Multifunction Printers (MFPs), Multifunction Devices (MFDs), and the office copier are all similar pieces of office equipment. MFPs can scan to email, scan to folders, scan to cloud storage, fax, integrate with multiple types of workflow solutions and, oh yeah, they copy and print as well. MFPs have all of the components a computer on your network has: a hard drive, an operating system, and a network connection, which can be wired or wireless. During SymQuest's assessment process with potential clients, we pose this question to IT professionals: why treat MFPs any differently than computers on your network? In this guide you will learn how to protect your multifunction printer as part of cyber security for your business.
MFPs are vulnerable to attacks from your network and can be compromised. Once compromised, an MFP can be used to acquire information about your network, which an attacker will use to penetrate mission-critical targets, such as servers. Attackers can also use the MFP for spamming, network scanning, and Denial of Service (DoS) attacks (downing a network). Threats can even come in the form of routing all scans from an MFP to an unintended user. This guide is not intended to scare you, but to inform users and IT staff of how to prevent these occurrences and protect your business assets.
Password protect your device. Changing the factory default password to a stronger one will help prevent unauthorized users from accessing important information. MFP factory default passwords can be easily found either on the internet or within user manuals. The MFP holds pieces of information such as the IP addresses of email and file servers, email addresses, and network folder addresses. Attackers use this information like pieces of a puzzle: once the puzzle is complete, they can access a company's vital data or use email addresses for phishing, spamming and/or malicious activities (shutting the MFP down).
Stop printing paper. Instead of printing directly to the MFP, print to a secure mailbox at the MFP or use private print features. The end user prints their files to a secure mailbox on the copier, where the print jobs are secure and not visible. Users can enter personal identification and purge print jobs from their MFP. These are common features that are inherent to most devices. No additional items or cost are needed. Leaving printed Patient Health Information (PHI) or any type of private information at the device leaves room for compromise, and could also be a breach of certain federal regulations.
Create more levels of security on the MFP by:
- Disabling unneeded protocols (Bonjour, IPP, SMB, IPX/SPX, FTP). Make sure you check with your service provider for more detailed information.
- Disabling unused management protocols. Leave SNMP enabled for print management software and enable HTTPS communication.
- Configuring an Access Control List (ACL). Some devices can be configured with a list of IP addresses with which they are allowed to communicate. The MFP will not communicate with any other computer unless its IP address is in the list.
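As an added example (not from SymQuest or any MFP vendor), the Python below checks a device's recorded settings against the list above. The port numbers are the usual defaults for the named protocols; the function name, finding codes and sample records are assumptions made for illustration.

```python
import ipaddress

# Usual ports for the protocols named in the list above. IPX/SPX is not an IP
# protocol and has no port, so it can only be checked in the device settings.
# SNMP (udp/161) is deliberately absent: the list says to leave it enabled.
DISABLE_IF_UNUSED = {
    ("tcp", 21): "FTP",
    ("tcp", 139): "SMB over NetBIOS",
    ("tcp", 445): "SMB",
    ("tcp", 631): "IPP",
    ("udp", 5353): "Bonjour (mDNS)",
}


def audit_mfp(listening, acl_cidrs, required_hosts):
    """Compare one device's recorded settings with the checklist.

    listening      -- set of (proto, port) pairs the device has enabled
    acl_cidrs      -- networks entered in the device's ACL ([] means no ACL)
    required_hosts -- addresses that must reach it (print server, admin PC)
    Returns a list of (code, detail) findings; an empty list means it passes.
    """
    findings = []
    for proto, port in sorted(k for k in listening if k in DISABLE_IF_UNUSED):
        name = DISABLE_IF_UNUSED[(proto, port)]
        findings.append(("unneeded-protocol", f"{name} ({proto}/{port}) is enabled"))
    if ("tcp", 443) not in listening:
        findings.append(("no-https", "HTTPS management is not enabled"))
    if not acl_cidrs:
        findings.append(("no-acl", "device answers any IP address"))
        return findings
    nets = [ipaddress.ip_network(c) for c in acl_cidrs]
    for net in nets:
        if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0 allows everyone
            findings.append(("acl-too-broad", f"{net} matches every address"))
    for host in required_hosts:
        addr = ipaddress.ip_address(host)
        if not any(addr.version == n.version and addr in n for n in nets):
            findings.append(("acl-missing-host", f"{host} is not in the ACL"))
    return findings


# Constructed sample records (documentation address ranges, not real devices).
DEFAULT_MFP = {("tcp", 21), ("tcp", 80), ("tcp", 445), ("tcp", 631),
               ("udp", 161), ("udp", 5353)}
HARDENED_MFP = {("tcp", 443), ("udp", 161)}

if __name__ == "__main__":
    for code, detail in audit_mfp(DEFAULT_MFP, [], ["192.0.2.10"]):
        print(code, detail)
```

The "acl-missing-host" finding catches the practical risk of an ACL: leaving out the print server or management station locks those hosts out of the device once the list is applied.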
Lock down control of the MFP by using either built-in account controls or optional access control software (Equitrac, PaperCut, etc.). These systems or functions allow only authorized users to access the MFP, based on network credentials or account codes. Some MFP devices allow function-level control, where users can copy all they want, but when they scan, fax, or print they need to log in.
Turn on standard or optional security measures to prevent unauthorized tampering. These security features include:
- Automatic Overwrite of HDD Data
- Hard Drive Sanitization
- IP Filtering
- HDD Locking
- Encrypted Email
- Encrypted PDFs
These are the introductory steps for securing your MFP. This article is intended to provide information and make users aware, but also to trigger a conversation with your service provider regarding securing your assets and best practices. Remember: "You're only as strong as your weakest link." So don't let it be your MFP.