Another week, another installment of Print Geeks, the podcast all about print and technology, brought to you by PaperCut.
Security, security, security.
We’re always talking about security at PaperCut. How print security is an overlooked realm of security in IT.
And it is.
And we won’t stop anytime soon.
But! A recent faux pas of my own inspired me to do a podcast episode all about print security featuring our very own IT and Security Manager, Stan Chathuruthy. He joins the show to walk us through how to protect your printed output across each stage of the document’s lifecycle.
- Intro 0:14
- Forgotten password: a timeless tale 2:12
- IT and Security Manager - PaperCutter Stan 3:51
- Is print security overlooked in IT? 5:08
- Human error: the biggest security threat 7:08
- Phishing attacks 9:50
- Common print security leaks 14:53
- The print document lifecycle 16:49
- Securing print infrastructure 17:29
- Securing print workflows 20:38
- What is encryption? 22:20
- Balancing convenience and security 26:54
- Securing printed output 31:27
- The #1 thing to know about security… 35:59
- Attack surface area explained 37:00
- Hackers: blackhats, whitehats, greyhats 41:23
- Stan’s final print security tips 42:25
- Conclusion 44:11
Enjoying the Print Geeks of PaperCut podcast? Subscribe and enable notifications to never miss an episode.
Now with a (slightly edited) episode transcript
Kieron: Hello and welcome to Print Geeks. Your one-stop podcast for all things geeky about print and tech. I am your host PaperCutter Kieron, Tech Journalist. Scourge on word counts. Fresh Prince of Bel-Air meets Frasier Crane. Live on the air in a fresh pair of Nike Air Jordans. Freshly christened by Melbourne’s lovely morning weather on my way to work this morning. Nothing quite like choosing between your pair of sneakers and going, “I’ll go with the nice fresh pair that I’ve barely worn.” And then it rains all over them. But we press on. We journey on. We strive forward and we podcast about printers.
And today we’re going to dive deep into a topic which is top of mind all the time (that rhyme though) in IT and the print world. We are going to talk all about security. Print security, specifically. How your printing is an important part of your attack surface level in terms of your security vulnerabilities. It’s an overlooked realm of security; the printing environment. Which is what we talk about a lot on the PaperCut blog, and we’ve mentioned it before on the podcast. But today we’re going to talk about everything you need to know about print security. And to do so, I am joined by a very special guest.
However, before I introduce our very special guest, I’m going to do so by regaling you all with a tale. A tale as old as time. It’s a tale about a boy. And forgetting his password. We’ve all been there. We all forget our password. And then we set up a new password. And then when we enter it in, it tells us, “You can’t set that password because it’s a password you’ve used before.” And then you go, “Oh, I remember my old password after all, but I’m on the luge, I may as well continue going and change my password.” And this happened while at work. I was trying to log in to something and I could not remember my password.
So I reached out to our special guest today who is our security and IT head. Like you always do when something goes wrong with it, you hit up the IT department and you say, “I can’t log in.” And I was trying to log in and I couldn’t do it and I needed to log in to a different account in order to access a different password. And our special guest says to me, “Well, just log in to that one.” I go, “Oh, okay.” And I pull out my Moleskine diary because I’m old school. I’m an old-school journalist. And inside my Moleskine diary I pull out a sheet and on that sheet is all of my passwords. And the look of horror on our guest’s face was priceless. And then I thought, “You know what? Let’s do a podcast episode about security.” And that’s how this episode was born.
So the person that I am talking about that’s behind the veil of mystery is Stan, PaperCutter Stan, our IT and Security Lead. Welcome to the show, Stan. Thank you for joining me.
Stan: Thank you for the intro, Kieron.
Kieron: Tell us about the horror. Why were you so horrified when I pulled out my little password sheet?
Stan: In my world, that’s a cardinal sin, you know, and it’s not that uncommon, to be quite honest with you. I walked into many small businesses like just a few months back. I was in my dental practice, and you had password and username stuck under the monitor screen. So I see that quite often. So it’s not unusual, but it’s like, you know, one of the basics that we try to educate people on to never do, never physically write down your password or at least don’t put it in a form that can be easily read by someone else.
