“You missed a spot…”
Yes, I know. I hate this phrase too. It indicates that someone is watching over my shoulder when I am concentrating on some important task. This unwanted surveillance frequently diverts my attention from something I feel is crucial and draws it toward something I find unimportant or trivial.
Has this happened to you? If so, you might admit that sometimes this annoying feeling is unwarranted. Often the small issue that the uninvited critic catches, once corrected, saves a great deal of time and effort later in the project. The truth is, this probably happens more often than we would like to admit.
October is Cybersecurity month, and I believe that many organizations have indeed missed a spot in their protection plan. Guess what? It’s the same spot that is always missed… scan input and print output.
Okay, I know you’re rolling your eyes right about now. Nothing seems less vulnerable than these simple print transmissions – text, images, special data streams, etc. But the truth is that while companies largely ignore it, many hackers have noticed print as a vulnerability and are developing exploits for this area every day. Last year’s PrintNightmare vulnerability is one good example, but it is not the only one.
PrintNightmare exploited the low-level authority of the Windows spooling system and the underlying SMB protocol to transport ransomware throughout corporate networks. As you probably remember, fixing this vulnerability caused as many issues as the vulnerability itself.
In addition, modern multifunction devices (MFDs) are sophisticated computers running operating systems like Android and Java environments, both of which have long lists of known vulnerabilities. Sadly, few administrators think about doing the firmware updates needed to seal up known holes.
So what’s the answer? Better admin? Even more time searching databases and sealing holes in the traditional Castle-and-Moat security systems that continually prove they are not up to the task?
No. The answer is going back and cleaning up that spot. Yes, that spot you missed.
Many large customers are realizing that the path for vulnerability is the large, unwieldy hub-and-spoke network that has long been a mainstay of their environment. But as applications have changed, many companies have altered their new systems to pass only authenticated, verified packets through their networks. That way, their systems can run on the open Internet, and no VPN is required for application access. Several very successful companies have taken this concept to heart, encapsulating legacy applications so that the same concept applies to them.
This brings significant benefits: VPNs, leased line connections to remote offices, and even LAN access in corporate networks can be eliminated. There is no “logging on” via one’s workstation that can suddenly grant higher levels of access to malware. As a result, those workstations cannot act as a conduit into corporate resources for virus distribution. This vulnerable path simply no longer exists. In fact, the method one uses to log in to the workstation no longer matters at all, which is ideal for the world of “Bring Your Own Device.”
Hoorah! Security is now done by verifying every transaction, so everything is solved, right?
Nope. You missed a spot.
If those networks are severed, how can printing from central resources (like an enterprise application) occur? The reality is, it can’t. And what about that print traffic that originates from my workstation? Can that path still be used for distribution? Yes, it can. That path to the sophisticated computer that you call a printer is still wide open. And that printer may share network resources with critical applications because of the first problem I mentioned, right?
LRS anticipated this issue, and everything you need to function in this new world of modern security is available today. Unlike any other vendor in the market, LRS can authenticate to any central resource outside of the workstation’s basic abilities. Just like your trusted applications do.
While you may have brought your own personal Mac to work, and your account is Admin (like everybody else), LRS software will challenge your authentication credentials when you try to print. Once you are authenticated using your system of choice, LRS components will issue a secure User Token to both that workstation and the user.
Now, at print time, LRS processes can intercept output from the operating system, encrypt the data, and send it to a central spooling mechanism along with that User Token for handling. That Token must be checked with every print transaction to ensure authenticity. Just like your critical applications are doing today.
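To make the "token checked with every print transaction" idea concrete, here is an added sketch of a spool-side check; it is not LRS code and does not describe the LRS token format. The HMAC-signed token layout, the shared key, and the names `issue_token` and `check_print_job` are assumptions made for illustration, and job encryption is left out to keep the focus on the per-job check.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption: a key shared by the authentication service and the spool (constructed value).
SECRET = b"constructed-demo-key"


def _sign(body: bytes) -> bytes:
    return hmac.new(SECRET, body, hashlib.sha256).hexdigest().encode()


def issue_token(user, workstation, ttl=300, now=None):
    """Issue a token bound to both the user and the workstation after authentication."""
    now = time.time() if now is None else now
    claims = {"user": user, "ws": workstation, "exp": int(now) + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    return (body + b"." + _sign(body)).decode()


def check_print_job(token, workstation, now=None):
    """Run on every print transaction; returns (accepted, user_or_reason)."""
    now = time.time() if now is None else now
    try:
        body, sig = token.encode().split(b".")
    except ValueError:
        return False, "malformed token"
    # Verify the signature before trusting or even decoding any claim.
    if not hmac.compare_digest(sig, _sign(body)):
        return False, "bad signature"
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["exp"] <= now:
        return False, "token expired"
    # A token lifted from one workstation must not authorize jobs from another.
    if claims["ws"] != workstation:
        return False, "token not issued to this workstation"
    return True, claims["user"]


if __name__ == "__main__":
    tok = issue_token("alice", "ws-042", now=1000)  # constructed sample values
    for ws, t in [("ws-042", 1100), ("ws-099", 1100), ("ws-042", 2000)]:
        print(ws, t, check_print_job(tok, ws, now=t))
```

The spool rejects a job when the token is altered, expired, or presented from a workstation other than the one it was issued to, which is the property a per-transaction check is meant to provide.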
But what if I want to print to my MFD or printer without using the central spool? These security concepts still apply. The print cannot happen unless the authentication happens. While the data is sent directly to the device (after being intercepted and encrypted of course), it can be passed to the device using secure IPPS methods for printing.
And what about the device? Well, what if it requires you to authenticate as well, and still gets a Token from the authentication system? To make it simple, maybe you enter a PIN code or tap a proximity card to initiate print. Then the output device actually reaches back through the network to the LRS software to pull any output that you have printed. Though it is pulling it from a system on the open Internet, the data itself is encrypted, and both ends of the connection are authenticated to ensure security.
This secure environment extends to mobile devices as well. These use the same tokenized concept for transactional needs as your workstations. As a result, print from mobile devices is protected as well. What’s more, if you want to Scan into LRS components from either the mobile device or from the MFD, the same stringent authentication requirements apply.
So maybe you missed a spot. And maybe it’s more than a spot. But be assured that LRS has your back when it comes to security. Give us a call, and we’ll help you clean things up.