HP Access Control

The views expressed in this presentation are those of the
author and do not necessarily reflect the official policy or
position of the Air Force, the Department of Defense, or
the U.S. Government nor do they reflect any federal
endorsement.
Think your network is safe?
Check your printers.
Ron Chestang CISM, SANS GCIH, CEH, MBA
Security PPS Consultant
What Does The Market Research Say About Print Security!
What are the top printing security concerns?
1) Exposure of data in transit
2) Company’s ability to identify a security breach from printers
3) Exposure of documents left in the output tray
4) Unauthorized use of printer features
5) Remote employee’s use of home printers
6) Exposure of device network settings or ports
7) Threat of outside malicious access to network through printers
IDC, “User Perspectives on Print Security,” U.S. companies with more than 500 employees, November 2015 IDC#US40612015
IDC Research – 2,000 I.T. Security Professionals Study
56% of respondents do not see printers as a risk to their data or network.
1 IDC, “Print and IT Security Spending,” U.S. companies with more than 500 employees, November 2015, IDC#40626615
2 Ponemon Institute, “Insecurity of Network-Connected Printers,” October 2015.
IDC Research – 2,000 I.T. Security Professionals Study
77% of respondents do not integrate print fleet with access controls or SIEM.
A Brief History of Printer Hacks
1962
2010
“Stuxnet is known as one of the most sophisticated viruses ever discovered, so unique it made history as the world's first global digital weapon of the coming age of digital warfare…
Kim Zetter
Discovered exploit using print spooler to spread between machines over the network… he tested on his own test machine and it worked. The feeling made his hair stand on end”
2011
2011
2015
2016
2016 April
Customer Photo – Network Sniffing.
Cupboard
2016 – Print Security Important YES
?
2016
So What About Now !
134 different Vulnerabilities
Over 50 modules/attacks
250 different Vulnerabilities
Over 400 modules/attacks
“I probe around for a multifunction printer and see that it is configured with default passwords. Great I am in” … Hackers Playbook by Peter Kim.
“YES! We've compromised a number of companies using printers as our initial foothold, we move laterally from the printer, find Active Directory, query it with an account from the printer and bingo, we hit GOLD”
Are Printers So Different to PC’s ?
Today’s printers look a whole lot like PCs
Network Access
Email
Hardware
Software
© Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Internet
PC
Print
PJL / Post Script
When I Looked At Print Infrastructure!
Compliance
External
audit
Regulation
(formerly CBP)
Compliance
Framework – All Vendors – All Industries
Logical Access
Governance
Physical Security
Asset Management
Security Configuration
Data Security
Patching & AV
Log Management & Security Incident
Build & Release
Business Continuity
Network Security
Information Security
Personal Security
System Acquisition & Development
Access Control
20 Critical Controls
• CSC 1: Inventory of Authorized and Unauthorized Devices
• CSC 2: Inventory of Authorized and Unauthorized Software
• CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
• CSC 4: Continuous Vulnerability Assessment and Remediation
• CSC 5: Controlled Use of Administrative Privileges
• CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs
• CSC 7: Email and Web Browser Protections
• CSC 8: Malware Defenses
• CSC 9: Limitation and Control of Network Ports, Protocols, and Services
• CSC 10: Data Recovery Capability
• CSC 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
• CSC 12: Boundary Defense
• CSC 13: Data Protection
• CSC 14: Controlled Access Based on the Need to Know
• CSC 15: Wireless Access Control
• CSC 16: Account Monitoring and Control
• CSC 17: Security Skills Assessment and Appropriate Training to Fill Gaps
• CSC 18: Application Software Security
• CSC 19: Incident Response and Management
• CSC 20: Penetration Tests and Red Team Exercises
Regulation – Control 1 of 124 controls for Print Security.
• NIST 800-53 Revision 4, Section (9)(b)
• Access control / Controlled Release
Baseline Security Score For Print Infrastructure

Control area                  No. of Controls   Yes   No   % Compliant
Asset Management              6                 4     2    66.67%
Security Governance           10                5     5    35.00%
Security Incident & Logging   6                 3     3    30.00%
Logical Access                11                2     9    18.18%
Security Config.              8                 0     8    0.00%
Patching & AV                 5                 4     1    60.00%
Build & Release               5                 3     2    50.00%
Data Security                 6                 3     3    50.00%
Information Security          6                 4     2    66.67%
Total                         63                28    35   Average = 41.9%

Vertical Industry = 65%, Global = 45%
Pwn – “All Mine”
Types of policy settings: 250+ security settings available in HP enterprise MFPs
[Figure: diagram of policy setting types. Labels recoverable from the slide: Direct connect ports; File system access protocols; Fax speed dial lock; File erase mode; Device control; Control panel lock; Authentication services; 802.1x Authentication; LDAP Server Authentication; FTP Firmware Update; Novell remote configuration; PJL password; SNMPv1/v2; SNMPv3; Credentials; Device PIN presence; Admin (EWS) password; Fax PIN; File system password; Bootloader password presence; I/O timeout; Command load and execute; Network Services; Remote Firmware upgrade; Telnet; Public username; Copy authentication; Send to fax authentication; Walk-up authentication; Job storage authentication; Service Location Protocol (SLP); Send to e-mail authentication; Job creation authentication; Bonjour; Device discovery; Allow return email address change; Email; Credential type; Secondary email authentication; Restrict Addresses; User authentication; Maximum attachment size; Send to folder authentication; Web Services Discovery (WS-Discovery); Link-Local Multicast Name Resolution Protocol; TCP/IP Printing (P9100); File Transfer Protocol Printing; Internet Printing Protocol; Novell (IPX/SPX)]
Industry Security Examples
Diane Schwarz CISO said “You almost need to have that pit in your stomach every day to say, ‘Wow, I’m not sure I’m comfortable in this area’. That means you’re pushing boundaries and you’re building new skills”
HP Access Control: Two factor authentication
Two-factor authentication to securely pull print jobs from print server
[Figure: authentication options shown on the slide: Badge Identification (first/last name); Access Control User/Password (User and PW fields); User PIN ID (numeric keypad)]
HP Access Control: Enforced Secure Pull Printing
• Send the print job to a secure print server
• Secure Pull-Printing is enforced via HP Access Control
• Pick up the printout at any printer on the network
[Figure labels: First/Last Name; Document Confidentiality]
Security Monitoring Before & After with Security Manager
Major banking customer
• BEFORE:
  • A Managed Print Service requires 12 WJA servers with continuous network traffic to monitor the fleet of 30K devices
  • MPS spends about 4 hrs per day to report status, and to address issues the customer’s Security Team reports to MPS as being out of compliance
  • On first HPSM Assessment, we could see that <25% of the fleet was compliant to the security policy (3200 device sample, approximately 10% of their fleet)
• AFTER:
  • The customer’s fleet is now >97% compliant to the security policy
  • This report was on 10,500 devices (approx. 33% of their fleet) using a single HPSM Server
  • Assessment/Remediation completed in ~3 hrs, after which there was no network traffic.
Next Time You Press Print !