I recently deployed a Ricoh IM 6500 printer on the office network, and it reminded me that we need to treat printers like computers. These devices need to be given the same amount of security resources, controls, processes and isolation as any other computer on your network.
Focus on these eight areas to keep your printers from being a point of entry for attackers:
1. Limit access privileges to printers
Like any other technology, limit printer access to only those who need it. Define the network IP addresses of the devices that have permission to access each printer.
2. Disable unused protocols
Disable unused protocols that are active on each device. Only set up those protocols that are needed. Make sure you review this process regularly as the needs of your network change.
Many printers have default security settings that preconfigure printer connections and protocols based on standards set by government agencies. FIPS 140 is a standard level of security protocols that is often used and can be preconfigured. It will automatically disable TLS 1.0 and SSL 3.0 as well as set the encryption to AES 128-bit/256-bit. It also automatically disables Diprint, LPR, RSH/RCP, Bonjour, SSDP, SMB, NetBIOS and RHPP. It also automatically sets the Kerberos authentication and encryption algorithm to AES256-CTS-HMAC-SHA1-96/AES128-CTS-HMAC-SHA1-96/DES3-CBC-SHA1.
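One way to verify that the unused protocols really are off after applying such a profile is to connect-scan your own printers for the legacy listeners and to check whether the HTTPS interface still negotiates TLS 1.0. The script below is an added example, not the article's or Ricoh's code: the port-to-service map and the "expected" baseline (HTTPS and IPP) are this example's own assumptions, and the host name is a placeholder. Bonjour, SSDP and RHPP are not probed, since the first two are UDP services and a TCP connect cannot see them.

```python
"""Audit which network services a printer exposes (added example for step 2,
not the article's or the vendor's code). Run it from a host that is on the
printer's permitted IP list so the scan is not blocked by the access control
from step 1."""
import socket
import ssl

# TCP ports of the legacy or cleartext services that the FIPS 140 profile
# described in the article turns off. The mapping is this example's assumption.
LEGACY_TCP = {
    9100: "raw port 9100 / Diprint (unauthenticated print stream)",
    515:  "LPR",
    514:  "RSH/RCP",
    139:  "NetBIOS session service",
    445:  "SMB",
    21:   "FTP",
    23:   "Telnet",
    80:   "HTTP admin interface (cleartext)",
}
# Services a hardened printer is still expected to offer (assumed baseline).
EXPECTED_TCP = {443: "HTTPS admin interface", 631: "IPP"}


def tcp_open(host, port, timeout=1.0):
    """True if the printer accepts a TCP connection on the port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan(host, timeout=1.0):
    """Connect-scan the audited ports and return the set that is open."""
    ports = sorted(set(LEGACY_TCP) | set(EXPECTED_TCP))
    return {p for p in ports if tcp_open(host, p, timeout)}


def accepts_tls10(host, port=443, timeout=3.0):
    """True if the HTTPS interface still negotiates TLS 1.0, which the FIPS 140
    profile should have disabled. Only meaningful where the local OpenSSL build
    still permits TLS 1.0 itself; any handshake failure is reported as False."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE   # testing version policy, not the certificate
        ctx.minimum_version = ssl.TLSVersion.TLSv1
        ctx.maximum_version = ssl.TLSVersion.TLSv1
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw) as tls:
                return tls.version() == "TLSv1"
    except (OSError, ssl.SSLError, ValueError):
        return False


def assess(open_ports, tls10_accepted=False):
    """Turn scan results into findings a print administrator can act on."""
    findings = []
    for port in sorted(open_ports & set(LEGACY_TCP)):
        findings.append(f"DISABLE port {port}: {LEGACY_TCP[port]}")
    for port, name in sorted(EXPECTED_TCP.items()):
        if port not in open_ports:
            findings.append(
                f"CHECK port {port}: {name} not reachable (access list or service disabled?)")
    if tls10_accepted:
        findings.append("DISABLE TLS 1.0 on the HTTPS interface")
    return findings


def audit(host):
    """Scan one printer and return its findings."""
    open_ports = scan(host)
    tls10 = 443 in open_ports and accepts_tls10(host)
    return assess(open_ports, tls10_accepted=tls10)


if __name__ == "__main__":
    import sys
    # "printer.example.internal" is a placeholder host name.
    target = sys.argv[1] if len(sys.argv) > 1 else "printer.example.internal"
    for finding in audit(target) or ["no findings"]:
        print(finding)
```

Re-run the audit after every firmware update and whenever the printer's configuration is restored, since both can silently re-enable services.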
3. Review printer firmware level
Review all equipment for its firmware level. Limit who can upgrade the device and how the device obtains its patches. Also review the IP addresses that the printer will need in order to report its status, if you opt for that process.
4. Beware of automatic reports of printer activity
Most leased printers require a status report of the pages processed. If it's not acceptable for your devices to automatically report these amounts, have a process to collect and report such information. If you opt for automatic data collection, determine from your vendor the IP address that your devices will be using to connect and report this information. Notify your firewall management of this expected traffic.
5. Know what information your printers process
Review the information that each device processes and the level of security needed. If it will be used for faxing and will need secure processes, enable IPsec and review which personnel in your firm should have rights to the scan-to folder. Also review whether you want the document server function set up and who should have rights to that function.
6. Properly manage printer log files
Review the log file functions and ensure that logs are stored in a preferred log storage process, whether that's a cloud log server or a local Splunk server. Review what time zone you want the printer set to and whether it should be set to a clock synchronization process.
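The time zone and clock synchronization choices matter as soon as the printer's logs are correlated with anything else: an event stamped in local time without an offset, or from a device that has drifted, cannot be lined up with the rest of the log server's data. The script below is an added example, not the article's code, of the kind of sanity check a collector can run on the forwarded stream. The printer's real log format is not shown on the page, so the sample lines are constructed in RFC 5424 layout, and the "received" timestamp stands in for what the collector would stamp on arrival.

```python
"""Sanity-check the syslog stream a printer forwards to the log server
(added example for step 6, not the article's code). Sample lines are constructed."""
import re
from datetime import datetime, timedelta, timezone

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID rest
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) \S+ "
    r"(?P<msgid>\S+) (?P<rest>.*)$"
)
MAX_SKEW = timedelta(minutes=5)   # tolerance before a wrong clock or time zone is suspected


def parse(line):
    """Parse one RFC 5424 line; return a dict or None if it does not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    # fromisoformat understands "+00:00"/"-05:00"; normalise a trailing "Z".
    event["time"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
    event["severity"] = int(event["pri"]) % 8   # 0 = emergency ... 7 = debug
    return event


def check_stream(records):
    """records: iterable of (received_at, raw_line). Returns finding strings."""
    findings = []
    for received_at, line in records:
        ev = parse(line)
        if ev is None:
            findings.append(f"UNPARSED: {line[:40]}")
            continue
        if ev["time"].tzinfo is None:
            # A naive timestamp means the printer is not stamping its UTC offset.
            findings.append(f"{ev['host']}: timestamp has no UTC offset; set the printer's time zone")
            continue
        skew = abs(received_at - ev["time"])
        if skew > MAX_SKEW:
            findings.append(f"{ev['host']}: clock skew {skew} (NTP not configured?)")
        if ev["severity"] <= 3:   # error or worse: failed admin logins, config faults
            findings.append(f"{ev['host']}: {ev['msgid']} severity {ev['severity']}: {ev['rest']}")
    return findings


# Constructed sample: all four lines arrive at the collector at the same instant.
RECEIVED = datetime(2022, 3, 1, 10, 0, 30, tzinfo=timezone.utc)
SAMPLE = [
    (RECEIVED, '<86>1 2022-03-01T10:00:12+00:00 mfp-lobby printer - AUTH [x@1 user="jdoe"] login ok'),
    (RECEIVED, '<83>1 2022-03-01T10:00:20+00:00 mfp-lobby printer - AUTH [x@1 user="admin"] login failed'),
    (RECEIVED, '<86>1 2022-03-01T10:00:25 mfp-lobby printer - CFG config changed'),        # no offset
    (RECEIVED, '<86>1 2022-03-01T03:00:25-05:00 mfp-lab printer - JOB print job complete'),  # clock off by 2h
]

if __name__ == "__main__":
    for finding in check_stream(SAMPLE):
        print(finding)
```

The third sample line shows why the time zone setting belongs in the checklist: without an offset the collector cannot even compute skew, so the line is flagged rather than silently assumed to be UTC.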
7. Confirm security controls
When deploying printers into sensitive areas, review and confirm their security controls. Often systems are vetted under Common Criteria for accepted devices. These Common Criteria include:
Security audit: The device generates audit records of user and administrator actions. It stores audit records both locally and on a remote syslog server.
Cryptographic support: The device includes a cryptographic module for the cryptographic operations that it performs. The relevant Cryptographic Algorithm Validation Program (CAVP) certificate numbers are noted in the security target.
Access control: The device enforces an access control policy to restrict access to user data. The device ensures that documents, document processing job information, and security-relevant data are accessible only to authenticated users who have the appropriate access permissions.
Storage data encryption: The device encrypts data on the hard drive and in memory to protect documents and confidential system information if those devices are removed from the network.
Identification and authentication: Except for a defined minimal set of actions that can be performed by an unauthenticated user, the device ensures that all users must be authenticated before accessing its functions and data.
Administrative roles: The device provides the capability for managing its functions and data. Role-based access controls ensure that the ability to configure the security settings of the device is available only to authorized administrators. Authenticated users can perform copy, printer, scanner, document server and fax operations based on the user role and the assigned permissions.
Trusted operations: The device performs power-on self-tests to ensure the integrity of the TSF components. It provides a mechanism for performing trusted update that verifies the integrity and authenticity of the upgrade software before applying the updates. It uses an NTP server for accurate time.
Device access: Interactive user sessions on the local and remote user interfaces are automatically terminated by the device after a configured period of inactivity.
Trusted communications: The device protects communications from its remote users using TLS/HTTPS, and communications with the LDAP, FTP, NTP, syslog, and SMTP servers using IPsec.
PSTN fax-network separation: The device restricts information received from or transmitted to the telephone network to only fax data and fax protocols. It ensures that the fax modem cannot be used to bridge the LAN.
Image overwrite: The device overwrites residual image data stored on the hard drive after a document processing job has been completed or cancelled.
8. Review the latest guidance for smart card authentication
In July 2021, Microsoft made changes for CVE-2021-33764 to harden printing processes that rely on smart card authentication. As of the August updates, Microsoft will no longer put in place this temporary mitigation. If you use smart card authentication for printers, review KB5005408 for more advice on dealing with potential issues when the August security updates are installed on your domain controllers.
Copyright © 2022 IDG Communications, Inc.