Kieron: Yeah, yeah. Because it’s not very secure if it’s in one place and if they’ve got that sheet, which is like a master code for all of your different passwords. Now, I thought I was clever because all my passwords are different. But we’ll talk a little bit later about how we could possibly even make that more secure. Absolutely. I don’t want to give away all of our tricks. But let’s begin by asking you a question. At the intro there, I talked about how here at PaperCut Software, we talk about how the print environment is an overlooked realm of IT security. Do you find that to be true?
Stan: Absolutely. Like people don’t focus on it. There’s an increasing focus on digital hacking and online breaches these days, so there’s hardly any talk about print security, and the focus has shifted away from that. But, you know, just looking at the most common thing of, you know, printing a sensitive document that’s not secure, like it just spits out from the printer. So the very basic stuff that sometimes can be overlooked where there’s no secure printing or, you know, you send a print job and it’s jammed in the printer and you forget about it and, you know, someone else can have access to it and read something confidential. So yeah, it’s definitely an overlooked area of security, I would say.
Kieron: Do you think it’s because when we’re in the realm of IT (Information Technology) and a piece of paper we don’t think of that when we think of information technology because a piece of paper is physical. Would you find that if you’re a nefarious hacker out there in the world, what’s a more attractive target? Something physical or something that’s digital?
Stan: I would think the stats point to more digital. Because, you know, you can get a whole treasure trove of information by hacking into financial information. That’s a lot harder to get through physically. And I would say in today’s day and age, probably 99% of the hackers operate remotely. There is less of the physical hacking component, which is actually walking into a building or an office and actually trying to grab something there physically. So you see less of that these days. But it’s still a risk.
Kieron: Well, hacking is essentially an IT term for thief, right?
Stan: In some ways, yeah.
Kieron: In some ways. Well, on that note of hackers hacking. Is that the most significant threat when it comes to security and print security? Or is there another threat that is sort of, again, overlooked but more significant than attacks and hacks?
Stan: Um, in terms of print security, I would say that, yeah, there is some exposure, but I wouldn’t say it’s the biggest concern at the moment. Just looking at everything that’s happening in the media. I think the biggest hacking concerns at the moment is identity theft. When a hacker walks away with all your personal documents or enough points of ID to impersonate you, yeah, that’s the biggest risk that I see at the moment. Yeah. But yeah, it’s still an area that we can’t completely overlook and should have some awareness about.
Kieron: But part of what makes things like identity theft a ripe opportunity for some people out there is- I’ll give you another example; I’m not painting myself as a particularly secure person in this episode, but I learn. Once upon a time, I was in the hospital and I just took a photo and was like, I’m in the hospital and I posted on social media because I was one of those people at the time. And then someone, a very nice friend of mine, just messaged me privately and said, “Hey, you might want to take that post down because in that photo we can see your tag, your patient tag, and your patient tag has your date of birth and it has your address and things like that.” And I was like, “Oh, word.” So I took it down. And on that occasion, what would have opened me up for identity theft was something we’re all capable of, which is human error. And so talk to me about the prevalence of human error in the realm of security.
Stan: Absolutely. So the stats that I looked up recently on that, I think it points to about 95% of the hacks happen with human error and only 5% of the most sophisticated type of hacks happen. So it clearly shows the weakest link. So when we talk about weakest link, it’s most likely a human error that causes it. It’s far easier to hack into a system by sending someone a phishing email and getting someone to click on it, than trying to break through a corporate firewall. So the effort involved is monumentally more. You always go for the easier target. So definitely the human link or the human element is where we find the weakest link. And yeah, that’s why there’s an increasing focus of cyber education and awareness these days.
Kieron: Well, and those phishing emails and text messages, they’re sophisticated. They’ll nearly get you. They’ve nearly tricked me a few times. And I know not to click things, but I just have to double check. I’m like, “Oh, is that real? Or is that from a scam?”
