Tip of the Week: “Excuse me, but your printer is showing”

I was reading the Japanese newspaper the other day, and a report came out about yet another incident of devices (office printers in particular) that were exposed to unauthorized users. The modern office printer is a network-connected device that accepts (and stores) print jobs, and in some respects it also acts as a file server. These print jobs do not necessarily have a short time span, because in terms of physical security, it would not be prudent to immediately print sensitive documents that another person could browse before the owner could reach them. Thus, the printer stores the print job until it’s released. The printer also stores print jobs in its cache, which presents yet another way the files may linger long after the print job is complete.

As network-connected devices, printers interact with a fairly large user population. However, many of these devices have rudimentary security measures, and some have none. As noted in the article, some devices do not even have username/password controls. That’s because these printers assume they are operating within a secure environment, but that is not always the case. Even the most security-conscious printer may have software with vulnerabilities, and these devices are not always easily patchable with security updates.

In the scenario that we see in the news story above, some of these printers were inadvertently placed on the network in a manner that exposed them to untrusted zones. Whether it’s from a misconfiguration of the network or of the security measures protecting it, this leaves the device exposed to conditions that it’s not designed to withstand. Once the attacker locates an exposed device, they may try to gain access to the administrative functions, the stored print jobs, and the sensitive data contained within.

Finding exposed devices is easier than it’s ever been. Of course, the old standby method is to run a port scan on an IP range and see what’s been left open. This requires actually targeting a specific network, so it does take work on the part of the attacker. Running a port scan is the equivalent of trying to turn door knobs and seeing which ones were left open.

Using Google Hacking techniques, it’s easier to find the devices, since Google will do the work of locating the exposed web console. The attacker would run a query on parameters for a particular web admin console, in hopes of finding one that Google has indexed.

Google hacking is still somewhat crude, because it only reports on what it stumbles upon. However, there are now search engines that are far more precise in looking for particular criteria on exposed ports, with the most notable one being the Shodan search engine. Originally, Shodan indexed the metadata for certificates found on the web, which created interesting ways to develop an understanding of where certificates were being used on various domains. However, Shodan has since evolved to look for the telltale signs of various devices, which makes it trivial to locate exposed devices of a particular type.

All of the conditions listed above pertain to a device exposed to an untrusted zone, but even if the device was secured properly, traditional port-based security is not adequate. That’s because once an attacker gains access to a user’s laptop inside the network, it could easily be used to stage an attack against internal resources. There must be far more precision about who and what can access a particular device, even from the internal network.

The Palo Alto Networks network security platform provides several measures to ensure the safety of the devices that are placed on the network. First and foremost, one must properly separate the device from being accessed by untrusted networks. This includes placing the device in the proper zone, and employing the positive policy control model of denying all access unless specifically permitted.

Second, the device should not have any privileges that it does not need. Does your printer need unfettered access to the Internet to run? Does it need access to the Internet at all? Applying control over the policies that govern what passes through a particular zone (both inbound and outbound) can help you make sure that you don’t accidentally let your printer communicate indiscriminately with parties on the Internet.

Third, can you define who’s allowed to interact with the printer? One principle you might apply is to give only employees who work at a particular office the rights to send jobs to the printer. Guests would only have access to a simple, dumb printer. In addition, don’t count on usernames/passwords to protect access to admin functions. Only system administrators and IT staff should have access to the administrative functions of the device, so why not ensure that these groups are the only ones with access to the admin consoles?

Fourth, think about employing device-specific policies for access. For example, companies may choose to only permit employees with corporate endpoints secured with GlobalProtect to access the printer. GlobalProtect can check the host to make sure it adheres to the software and patch requirement standards set by the IT organization before granting network access to the application.
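The four measures above can be expressed as checks over a rule list. The following is an added example, not code from the original post or from Palo Alto Networks: the rule schema, zone names and group names are hypothetical and do not represent PAN-OS configuration syntax.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    src: str            # source zone
    dst: str            # destination zone
    app: str            # "print", "printer-admin" or "any"
    action: str         # "allow" or "deny"
    groups: frozenset = frozenset()   # empty means any user
    host_check: bool = False          # endpoint must pass a posture check

TRUSTED = {"corp-lan"}   # assumed zone name
ADMINS = {"it-admins"}   # assumed directory group
PRINTERS = "printers"    # assumed zone holding the printers

def audit(rules):
    """Return sorted (rule name, finding) pairs for the four controls."""
    out = set()
    last = rules[-1] if rules else None
    if not (last and (last.src, last.dst, last.app, last.action)
            == ("any", "any", "any", "deny")):
        out.add(("<policy>", "no final deny-all rule"))
    for r in rules:
        if r.action != "allow":
            continue
        if r.dst in (PRINTERS, "any"):            # traffic towards the printer
            if r.src not in TRUSTED:
                out.add((r.name, "printer reachable from untrusted zone"))
            if r.app in ("printer-admin", "any") and not (r.groups and r.groups <= ADMINS):
                out.add((r.name, "admin console not limited to admin groups"))
            if r.app in ("print", "any") and not r.groups:
                out.add((r.name, "printing not limited to named groups"))
            if not r.host_check:
                out.add((r.name, "no host posture check"))
        if r.src in (PRINTERS, "any") and r.dst not in TRUSTED:  # traffic leaving the printer
            out.add((r.name, "printer can reach untrusted zone"))
    return sorted(out)

# Constructed sample policies: one permissive, one following the four measures.
WEAK = [Rule("web-to-printer", "internet", "printers", "any", "allow"),
        Rule("printer-out", "printers", "internet", "any", "allow")]
HARDENED = [
    Rule("staff-print", "corp-lan", "printers", "print", "allow", frozenset({"tokyo-office"}), True),
    Rule("it-admin", "corp-lan", "printers", "printer-admin", "allow", frozenset({"it-admins"}), True),
    Rule("deny-all", "any", "any", "any", "deny"),
]

if __name__ == "__main__":
    for name, finding in audit(WEAK):
        print(f"{name}: {finding}")
    print("hardened findings:", audit(HARDENED))
```

The permissive policy produces one finding per missing control, while the hardened policy produces none.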

These are just a few of the ways that organizations are employing the Palo Alto Networks next-generation network security platform to protect the devices within their organization. It’s not just printers that are connected to the network nowadays; there is a growing list of other devices that are connected as well. It’s a topic we’ll be talking more about down the road, so stay tuned for more tips of the week in the future.