Does NIST Really Matter for Printer Security?

By ASE Direct Team
on Oct 3, 2018

NIST Printer SecurityNetwork-enabled printers are a serious security threat for businesses of all sizes. Despite the risk, IT specialists rarely take necessary steps to secure their print fleets.

In fact, printers are often the last thing on IT professionals’ minds when it comes to cybersecurity. Cybercriminals know that 43% of companies ignore printers as endpoint security assets.

It is very easy to hack an unsecured printer. Most are automatically set to accept all incoming connections – which means that an unauthorized intruder on your network can take control of your printer and gradually work their way to any IT asset it’s connected to.

This is why a non-regulatory government agency called the National Institute of Standards and Technology (NIST) has issued guidelines for protecting data, systems, and networks from cyberattack. Only federal agencies have to comply with NIST security standards, but commercial office environments can benefit by independently maintaining compliance themselves.

NIST Security for Copiers, Printers, and MFPs – an Overview

NIST security guidelines outline the most prevalent cyberattack scenarios for modern IT environments and suggest ways to close security vulnerabilities. The institute’s most important report concerning imaging technology is a February 2015 report entitled Risk Management for Replication Devices.

This report put a spotlight on six potential security breaches related to imaging equipment. It demonstrated how organizations can effectively protect their data from being compromised through the print network.

Default Administrator Passwords. Any device that comes with a default administrator password is a security risk. IT teams tend to leave administrator passwords as is, making them an easy guess for cybercriminals.

Data Capture Methods. Whenever data is transmitted over a network from one device to another, there is a chance a third party intercepts it. End-to-end encryption is key to preventing cybercriminals from obtaining device passwords, sensitive customer data, or configuration settings through data capture.

Service Disruptions. NIST security for MFPs, printers, and copiers offers guidelines for mitigating the risk of service disruption by controlling vulnerable user interfaces and internal components.

Spam. Imaging hardware is usually configured to accept any incoming connection out of the box. Organizations need to establish systems for print authorization in order to reduce the chance of print fleet exploitation.

Data Corruption or Alteration. Devices that are automatically set to accept any incoming connection can have documents replaced or altered before print. This can generate confusing production bottlenecks and security vulnerabilities that are very difficult to track down and detect.

Outdated Firmware, Operating Systems. Embedded commercial operating systems can become security risks when not kept up-to-date with the latest releases. Patches and upgrades often serve to close security vulnerabilities – which can become a problem for older devices whose manufacturers no longer release updates.

Security Steps You Can Take Today

Addressing these security vulnerabilities in a comprehensive manner requires an expert print assessment. However, there are key steps you can take to improve printer security right now.

Disable USB Ports. USB printing is convenient, but it is also a security risk.

Routinely Wipe Hard Drives Clean. Don’t let encrypted data sit on printer hard drives indefinitely.

• Implement Follow Me Printing. Use your network to send documents automatically to the printer nearest the person who orders the print.

• Establish Protocols for New Devices. Whenever you procure a new copier or printer, wipe its hard drive clean and set up authenticated network access from the start.

Does Your Company Have to Follow NIST Guidelines?

NIST security for printers, copiers, and multifunction devices (MFPs) apply exclusively to government agencies. However, a broad majority of security-minded companies look to NIST guidelines as an example of security best practices for a range of industries.

The idea is that if a security compliance framework is good enough for the federal government, it should be good enough for a small business or an enterprise. This is true, and NIST guidelines help businesses achieve compliance with industry-specific regulations like HIPAA, FISMA, and SOX.

Organizations that need to become compliant but don’t have the proper infrastructure in place can look to NIST for a starting point. For instance, NIST guidelines include nine steps for FISMA compliance:

  1. Categorize the data that needs security protection.
  2. Develop a minimum control baseline for protecting that information.
  3. Refine baseline controls by conducting risk assessments.
  4. Document baseline controls with a comprehensive security plan.
  5. Roll out the refined security controls to IT assets.
  6. Monitor performance to measure security control effectiveness.
  7. Determine risk based on security control assessment.
  8. Authorize IT assets for processing.
  9. Monitor security controls continuously.

Improve Your Print Security to NIST Standards

Expert guidance can pave the way for you to obtain optimal security for your print network. While following the NIST guidelines can patch the most glaring security vulnerabilities your network might exhibit, implementing best-in-class security requires contacting experienced print security professionals.

How long will your print network remain unsecured? Contact ASE and have us conduct a comprehensive assessment today.

Topics: government, NIST, cybersecurity, print

Author: ASE Direct Team