Stan: Absolutely. Like the level of sophistication that I’ve seen over the last ten plus years in my career is that it has become extremely sophisticated to the point that it’s hard for even a techie to differentiate between, you know, a valid email or a phishing attack. And we are trying to always stay on top of it, but in reality, it’s always playing catch up. So we introduce, you know, security tools like email filtering, which are supposed to filter out 99%. But there is absolutely no system that can do 100%. So some will always get through. And then you’re relying on the user at the other end to use their judgment to not click on something like that. So it’s very easy to do. And often in the day where you’re bombarded with emails and information, you know, when you’re slightly distracted, it’s quite easy to make that error.
Kieron: Yeah. And, you know, some of the more sophisticated phishing, they’ll be doing things like looking at cookies and they’ll be able to see the websites that you’ve visited and they know what pain points to target. So they’ll see that maybe you were looking up, you know, paying a toll or something, and then they’ll send you a message like, “Your toll hasn’t been paid.” And you’re like, “Oh, what?” And then they get you that way. So, yeah, just don’t click on things is always the advice that I give to my friends and family.
I remember a few years ago I received a text message from a government body and it looked like- I was split. This looks like it could be a scam, but it also looks like it could be legit. So I called them and I said, “Hey, this is the message I got.” And you know, they had a web page on their website saying that you could report phishing scams. So I was like, “This is the message that I got, and I think it’s fake.” And then they said, “Oh, yeah, that’s, that’s totally not real. That’s well done. Good for calling us that. You can, you can ignore that.” I was like, “Alright, sick.” Hang up the phone. Go about my day. I get a phone call not long after that. It’s the same government body.
And they’re going. “We made a mistake. That’s actually real. It’s not a scam.” And I was like, “Okay…” And they’re like, “Someone’s going to call you and you need to answer their questions.” I was like, “All right.” They called me. And then they were asking me, you know, about the text. And then they started asking me a bunch of personal information, like, we just need to confirm your account, etcetera. And then I was very paranoid at that point. I was like, “Well, how do I not know that this is not a scam? How do I not know that you’re not the scam? Because I was told that it wasn’t a scam and now I’ve been told it is a scam. And now I don’t know what to believe. So, like, win me over. How do I know that you are this government body?” And the guy was very patient with me. And eventually I ended up, you know, answering the questions and we progressed forward. And then it turned out they were legit and that was fine.
And then at the end of the call, he was like, “I just want to say. I want to commend you for how seriously you take your privacy and your security because, yeah, you wouldn’t hold up until, you know, I proved that I was who I say I am.” And I was like, “Well, what else am I supposed to do?”
Stan: Absolutely. In fact, I would commend you too. It’s better to have to be a little bit paranoid because everything that’s happening around us these days and take that approach. I’ve had similar experiences where I’ve received a call and they have asked me to confirm my ID and details, and my response is often I will call you. So I’m not going to answer anything. You give me a valid number that I can reach you on and I do a reverse lookup to make sure that they are who they state to be. But I think we have all experienced at some point where you get a heads up to say you’ll be receiving a call in the next 30 minutes from an 02 number. Which in that case you can be a little more relaxed because you know that it’s a legitimate request that you have placed and they’re calling you back for that. But I think the sensible approach there is if someone randomly calls you, particularly when you’re not expecting it, to not give out any personal information and tell them that you would call them back.
Kieron: I adopt that philosophy. If someone calls me and asks me for information, I don’t give it to them. And on my phone, part of the firmware is that there is security enabled. So I get a little alert that says “Reported,” you know.
Stan: A spam or telemarketer.
Kieron: Yeah, yeah, yeah. So I often don’t answer my phone and people are always telling me I’m screening their calls. I’m like, “Well, I’m being secure.” So despite my Moleskine diary, you know, I’ve got a little bit of security nuance about me. Now let’s talk a little bit more about print security. We just touched on that the printed document is an overlooked realm of print security. Let’s just go through a quick list of what are some of the most common print security leaks that you find in a workplace.
Stan: So the most common one is forgotten print job. Where in a lot of places they still don’t have secure printing enabled.
Kieron: Yeah, they’re direct printing via group policy or something like that.
