Well Duh!

Pleeaaaze, not only is this old hat to some of us, but yes it is generally ignored by the major corporations that utilize networked MFPs heavily. But the reality is there is already corporate policy in place within IT. Its called a corporate security policy. The only thing that needs to change to utilize it is realize they are SERVERS that just happen to spit bits of plastic on paper.

That networked multifunction printer sitting innocently in the corner of your office just might be the most significant entry point for hackers to hijack sensitive data from your business.

Even worse, security researchers warn, they are a forgotten risk in every enterprise, featuring hardware that combines several functions in a single unit—fax, copier, printer and scanner.

“A compromised [multifunction printer] is dangerous for a number of reasons. First and foremost, no one in the enterprise pays attention to them. That lack of visibility makes for a very attractive attack platform,” said Brendan O’Connor, a researcher who was among the first to call attention to the printer security risk during a Black Hat talk in 2006.

“When I was doing my research, I had dozens and dozens of MFDs under my control, and no one in IT knew what I was doing. The idea of an attacker having equipment completely under their control on a company’s internal network is a frightening proposition,” O’Connor said in an interview with eWEEK.

Continuting…

Thomas Ptacek, principal and founder at New York-based penetration testing firm Matasano Security, said the risk is more than just theoretical.
“Should my mom be worried that a hacker is living in her printer? No. But, if you’re a Fortune 500 company, vulnerable printers on your network is a scary thing,” Ptacek said in an interview with eWEEK.

“There are several of these printers on every floor of every business, basically working as file servers for important documents,” Ptacek said. “Printers deal with much more sensitive information than your typical file or storage server, but they get no protection whatsoever. They’re altogether ignored as a risk on the network. Do you know of anyone looking for patches for a printer? People underestimate how dangerous these things are.”

In the financial and health sectors, for example, he said a skilled hacker with unfiltered access to a print server can do serious damage.

“He can hide himself in there with a rootkit, capture all the documents passing through the print server. He can take over the printer and basically have full control of every action. It’s the perfect catbird seat,” Ptacek said.

What is missed by most IT types is the concentration of information flow that hits a printer. Some of it at the very top, in executive row. For all the data that sits on servers to mine by some hacker it is a diffuse chunks of data compared to what would come out of a hacked printer from the Executive Assistants in the typical board room row of the Fortune 500. It is all nicely condensed, formatted and forward leaning in what the company is preparing to do for the future. It also carries with the considered assessments of the 1/4 of management as to actionable thinking.

[Shameless Plug Dept.: So still concerned and don't know what to do? I am available to consult, having 10yrs experience in corporate print methodologies and cost reductions in this area of IT for a fortune 10. link.]

Linky