Enterprise printers have, perhaps surprisingly, become one of the top concerns in cybersecurity defense. Long an afterthought relegated to the corners of offices, printers received little attention and did not seem particularly exposed to cybersecurity risk compared with corporate databases, where sensitive data about the identities of executives and customers is stored.
Connected to the Internet of Things (IoT), printers expose their latent security vulnerabilities in unforeseen ways.
The Price of Overlooking the Enterprise Printer
A 2019 research study by Quocirca, a market research firm specializing in printers, found that print infrastructure is among the top five security concerns for 66% of respondents, second only to the public cloud at 69%.
In some industries (professional services, financial, and retail) it is the top concern.
Printers are where sensitive and confidential documents are routed to produce their paper versions, and the printouts are frequently left in the tray, where they are at risk of pilferage. According to the Quocirca report, hackers seeking these documents can intercept them remotely while they wait in the print queue, hold them until they have been copied, and then resume printing without raising suspicion.
The Nature of the Enterprise Printer Threat
Researchers at the NCC Group, a prominent security consulting firm, identified several zero-day vulnerabilities in enterprise printers. Because attacks built on such flaws have no known signatures, attackers who exploit them can slip past intrusion detection systems and every other protection mechanism.
Daniel Romero, principal security consultant, and Mario Rivas, senior security consultant, both based in NCC Group's Madrid, Spain office, explained: "It’s necessary to improve processes to add security throughout the software development lifecycle to mitigate the risk of vulnerabilities in enterprise printers."
Increasingly, developers reuse software components already written, "without necessarily validating their security, and that code could contain multiple vulnerabilities."
A buffer overflow occurs when incoming data exceeds the capacity of the fixed-size memory buffer set aside for it and spills into adjacent memory, corrupting whatever is stored there. Attackers use that corruption to inject their own software, which opens the gate for them to enter the enterprise network.
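To make the mechanism concrete, here is an added Python model (not code from the article or from NCC Group) of what an unchecked copy into a fixed-size buffer does to the memory next to it, shown beside the bounds check that prevents it. The layout, a 16-byte job-name field followed directly by a privilege flag, is an assumption chosen for illustration only, and the function names and sample input are constructed.

```python
# Constructed model of a printer's job-header memory region: a 16-byte job
# name field followed directly by a 4-byte privilege flag. The layout is an
# assumption for illustration only, not any real firmware.
NAME_SIZE = 16
FLAG_OFF = NAME_SIZE
MEM_SIZE = NAME_SIZE + 4


def new_header():
    """A zeroed memory region standing in for the header struct."""
    return bytearray(MEM_SIZE)


def flag_value(mem):
    """First byte of the privilege flag that sits right after the name."""
    return mem[FLAG_OFF]


def copy_name_unchecked(mem, data):
    """Models memcpy(header.name, data, len(data)) with no length check:
    every byte is written, so bytes past NAME_SIZE land in the flag field.
    The cap at MEM_SIZE exists only to keep the model inside the region."""
    for i, b in enumerate(data[:MEM_SIZE]):
        mem[i] = b
    return True


def copy_name_checked(mem, data):
    """Hardened form: reject anything that does not fit, leaving room for a
    terminator, so the copy can never reach the flag field."""
    if len(data) >= NAME_SIZE:
        return False
    mem[:len(data)] = data
    mem[len(data)] = 0
    return True


def job_name_ok(data):
    """Input validation at the protocol edge: length and printable ASCII."""
    return len(data) < NAME_SIZE and all(32 <= b < 127 for b in data)


# Constructed oversized name: 16 filler bytes push the final byte onto the flag.
OVERSIZED = b"A" * NAME_SIZE + b"\x01"


def demo():
    """Run both copies against the oversized name and report what happened."""
    results = {}
    mem = new_header()
    copy_name_unchecked(mem, OVERSIZED)
    results["unchecked_flag"] = flag_value(mem)       # 1: flag overwritten
    mem = new_header()
    results["checked_accepted"] = copy_name_checked(mem, OVERSIZED)  # False
    results["checked_flag"] = flag_value(mem)         # 0: flag untouched
    return results


if __name__ == "__main__":
    print(demo())
    print("validator accepts 'invoice-42':", job_name_ok(b"invoice-42"))
    print("validator accepts oversized:", job_name_ok(OVERSIZED))
```

In real firmware the unchecked copy is a C `memcpy` or `strcpy`, and what sits after the buffer is whatever the compiler placed there; the bytearray only models that adjacency. The two defenses shown, a length check at the copy and validation at the point where the job arrives, are the kind of lifecycle controls Romero and Rivas describe.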
“Once an attacker gets full control of the printer, they can penetrate the internal networks of the company, and steal any sensitive document sent to the printer,” said Romero and Rivas. After they gain entry into the network, hackers look for credentials to penetrate sources of confidential information. "Attackers retrieve sensitive information, such as domain credentials, that is used to configure enterprise printer services and parlay it to access internal company resources."
Hackers favor printers as targets because they aren't well protected, which leaves room for them to cover their tracks. "Printers' network activity is left unmonitored, and an attacker can, for example, modify code in the memory of the printer which a reboot erases leaving no footprints behind," Romero and Rivas added.
What are the options for the enterprise to protect their networks with numerous printers on their premises?
Their exposed surface expands as an increasing number of devices are interconnected. A widely discussed option is self-healing methods, armed with artificial intelligence (AI) or intrusion detection systems, which autonomously monitor for threats and nip them before they spread into the network.
Romero and Rivas are skeptical about the very premise of that recommendation. "In most cases, an attacker 'exploits' a weakness that the developers overlooked," Romero and Rivas surmised. Autonomous detection systems must first learn what a given risk looks like, which they cannot do before that risk is known.
“The attacker will develop the exploit in a printer controlled by them, so they can work on bypassing any exploitation mitigation or any detection system that the printer may have,” said Romero and Rivas, explaining why spotting attackers is so difficult.
Enterprises can strengthen their defenses with AI-based anomaly detection. Such software would detect, for example, that a printer has stopped communicating with the network, prompting a response from the IT department. “Anomaly detection systems are probabilistic, and sophisticated attacks may still bypass detection by these types of systems,” Romero and Rivas cautioned.
Vijay Kurkal, Chief Operating Officer at Resolve Systems, an AIOps and IT automation company, said the weaknesses of probabilistic modeling are remedied by enriching the data and adding automated diagnostics.
"Data analysis improves when it is nurtured with contextual business information, such as Black Friday, that can help to understand metrics like volume of traffic in perspective."
"The interdependencies in IT systems help to see causal relationships instead of relying on patterns in noisy raw data alone. The enrichment of data is complemented by automated diagnostics which helps to separate false alarms from those that urgently need attention," Kurkal explained.
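As an added illustration of the anomaly-detection approach discussed above, and of Kurkal's point that business context separates real anomalies from expected peaks, here is a small Python detector (example code, not from the article or from any of the companies quoted). It runs three checks over constructed flow records for a hypothetical printer `PRN-01`: a silence check for a printer that has stopped reporting, a check for connections to destinations outside its baseline, and a volume z-score that divides out a known business-calendar multiplier before alerting. All addresses, byte counts, timestamps and the baseline are invented for the example.

```python
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed seven-day baseline of daily outbound bytes from the hypothetical
# printer "PRN-01" to its print server; the values are invented.
BASELINE_DAILY_BYTES = [2_100_000, 1_950_000, 2_300_000, 2_050_000,
                        2_200_000, 1_980_000, 2_120_000]
# Peers the printer is expected to initiate connections to (assumed).
BASELINE_PEERS = {"PRN-01": {"10.0.0.5"}}
HEARTBEAT_GAP = timedelta(minutes=30)   # longest tolerated silence
Z_THRESHOLD = 3.0
DEMO_NOW = datetime.fromisoformat("2019-11-29T09:50:00")

# Constructed flow records: (timestamp, src, dst, bytes). The 10.0.0.20 entry
# is an invented example of the printer reaching a host outside its baseline.
FLOWS = [
    ("2019-11-29T08:00:00", "10.0.1.7", "PRN-01", 120_000),
    ("2019-11-29T08:05:00", "PRN-01", "10.0.0.5", 4_000),
    ("2019-11-29T08:35:00", "PRN-01", "10.0.0.5", 4_000),
    ("2019-11-29T09:40:00", "PRN-01", "10.0.0.5", 4_000),
    ("2019-11-29T09:41:00", "PRN-01", "10.0.0.20", 52_000),
]


def silence_gaps(flows, printer, now, gap=HEARTBEAT_GAP):
    """Return (start, end) pairs where the printer was silent longer than gap,
    including the stretch from its last record up to now."""
    times = sorted(datetime.fromisoformat(ts) for ts, src, dst, _ in flows
                   if printer in (src, dst))
    times.append(now)
    return [(a, b) for a, b in zip(times, times[1:]) if b - a > gap]


def new_peers(flows, printer, baseline=BASELINE_PEERS):
    """Destinations the printer itself initiated traffic to that are not in
    its baseline; a printer opening sessions to new internal hosts is the
    lateral-movement pattern described earlier."""
    known = baseline.get(printer, set())
    return {dst for _, src, dst, _ in flows if src == printer and dst not in known}


def volume_zscore(total, history=BASELINE_DAILY_BYTES, context_multiplier=1.0):
    """Z-score of today's volume against history after dividing out the
    expected business-context multiplier (e.g. a known peak trading day)."""
    sd = pstdev(history)
    if sd == 0:
        return 0.0
    return (total / context_multiplier - mean(history)) / sd


def assess(flows, printer, now, daily_total, context_multiplier=1.0):
    """Combine the three checks into a list of alert strings for an analyst."""
    alerts = []
    for start, end in silence_gaps(flows, printer, now):
        alerts.append(f"silent from {start:%H:%M} to {end:%H:%M}")
    for peer in sorted(new_peers(flows, printer)):
        alerts.append(f"new destination {peer}")
    z = volume_zscore(daily_total, context_multiplier=context_multiplier)
    if z > Z_THRESHOLD:
        alerts.append(f"outbound volume z={z:.1f}")
    return alerts


if __name__ == "__main__":
    # Without context a 3x peak-day volume looks anomalous; with the
    # business-calendar multiplier applied it does not, and the two
    # remaining alerts are the ones that deserve attention.
    for mult in (1.0, 3.0):
        print(f"multiplier {mult}:", assess(FLOWS, "PRN-01", DEMO_NOW, 6_300_000, mult))
```

The silence and new-peer checks are deterministic and cheap, which is why they are worth running even where the probabilistic volume model can be evaded; the context multiplier is the simplest form of the enrichment Kurkal describes, and in practice it would come from a change or business calendar rather than a constant.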
What We've Learned
Hackers find vulnerabilities where victims least expect them. In a connected world, no device is safe. Worse, attackers have increasingly sophisticated means to cover their tracks and remove their footprints to avoid detection. The ideal way to eliminate the risk of an attack is to close the gaps during the development of the software, something organizations rarely do.
Robust analytics can go a long way toward making up for laxity in software development.