Stan: Exactly. So in that case, you could be printing a secure document that’s available for anyone to see if you’re not standing right there. That’s the most common issue that I’ve seen. But then from there on, you try to step into, you know, sophisticated hacking of print devices where you can spread malware so that we can get into that a bit later. But to answer your question, the most common ones are forgotten print jobs. Related to that is like a print jamming issue where your print job is stuck halfway through a print job and you forget about it. And then later, you know someone else is trying to clear the jam, and then they see the document. Those are the most obvious common ones that we see. Gradually I see more and more organizations improve on that and implement secure printing. Which, which definitely makes it a lot more secure.
Kieron: And another one related to that, we’ve spoken about this on the podcast before, is disposing of your documents and/or your devices in a secure way.
Stan: Absolutely. So remember to shred any printed work that’s confidential, anything that’s confidential or is considered to have PII information. So securely putting it in a secure document disposal unit that gets shredded or something like that is also critically important. So being mindful of that.
Kieron: We’re going to kind of jump all over the shop here today. We’ll begin with the, there’s a PaperCut philosophy to security. And that philosophy is that you need to protect your document across the three stages of its journey. And those three stages are: before you press print, while you’re pressing print, and then after you press print. So, Stan, the security man, let’s talk about how you can secure your print job before you press print, what are some of the steps that you can take?
Stan: Sure. So before you press print, we have primarily focused on securing the infrastructure, the print infrastructure. So we look at things like system access control device and network security, secure printing software that we spoke about earlier. So the focus before printing is on these areas.
Kieron: So when we say system access control, we’re talking about who has authorization and access to print in the first place. And how do you implement that?
Stan: So we can set up control groups to say that, you know, X number of employees can access certain printers and certain print queues. So yeah, it’s implemented at a software layer.
Kieron: And in that before stage, where’s the potential for leaks if you haven’t got any of those secure practices in place?
Stan: So if you do not have any security systems put in place then pretty much it’s free for all.
Stan: Yeah, exactly. So you have no controls put into place at all and that makes it highly insecure.
Kieron: Which I would say is common because when people are thinking about, you know, let’s look at a small to medium business, you know, they’re in their start-up days. They’ve got their office lease, they’ve got all of their desk chairs and everything. They’ve got their computers and they’re setting up the security for their computers. And then part of that piece of the puzzle is their printers, their multifunction devices, and their copiers. So they might not even think about securing those things. Talk to me about, as part of this before phase, something that I love, just because I love the visual is like physically locking your devices. Talk to me about the best practices for that.
Stan: Absolutely. So you should make sure that the physical printer or the multifunction device sits in a secure area of the office that generally has access card or swipe card access to get into the building. And then best practice is always having RFID scanners or readers attached to your multifunction devices. So you need login access to actually get your print jobs or authenticate yourself an ID yourself as a part of the printing process. Yeah. So those would be the best practices in that area that I would think of.
Kieron: Yeah. And what about like physical bolts and locks, attaching the printer to your premises?
Stan: Yeah, absolutely. I mean, I see less of that these days, but yeah, it like for example, laptops used to previously have, you know, like the security cables attached to it. These days I don’t see that often. Like, yeah, it’s rare for me to actually see that but, yeah, having your device physically locked to a wall attached to a wall is the best practice. But if your printer generally sits in a secure area of the office, it’s less of a concern. But yeah, ideally if it’s possible to secure it physically by bolting it down, that would be great.
Kieron: All right, so let’s talk about the while you’re pressing print during the journey of this physical data, you’ve pressed Print, Control + P, or Squiggly line + P and you are sending your digital document to the printer. Where is it vulnerable in that journey and how do you protect it?
Stan: Yes, during that phase, we look at securing print workflows. So we look at things like secure print release, device errors, 2FA or MFA comes into play during the print phase. So taking on the last thing of MFA, it’s these days, you know, pretty much every system we recommend to have a multi-factor authentication mechanism set up. So it is not a single point of failure and you have more than one way to like typically it could be a pin code, an RFID, a physical card or biometrics. You know, pattern recognition or multiple ways of achieving it and the more factors that you put into place, the more secure it is.
Kieron: Well, even after my boo-boo the other week, because we had multifactor authentication set up, when I tried to sign into my computer again on my phone, it popped up and it was Google being like, “Hey, is this you?” And you go, “Yeah, it’s me.” Check the IP address and that sort of thing. So that’s an example of MFA that most people will come across if they’re using Google. Now let’s talk about something else that enters into that during stage. Well, it links the before to the during and it links the during to the after and that is encryption. Talk to me about what encryption is and how it protects your data.
