By Sean Hope
Senior Managed Printer Service Specialist
Perhaps you have heard the term “Zero Trust” at some point over the last couple years. If so, hopefully it was in the context of cybersecurity and not as part of a couple’s therapy session. Even if you have heard the phrase…even if you understand the technical aspects of how to execute a Zero Trust network architecture…or perhaps because you already know just how difficult it is to actually migrate to such an environment…it remains light years from being the reality for most organizations.
That is not to say that the principles of Zero Trust are to be ignored. On the contrary, IT departments across the country have largely begun applying these principles and best practices to their most valued and high impact security policies and procedures. Despite this, there is a ubiquitous type of network end point that is typically overlooked in this regard…printers.
As the name suggests, Zero Trust is in many ways a constant state of paranoia, but as the expression goes, “just because you’re paranoid doesn’t mean they’re not out to get you.” The concepts of eliminating open pathways allowing lateral movement within the network from device to device, multi-factor authentication, vigilant monitoring and expeditiously patching vulnerabilities are all part of the Zero Trust mindset. The challenges preventing organizations from switching to a full Zero Trust environment are both technical and cultural. On the technical side, it can take significant investments of labor and capital to enact such architectural changes to the network. Culturally, there is always some degree of resistance to change especially when that change can be costly and come with an end result that some view as negatively impacting convenience. Let’s face it, dual factor authentication alone is one (or two) steps more than some less technically inclined employees/employers are accepting of as standard operating procedure.
Why should organizations apply the principles of Zero Trust to printers? I’m glad you asked (even if you didn’t). In February 2021 the NSA published a document titled, “Embracing a Zero Trust Security Model” CSI_EMBRACING_ZT_SECURITY_MODEL_UOO115131-21.PDF (defense.gov). This article is a great in-depth explainer of Zero Trust as a whole, but one of the foundational tenets of the guidance provided is the mindset that, “a breach is inevitable or has already occurred.” Once we accept the reality that maintaining a strong firewall is not where security stops, we must look at how to minimize exposure to risk and exploitation. It is often said that security is a layered approach and incorporating printers into security strategies simply adds another layer to this approach.
Zero Trust principles can be applied to printers in both procurement and management. First off, understanding the differences in security features of different makes and models of printers is necessary to make strategic buying decisions. One telltale sign of a printer’s degree of built-in cyber protections is what the manufacturer emphasizes in the product’s marketing collateral. If a model has a competitive advantage in cyber security features, it most certainly will be emphasized in marketing materials from the manufacturer. Conversely, if a model only has the bare minimum of cyber security features, it will be reflected in how little detail regarding endpoint security is included on in a product brochure.
Supply chain attacks are an increasingly common tactic and a zero-trust mindset demands that steps be taken to protect the organization from such endeavors that by their nature are able to circumvent a network’s firewall. When it comes to printers and the supply chain the potential threats of a supply chain vulnerability are not just in the printer itself. Toner cartridges have chips in them that allow the cartridge to communicate with the printer. Every time a new cartridge gets put into a printer, you have an outside chip being introduced to a network endpoint behind your firewall. When applying the principles of zero trust the question here is regarding the supply chain security of the chip. Compatible toner cartridges are historically less expensive than OEM cartridges, but the security of their supply chain around them is a gray area considering that by their very nature these are reprogrammable chips.
While OEM toner cartridges provide can offer more peace of mind, it is important to note that even OEMs may be outsourcing production of their toner cartridges. According to this Keypoint Intelligence report from October 2021 (hp-cartridge-iso-20243.pdf (keypointintelligence.com), HP is the only manufacture to have all of their toner cartridges ISO 20243 certified for the entirety of the product’s lifecycle including the supply chain.
When adopting a zero-trust mindset, the security features of the printer and the toner cartridge need to be factored into strategic purchasing decisions. However, security concerns do not end with procurement. One critical element of zero trust is to apply firmware patches from the manufacturer in a timely fashion. Exploiting unpatched known vulnerabilities has been a hallmark of state sponsored hackers including groups that U.S. intelligence agencies have attributed to Russian intelligence services. Printers as an attack vector has become so common that the hacktivist collective known as Anonymous took advantage of known vulnerabilities in some printers to hijack over 100,000 printers in Russia to printout how-to instructions for citizens to circumvent the censorship of information regarding the Russian invasion of Ukraine.
Most organizations do not have a patch management process in place for their printers nor the bandwidth to develop and implement a recurring process. A printer that is unpatched for a known vulnerability and/or a printer that is so old that it is no longer supported by the manufacturer for security updates needs to be viewed as untrusted and not acceptable. Manufacturers today have begun offering tools to aid in the patching of printers, but these tools are not all created equally. Even those manufacturers that offer such tools are simply providing a capability to aid in the patching process, however, an unused tool is essentially a useless tool. This is where working with a Managed Print Services provider (like Usherwood) that has both the tools and the process to keep your printers up to date with security patches becomes vital.