Executive Summary of Thesis
The paradigm centres on the research question of ‘What are the risks posed by Multifunctional Printers (MFPs) to data and network security?’ which pursues a scientific approach. This is underpinned by a quantitative methodology into the different risk factors with risk being defined as the potential of threat[s] to exploit a vulnerability thereby placing an asset in danger (Chapple et al, 2018). The modern MFPs unlike the first commercially released photocopier by Xerox which only generated photocopies of documents, have been influenced by advances in technology to become computerised systems by incorporating software and hardware programs to perform and execute various functions. The paradigm is founded on the authors experience as a consultant in the information technology industry, observing inadequate security measures on MFPs and the absence of Print Management Policies.
The network design entailed configuring and implementing assorted hardware with the backbone of the network consisting of two Layer 3 Cisco Catalyst switches configured for SPAN (Switched Port Analyser). The hardware components consisted of HP ProLiant Servers operating as a Virtual Machine (VM) for two Microsoft VMs, one performing authentication and name resolution and the other tasked with the collection of data using Wireshark. Included in the design was a Raspberry Pi installed with Kali-Linux and a Lenovo laptop Windows 10 running Kali-Linux as a VM on Oracle VirtualBox. Kali-Linux incorporates preinstalled ethical hacking tools which were used to perform various penetration tests on the five sample MFPs and capture the generated data. The isolated network design delivers reliable and repeatable experiments in a controlled environment mitigating the potential for data corruption and supporting the verified and validated ethos of the research methodology.
The primary objective forms part of the research process of quantitative data capture using a port scanner (Nmap) and subsequent assignment of the discovered protocols on the MFPs to either the Management, Service or Uncategorised Protocols of the (i) Network Services threat category. The analysed data was compared to published threats in the research papers of Botha and Von Solms (2018) and Scott (2007) in addition to triangulation with the NIST National Vulnerability Database for known vulnerabilities for the five MFPs used during the experimentation phase. The analysis was performed on a total of five MFPs in a sandboxed networked environment which included three factory defaulted enterprise MFPs provided offsite at Principal I Ltd and two onsite to conduct the research into the potential risks posed by MFPs.
The secondary objectives relate to the threat categories of (ii) Unsecured MFPs including HDD and (iii) Unsecured Printout[s] and the risk of unsecured access to the MFP with the investigation highlighting the serious threat posed to an organization’s reputation and the potential of civil monetary penalties of up to £17 million or 4% of global turnover in breaching the Data Protection Act of 2018.
The analysed data from the Nmap scan of the five MFPs revealed that there was an increase to the attack footprint of 275% compared to the potential threats which were discussed by Botha and Von Solms (2018) and Scott (2007) in their respective publications. Causation dictates that the increase to the attack surface should not be used as the sole factor in determining risk but should include vulnerabilities identified along with the potential threat posed by the individual protocols and ports. To combat this security risk the attack footprint should be reduced by disabling unused or obsolete protocols or alternatively employing more secure protocols.
The biggest risk to an organization’s data security is the loss or theft of confidential and intellectual property with the consequences ranging from reputational and revenue loss to fines being imposed causing potential irreparable harm to business’s survival. This research demonstrates the ease of access of MFPs with the ability of an unskilled person to directly access system settings and controls with no accountability and even unintentional data breaches by staff members accidentally picking up and distributing confidential documents can lead to significant data breaches and subsequent penalties. This is supported by a report by Verizon where 58% of Healthcare Service security breaches across 27 countries over a two year period were initiated by insiders who were after personal data (Verizon, 2018). Even though not all of these were malicious it highlights the risk of businesses leaving devices vulnerable to internal exploitation. Through assessing the risk posed by MFPs to data and network security, this research shows that the most immediate threats are from the categories of (ii) Unsecured MFPs and (iii) Unsecured Printout[s] to data security resulting in potential financial penalties in contravening the Data Protection Act 2018 thereby requiring measures to reduce this risk. An attack on the (i) Network Services category requires an advanced skillset and wide ranging knowledge of IT technologies and techniques to be successful, but other targets are more lucrative and easier to access therefore posing a lower risk (Stewart et al, 2012).
The research used five MFPs which is a fraction of available devices but provides a representative sample of the models and functionality available. The rapidly evolving functionality of MFPs impacted the volume of relevant verifiable research available on MFP security, however the limited resources used for triangulation were in the forefront of MFP research and combined with the primary research data proved the paradigm that MFPs do constitute a risk to data and network security.
Botha, J. and Von Solms, S. (2018). “Security Threats and Measures on Multifunctional Devices”, ECCWS 2018 17th European Conference on Cyber Warfare and Security. Oslo, 28-29 June 2018. Reading, Academic Conference and Publishing International Limited, (pp. 38 – 48)
Chapple, M., Stewart, J., and Gibson, D. (2018). CISSP, Certified Information Systems Security Professional, Official Study Guide, 8th edition, Indianapolis, John Wiley & Sons Inc
Müller, J., Mladenov, V., Somorovsky, J., and Schwenk, J. (2017). Proceedings – IEEE Symposium on Security and Privacy, 213-230 [Online]. Available at https://www-scopus-com.libezproxy.open.ac.uk/record/display.uri?eid=2-s2.0-85024495259&origin=inward&txGid=dbcd1a0a61ed34866498ce06aa78cd6f (Accessed 29 November 2018
Scott, C. (2007). “Auditing and Securing Multifunctional Devices”, SANS Institute InfoSec Reading Room [Online]. Available at https://www.sans.org/reading-room/whitepapers/networkdevs/paper/1921 (Accessed 09 November 2018)
Stewart, J.M., Chapple, M., and Gibson, D. (2012) CISSP, Certified Information Systems Security Professional Study Guide, 6th edition, Indianapolis, John Wiley & Sons Inc
Vail, V. (2003). “Printer Security: Is It Really an Issue”, SANS Institute InfoSec Reading Room [Online]. Available at https://www.sans.org/reading-room/whitepapers/threats/printer-insecurity-issue-1149 (Accessed 02 December 2018)