Stan: Um, sure, Kieron. So in layman’s terms, encryption is taking your human-readable data and converting it into a form that’s non-human readable. Typically using something like an encryption key. And then during transit, it’s encrypted or locked and no packet sniffer (getting a bit technical), but trying to keep it in layman’s terms-
Kieron: This is the place. This is Print Geeks. People, even if they don’t know too much about tech, they come in here to learn. So, go for your life.
Stan: Sure. So something like a man-in-the-middle attack cannot just read the data because it’s in easily readable, human-readable form. So by encrypting it, you’re jumbling it and attaching a key, converting it into a form that’s nonhuman readable. And at the other end, you decrypt it and convert it back to a human-readable form. So that simple process of encrypting and decrypting makes it a lot harder for a simple man-in-the-middle attack or a packet sniffer to read your information.
Kieron: And it’s the backbone of all modern technology. iPhones, your Androids, they’ve all got encryption. And your print network needs to have the same. And going back to my little Moleskine password debacle, how may I have solved that myself with encryption? Because I could have encrypted that myself, couldn’t I?
Stan: Absolutely. Even if you did choose to write it in a paper-based form. Which I highly don’t recommend. But even if you choose to do that, if you had a basic encryption or jumbled it in a way that only you can make sense out of it. That is basic encryption 101 right there. As long as it’s not something that someone can easily guess by looking at it. Then you’ve achieved, you know, a basic form of encryption.
Kieron: Yeah, we’ve all seen those movies and TV shows where someone’s sitting at a desk and they look around at the office and they think, “Hmm, what would this person have used as a password?” But that’s not necessarily false like people do think of passwords in that way, like, “Oh… ‘plant.’”
Stan: I mean, if you look at the stats on it, it’s just shocking. You know, like the most commonly used passwords where people use just the word “Password.”
Kieron: Password. 1234. ABCD.
Stan: You know, like social engineering, we can just guess someone’s password because they have pretty much provided all the information in social media. Combining their pet’s name or their children’s name or, you know that kind of stuff or what I’ve commonly seen as people use a password, they use a common word and just change the last few digits for the month. And you know, when the old practice was recommended was to periodically change your passwords - which actually we have gone away with. The latest recommendation is not to change your passwords.
That’s a different topic. So the old school practice was periodically change your passwords. Now the thinking around password is you create a complex password. Diving into passwords: the complexity is not just about using alphanumeric characters, it’s the length of the password. So a four-character password is not secure compared to a 12-character password. As you add more digits or more numbers to your password length, you’re adding it makes it exponentially harder to do something like a brute force attack and try to guess your combination of your password.
Kieron: Yeah, it’s just a numbers game. If there’s more characters that you have to account for, then it’s going to be harder.
Stan: Takes a lot longer to hack it. So yeah, the recommendation there is to set a long complex password like a passphrase or something like that. Definitely make it as long as you can easily remember it.
Kieron: And even if it wasn’t like a bunch of different special characters and numbers, even if it was just like three four-letter words that are completely random. That only you know, that is simple to remember, but it’s better than just like. “Dogs.”
Stan: So pick a long password and don’t change it often, combined with MFA is probably the best practice recommendation at the moment.
Kieron: Well, let’s jump back into what you just touched on there about how the most common passwords and there are probably people out there listening who are like, “Oh, my password is password or 1234.” Why do you think human nature is capable of that? Is it that we don’t value security like we prioritize convenience over security? It’s like, well, I don’t want to have to forget this thing. I know I’m going to forget it. So I’ll- “Password.”
Stan: Absolutely. It’s just human psychology. And these days we have typically… I don’t know. Like, I can talk to my own personal case. I probably have 200 or 300 passwords for multiple websites, logins, and systems that you use. So trying to remember a different password, which is another recommendation: to use a distinct password for every single website using the same password, which is again another human trait trying to use the same password every single place. It’s a convenience factor not having to remember a lot. And we have information overload in the digital age as it is. Struggling to remember unique passwords for every system is what makes people pick a very basic, simple password that they seem to use everywhere.
