Campus Printers: A Major Security Risk in Disguise
By Ben Bowen | July 30, 2019
[This Pharos article was originally published on LinkedIn]
In June 2017, universities around the United States received a nasty surprise when mysterious print jobs claimed a bomber had planted explosives across their school campuses. Although the threat turned out to be fake, the hacker’s ability to compromise university printers was obviously real — and that should concern administrators.
Campus printers pose a security risk that few schools take seriously. Recent research found that just 16% of IT managers believe printers pose a serious risk.
Unfortunately, hacking an unsecured printer is too easy. In the case of the university “bomber,” the hacker simply targeted open printing ports (the default port, in most cases) and was able to gain access to campus IPs. IT professionals must improve their protection to keep networks and devices safe.
When it comes to protecting a university’s computing infrastructure, locking printers down is often lacking (or doesn’t happen at all). However, best practices exist for securing your printer fleet, and administrators should recognize printer-related risks and take steps to mitigate them.
Understanding the Printing Landscape
Typically, colleges have computer labs and libraries that contain several printers. Individual departments and schools (in separate buildings) typically have their own fleets of printers. Students print in their dorms, faculty members print in their offices, and staff members print all over campus. Every printer connected to the network is a potential access point for a malicious third party.
Scattered printers often serve college populations by segments, but every college is unique. Some offer specialty printers and 3D printers, which present many of the same risks as traditional office printers.
University printing vulnerabilities can often be traced back to open ports. Printers are typically delivered in an open state to allow for easy network connection. Even when these printers are properly locked down, they’re commonly reset when serviced (reverting them to their original vulnerable state). This means not even IT admins are likely to know which printers are left open at certain times.
School IT administrators shouldn’t rely solely on the security features in their campus printers. To properly safeguard your devices, networks, and documents, consider the bigger picture —your printer ecosystem — and attack it holistically. This can be challenging because print is so decentralized across most higher education environments. Still, it’s achievable.
Create a More Secure Printing Environment on Campus
Beyond the usual security concerns around printers as network endpoints, there’s also the critical issue of document security. Secure printing is about more than securing devices to prevent remote access; it’s about manual processes, too. Faculty, students, and staff must understand that documents left unattended in printer output trays lead to confidentiality breaches and legal risk.
This common practice also creates opportunities for data breaches and academic plagiarism. I can’t tell you how many times I’ve seen protected personal information lying around on printer trays in admissions departments.
Pull-printing software resolves this issue: Students and staff members submit print jobs as they normally do, but instead of going directly to a target printer for immediate output, print jobs are “parked” in a secure virtual queue. People can then release — or “pull” — their documents while standing at any convenient printer on the campus network.
This workflow ensures documents aren’t left unattended in output trays, while also preventing wasteful reprints and stacks of unclaimed documents collecting around your printers. Pull-printing software also integrates with common student payment systems for cost recovery, departmental chargeback, and grant debiting.
But software solutions alone don’t constitute a comprehensive print security strategy. In addition to deploying pull-printing software, IT administrators in higher education should do the following to reinforce network defenses and protect valuable print assets across campus:
- Change the default password on every device.
- Use “https” when accessing the printer admin control panel webpage.
- Use current SNMP standards.
- Close all unnecessary ports on every printer.
- Shut down any unnecessary services on every printer.
- Stay current with firmware updates and patches.
- Make printing available only on the local network segment by restricting network access with a firewall and/or routing rules.
- Set and manage each printer’s access control list.
- Disable as many file system access protocols as possible.
- Periodically use the Shodan search engine (or another online security tool) to determine which network devices are vulnerable across your organization.
School IT administrators should also consider replacing outdated printers with newer, more secure models. Data security practices improve every year — but so do the techniques that hackers use to break into outdated systems. Proactively upgrading printer fleets can help prevent unauthorized access and reduce risk.
School IT leaders have a responsibility to protect students, employees, and other stakeholders from the potential damage of cyberattacks (including those involving their network printers). Left unchecked, poor printer security invites hackers into the network, allowing them access to sensitive areas and valuable information.
When it comes to printers and their role in overall campus security, the most prepared university administrators and IT professionals are those who follow these best practices and stay current with the changing technology landscape.