POSTED ON: 4/22/2012
ASSURANCE AND RISK MANAGEMENT SERVICES
THE UNIVERSITY OF QUEENSLAND AUSTRALIA

Corporate Printer Security Guidelines

1. Standards/Guidelines

Printer technology has advanced – printers are no longer dumb devices with no memory. A common multi-function device (MFD) or multi-function printer can perform all or most of the following tasks:

- Printing
- Copying
- Stapling/stacking
- Digital sending to email
- Digital sending to a network folder
- Document management

Confidential and/or sensitive data often flows to printers and MFDs. Without adequate security, this data could be subject to unauthorised access. It is not sufficient to rely on security policies and procedures, as they are not always specific regarding configurations. Ideally, there should be detailed standards, procedures or guidelines for the management and configuration of all networked printers and MFDs.

2. Default System Passwords

Networked printers and MFDs should not be deployed without changing their default passwords, as these default passwords may be exploited. A printer configuration that is not locked down via strong passwords may be subject to a man-in-the-middle attack carried out through IP address modification or the use of easily obtainable freeware/shareware tools. Written procedures or guidelines should require that the default factory-set passwords be changed as one of the first steps of deployment.

3. & 4. SNMP

Simple Network Management Protocol (SNMP) is an application-layer protocol that helps administrators monitor and manage network devices, including printers. It uses a community string to authenticate connections. In the earlier versions of SNMP (versions 1 and 2), the community string travels across the network in clear text or, sometimes, with weak encryption, which leaves remote administration susceptible to packet sniffing. SNMP v3 has more robust encryption and authentication mechanisms.

If an intruder gains access with write privileges, they can potentially change most parts of the printer configuration. The changes an intruder can make depend on the management information bases defined by the printer vendors. There are also some vulnerabilities that may lead to a printer leaking the Telnet and HTTP administrative passwords or information about the documents printed.

5. Central Management

If printers and MFDs are centrally managed, changes can be made to the control configuration file and pushed out to these networked devices. If not, there is a need to develop more than one printer-specific standard that gives detailed settings and instructions.

6. Location

Ideally, critical printers and MFDs (used for printing, photocopying, scanning or faxing critical and private/personal information, e.g. cheques, patients’ health information, students’ academic transcripts and testamurs) should be located in a secure area. This is to prevent unauthorised access to confidential and personal or private information.

7. & 8. Modify Rights

If any user has access to modify files located in a buffer or print server, there is a risk of unauthorised changes to the data (data integrity risk).

9. Auditing

If auditing is turned on, print logs should be monitored using a risk-based approach, e.g. a printer in a library may not need audit logs turned on. Logs of print jobs can be reviewed as an adjunct to determine whether the individual who printed a job is authorised to print it, and other suspicious activity, such as the volume of print jobs, can also be reviewed.

10. & 11. SFTP/TELNET

Services such as File Transfer Protocol (FTP) and Telnet should be disabled if not used. With FTP, an end user could employ the “put” command to print a document directly to a printer. Telnet could be used for administrative purposes, and hence is dangerous in the wrong hands.

12. HTTP/HTTPS

HTTP services are sometimes vulnerable to a variety of attacks, e.g. denial-of-service, cross-site scripting and directory traversal. Were an unauthorised user to gain access to the interface, there is a potential risk of the user downloading documents, faxes and history logs. HTTPS services should be used instead.

13. JETDIRECT

If the JetDirect port is not properly restricted, there is a possibility that almost anyone can connect directly to it and gather information about the printer configuration or download documents.

14. & 15. Patch Management

To further prevent remote unauthorised access to print files, security patches should be applied in accordance with the patch management policy as and when they are released. In addition, system management and security procedures must be reviewed frequently to maintain system integrity.

16. & 17. Printer HDD Security

Hard disk data “encryption” and hard disk data “overwrite” features should be turned on where available. Hard disk data encryption secures data on the hard disk drive by storing it encrypted, rendering the content inaccessible should the drive be removed. Hard disk data overwrite automatically erases data on the hard disk after each job is completed.

18. Disposal

The amount of information contained in printers and MFDs can be significant and sensitive. Hence, it is necessary to ensure that information and records are appropriately managed and removed prior to disposal of the printer or MFD. In accordance with Information Standard 13: Procurement and disposal of ICT products and services (IS13), disposal of government-owned Information and Communication Technologies (ICT) resources must be:

a. conducted with approval from the accountable officer or delegated personnel; and
b. supervised and certified upon completion by a person delegated by the accountable officer.

For further information on how to ensure records are appropriately managed, please refer to Information Standards on Retention and Disposal of Public Records (IS31) and Recordkeeping (IS40) before undertaking ICT resource disposal processes.

19. - 21. Information Security

According to the Queensland Government Information Security Controls Standard (section 2.7 QGISCS), printer ribbons, programmable read only memory (PROM) and read only memory (ROM) “cannot be sanitised and should be destroyed if they contain or may have contained security classified information assets” and if the information is not subjected to recordkeeping requirements as outlined in Public Records Act 2002 and UQ Records Management Policy.

“Other media including various forms of erasable or alterable PROM (EPROM), laser printer and photocopier drums, and magnetic media such as hard disk drives may be sanitised for reuse by wiping or by using a suitable degaussing tool. Sanitisation of magnetic media by erasure should be performed using specifically designed security erasure software to effectively wipe the contents of electronic storage media.”

It is also important to ensure that any encryption keys are removed from the media.

As outlined in Queensland Government Information Security Classification Framework, the classification schema for security classified information are:

a. National Security Information
b. Non-national Security Information

“National security information is any official resource (including equipment) that records information about, or associated with, Australia’s:

- security from espionage, sabotage, politically motivated violence, promotion of communal violence, attacks on Australia’s defence system or acts of foreign interference
- defence plans and operations
- international relations, that relate to significant political and economic relations with international organisations and foreign governments
- national interest, that relates to economic, scientific or technological matters vital to Australia’s stability and integrity.”

“Non-national security information is any information asset that requires increased protection and does not meet the definition of national security information. Most often this will be about:

- government or agency business, whose compromise could affect the government’s capacity to make decisions or operate, the public’s confidence in government, the stability of the market place and so on
- commercial interests, whose compromise could affect the competitive process and provide the opportunity for unfair advantage
- law enforcement operations, whose compromise could hamper or render useless crime prevention strategies or particular investigations or adversely affect personal safety
- personal information, which is required to be protected under the Information Privacy Act 2009, the Public Records Act 2002 or other legislation.”

Section 2.7 of QGISCS states that, “security classified material may be disposed of by:

- pulping: transforming used paper into a moist, slightly cohering mass, from which new paper products will be made
- burning: (in accordance with relevant environment protection restrictions)
- pulverisation: using hammermills with rotating steel hammers to pulverise the material
- disintegration: using blades to cut and gradually reduce the waste particle to a given size determined by a removable screen
- shredding: using cross-cut shredders.

Where the disposal method is shredding, classified material should be destroyed using a cross-cut shredder that reduces waste to a particle size of 2.3mm x 25mm or less.”
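
The print-log review described in section 9 (Auditing), as an added example that is not part of the original guideline: it checks each job on an audited printer against an access list and totals pages per user per day, leaving unaudited printers out of scope. The CSV layout, printer names, users and page limits are constructed assumptions, not values from the guideline.

```python
import csv
import io
from collections import defaultdict

# Constructed sample log (assumed CSV layout: timestamp, printer, user, pages).
SAMPLE_LOG = """\
2012-04-02T09:14:00,finance-mfd,alice,4
2012-04-02T09:40:00,finance-mfd,bob,2
2012-04-02T10:05:00,library-1,carol,120
2012-04-02T11:30:00,finance-mfd,mallory,3
2012-04-02T13:02:00,records-mfd,dave,310
2012-04-02T13:20:00,records-mfd,dave,295
2012-04-02T15:45:00,records-mfd,erin,12
"""

# Risk-based scope (hypothetical policy data): only these printers are audited.
AUDITED_PRINTERS = {
    "finance-mfd": {"authorised": {"alice", "bob"}, "daily_page_limit": 200},
    "records-mfd": {"authorised": {"dave", "erin"}, "daily_page_limit": 500},
}

def review_print_log(log_text, policy=AUDITED_PRINTERS):
    """Return sorted findings as (kind, printer, user, day, detail) tuples."""
    findings = set()
    pages = defaultdict(int)  # (printer, user, day) -> pages printed that day
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4:
            continue  # blank or malformed line
        when, printer, user, count = (field.strip() for field in row)
        rule = policy.get(printer)
        if rule is None:
            continue  # printer is not in the audited set (e.g. a library printer)
        try:
            n_pages = int(count)
        except ValueError:
            continue  # page count is not a number
        day = when[:10]
        # Check 1: was this user authorised to print on this printer?
        if user not in rule["authorised"]:
            findings.add(("unauthorised_user", printer, user, day,
                          "not on access list"))
        pages[(printer, user, day)] += n_pages
    # Check 2: does any user's daily volume exceed the printer's ceiling?
    for (printer, user, day), total in pages.items():
        limit = policy[printer]["daily_page_limit"]
        if total > limit:
            findings.add(("high_volume", printer, user, day,
                          f"{total} pages > {limit}"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in review_print_log(SAMPLE_LOG):
        print(finding)
```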
"Guidelines - printer security webpage"