Kieron: Well, that’s why my little physical piece of paper was born into existence. Because a few years ago I got notified of a hack of a forum that I was frequenting and it said, “Oh, big, big hack.” Like, you know, it was a big egg on the forum’s face. And I realized that my password was pretty much the same everywhere. So I went and created individual passwords for every little, single little thing. And then it was around the time of the Edward Snowden case. And I just got very paranoid about, you know, the visibility of my data on the internet. And I was like, you know what? Physical piece of paper! Only I know its whereabouts. And it never leaves my side. And those are my passwords. It’s interesting that the advice has shifted now because at the time it was like they’re all different. And now it’s like, “Oh, they can all be the same.” And in general, we’ve spoken about this before at PaperCut when we’re talking about a workplace and we’re talking about print security, it’s a fine line between security which isn’t too inconvenient. And that’s why we have things like swipe card release and putting in a PIN code because anything that has too many touch points or becomes too inconvenient actually becomes counterproductive. So would you agree that there’s a fine line between productivity and security?
Stan: Absolutely. So this is something that we are always thinking about. There are two ends of a scale. So if you want to make it convenient and make your life easier for staff and be as productive as they can, then you have to go low on security. At the other end, you know, I can keep three factors of authentication and make life as hard as possible and make the system super secure. And then it affects your productivity. You’re reluctant to do something because it’s too onerous or too hard, and you have to jump through too many hoops. So it’s always a balancing act to find the sweet spot of productivity versus security. It’s always a challenge. It’s in front of our mind to, you know, find the sweet spot and say that, okay, this is a reasonable balance between not making it too hard at the same time, not making it, you know, easy for a hacker to get in because you have not implemented any measures.
Kieron: And obviously, there are workplaces out there where they need that inconvenience. They need those multiple steps of authorization and access. Thinking of every Mission Impossible movie I’ve seen where, you know, two people’s retinal scan is required, two people have a different password, there’s two keys, they’re turned at the same time. And while that example right there is quite animated and exaggerated, there are agencies like government bodies who do have a very high level of security access like that, don’t they?
Stan: Absolutely. So it comes down to the business case. So if you need something that requires a high level of security, then you implement additional layers of security to make it a lot harder. So, yeah, that’s standard practice. So if you’re hiding the blueprint to anything that’s highly sensitive, then you have to implement and you know, your staff are aware and accept the risk that, okay, you have to go through these additional steps to get the information that you need.
Kieron: Now, we’ve dived well and truly into how to secure your print workflow. We’ve touched on secure print release, and multi-factor authentication. Now let’s talk about what I think, in this overlooked realm of print security, is the most overlooked element of the print document’s life cycle: after you’ve pressed print. Well, overlooked in a way. We’ve talked about, forgotten print documents is probably one of the biggest leaks. But there’s very simple ways that you can secure your documents after you’ve pressed print. So, Stan, tell me about how you can do that…
Stan: Sure. In that realm of, you know, post-printing, once the document has come out, there are a few things that we typically look at, like audits and reports, archiving and logging, and the classic watermarking and digital signatures. So where you can trace. Watermarking and digital signatures basically give you the ability to trace the print job back to the owner. So that’s the whole idea of, you know, achieving that objective. So yeah, often quite an overlooked feature. But if your document requires it, it’s of sensitive nature, then you have to look at implementing features like that.
Kieron: Which is good for an organization - sometimes not too good for the owner of the document, if they’ve left that document somewhere, they shouldn’t have. But then let’s talk about, a watermark or a digital signature. I would say that’s probably not too useful. So let’s say that you’ve got a print document of like payroll or something and you’ve got it in your briefcase and you leave your briefcase on the train, and then you remember and you try and go back and the briefcase has disappeared. Now it’s all well and good that that document is watermarked and digital signature, but the document’s gone now. You’re not getting that. But how can you account for the whereabouts of that document?
Stan: That’s in the realm of physical security? So yeah, it is hard. There’s no simple workaround to it. You have to be careful around anything that’s sensitive and physically securing it is important. So as you said, yes, it’s great that you can trace back who committed the boo-boo of actually losing the document, but it does not actually help if the information has been leaked. So it is something that we have to be aware of and be conscious about not physically losing anything sensitive.
Kieron: But it does give you some accountability because, you know, let’s say that all of a sudden something’s being accessed and you’ll be like, “Well, what happened here?” And then you could go through the archive and be like, “This has been printed,” and, “Oh, you printed this document on the 12th of April and ten days later the data that was in that document was accessed. So what happened to that document?”
Stan: So that’s going into the realm of audit logs so you can actually trace it back in your system to clearly show an evidence trail of who printed what. So that way if something does come out and it becomes public knowledge, then you can at least see who actually printed that document. Because, yeah, if it has gone at the other end, there’s no way you can actually check or verify the watermark or the digital signature. But at your end, at the system end, you can actually verify who actually spat out the document.
Kieron: It just gives you that, that visibility into your printing environment. We’ve spoken about before on the podcast, like let’s say someone’s leaving the business and then in the last two weeks, all of a sudden they’re printing off like, you know, invoices and-
Stan: Their customer database. Yeah, that stuff.
Kieron: Which, again, that is an actual concern and that actually happens. That’s why we have things like offboarding when people are leaving a business so they can’t take their information to competitors.
Stan: So anything that’s intellectual property that is of concern. If you have your audit logging and your offboarding system set up properly, you are able to trace and find out or put in proper systems in place to prevent it from happening in the first place.
Kieron: So of those, you know, the print lifecycle steps we’ve got: Before - securing your infrastructure. During - securing your workflows. After - securing your output. And then all of those different forms. We’ve touched on different realms of physical, procedural, and technical security. Now to wrap up, I just want to ask, Stan, we’ve touched on it a few times in this episode. We’re going to do two things. First, I’m just going to ask you this question and then we’re going to wrap it up. We’re going to ask you for some tips, for some friendly tips for people out there. But. My hard-hitting question: what’s the number one thing about security you wish everybody knew?
Stan: If you’re specifically talking about print devices and IoT devices in that realm, is: changing the default password that comes out of the box.
Kieron: Right. Yeah, same with your internet modem and stuff like that.
Stan: So that’s the most common, something that we can all relate to and which I’ve seen quite often is security cameras. Yeah, hackers have a field day when people install security cameras, open it up to the internet and they don’t change the default system password. Now you have a feed that hackers can access that you set up very conveniently for them. So that applies to printers as well. If you deploy a printer and open it up to the internet and don’t change the default system passwords, a hacker can easily get into it.
Kieron: So what we’re talking about there is a term that I glossed over at the beginning of the episode, which is attack surface area. So if you have not switched your default password, your attack surface area widens in that your IoT device or whatever system it is, is more hackable and therefore more appealing to a hacker out there.
Stan: Absolutely. Do you mind if I share a story? This is quite a recent story-
Kieron: This is Print Geeks, share all the geeky stories you want, Stan!
Stan: Sure. In fact, I’ve got two interesting stories. One is going back more than a decade. It was a couple of researchers in the University of Columbia, I believe it was in New York. They did some analysis and found that it’s possible to hack into a certain brand of printers, cause it to overheat and catch fire. So that was an extreme example of showing that you can have a physical element to hacking. And the manufacturer of the printer ended up upgrading their firmware to prevent the device from overheating and they did patch it up. But I found that story just fascinating when it came out. That you can actually cause physical damage by a hacker sitting remotely.
Now coming to a more recent story that happened about six months back.
So I think an organization of researchers from an organization called Cyber News, they went to an IoT search engine and they found about 800,000 printers that are open to the internet. So they searched for common printing protocols that are opened up. And they created a sample of 50,000 printers, trying to hack into them. And they succeeded in hacking into, I think, about 28,000, which is about 56% of the printers they managed to hack into. And they printed out like a five-page document on print security on these devices.
Kieron: So they used their knowledge for good.
Stan: Not that we are encouraging hacking. It just proves the point that if you stretch that to the entire sample of 800,000, that would mean that roughly 400,000 devices out there could potentially be not secured. I’m pretty sure the stats have not changed a lot even if you go and do it right now. So that kind of shows the lack of awareness of people that, “Hey, you’re opening up these print and IoT devices to the internet. And you have not done the very basics to secure these devices.” Which is scary.
So there’s a couple of recommendations that I can put forth on what you can do - very simple things. Make sure that your print device sits behind a firewall. Moving on to only enable internet printing if it’s absolutely required. So anything that is purely local to your network, it’s better to make sure that it doesn’t have access to the internet at all. The next thing I would recommend is disabling every protocol that’s not required. So the current standard is IPS, which is over Port 443, which is secure printing. So there’s a whole heap of SNMP, SMB, and HTTP printing etcetera, which you can disable. So you know, and then other stuff that we’ve already gone through, secure printing etcetera. But these are a few very simple steps that you can take to make sure that, you know, your print device is not easily accessible and hackable over the internet.
Kieron: Yeah, so we talked about disabling internet access, disabling all ports on the printer that aren’t required. Before we get into these, these next little tips, I like in those anecdotes you shared, the 2011 one sounds like something out of Star Wars. In that, you know, there’s this one little small vulnerability and the whole Death Star will blow up. And little did you know, in your office, your printer might be that small hole that’s going to blow up the Death Star. And then in that other story, you know, we talked about how there was some nice hackers out there. So I just want to quickly touch on. Explain to me: white hat, black hat, and grey hat hackers.
Stan: Oh, okay, that’s just a common industry term that we use. In pretty much layman’s terms, explaining it to a non-techie person: black hats are your bad guys who do nefarious stuff with malicious intent. White hats are the good guys who are working on, sitting on the other side, trying to protect and defend against the black hat hacking attempts. And grey hats are somewhere in between, so they can change roles depending on the circumstance, they can switch camps and be like a gun for hire. They can do something for you if you pay them the right amount of money.
Kieron: Like the Dungeons and Dragons character index, you’ve got like, chaotically good, chaotically evil or chaotically neutral?
Stan: Absolutely. So that’s a very layman’s explanation of what the different kinds of hackers are.
Kieron: Now, let’s get back to these tips. So we’ve done disabling internet access, and disabling all ports. What are some other steps that you could take?
Stan: Another big one is patching. So we talk about patching firmware. So your print device - similar to your operating system on your endpoint device, like a laptop or a desktop, even phones these days. You would notice that the device manufacturer often releases security patches and the best practice recommendation there is to keep it as up-to-date as possible. So, frequently patching and checking, or setting your devices to auto-update. There are some caveats there. There are some systems that you probably shouldn’t auto-update without running through a proper test cycle. But for the average user, it would be a recommendation to keep your systems as up to date and patched up as possible. This applies to printers as well. Make sure your printer’s firmware is regularly patched. And we have already mentioned, you know, securing passwords, making them as strong as possible. 12 characters or more.
Kieron: And then, we just had the terms black hat, white hat, and grey hat. Talk to me about how you should set up a white list for your printing.
Stan: So basically, only accept jobs from specific IP addresses. So narrow down your attack surface as we say. So if you are allowing internet printing, you could narrow it down to very specific IP addresses and lock it down. So you know, only authenticated or users coming in from a very specific IP address can print. So that’s all part of closing down your attack surface as best as possible.
Kieron: All right. Well, I feel as if we’ve covered about all that we can, uh, in today’s podcast episode. Stan, thank you so much for coming on Print Geeks and for talking to us about security today. I’d like to get you back on some future episodes and we can dive even deeper into very specific print security topics.
Stan: Thanks, Kieron. Thanks for having me. I’d love to be back.
Kieron: Okay, well, to everybody else out there in podcast land: thank you for tuning in to Print Geeks. We’re nothing without you, so thank you very much. If you’re a fan of this show, please make sure you’ve subscribed on whatever platform you’re listening to us on. Just go hit subscribe, ding notifications or ding the bell, whatever the UX is there so that you get notified of episodes when they release. Which is every two weeks on a Wednesday down here in the Australia Pacific region, or that would be a Tuesday if you’re in the Americas region. And I think it’s a little bit of both if you’re in Europe and other realms of the world. Thank you so much for tuning in. Until next time, keep printing securely.