Executive Summary of Thesis
The paradigm centres on the research question of what risks Multifunctional Printers (MFPs) pose to data and network security, and pursues a scientific approach. This is underpinned by a quantitative methodology examining the different risk factors, with risk defined as the potential of threat[s] to exploit a vulnerability, thereby placing an asset in danger (Chapple et al, 2018). Unlike the first commercially released photocopier by Xerox, which only generated photocopies of documents, modern MFPs have been influenced by advances in technology to become computerised systems, incorporating software and hardware to perform and execute various functions. The paradigm is founded on the author's experience as a consultant in the information technology industry, observing inadequate security measures on MFPs and the absence of Print Management Policies.
The network design entailed configuring and implementing assorted hardware, with the backbone of the network consisting of two Layer 3 Cisco Catalyst switches configured for SPAN (Switched Port Analyser). The hardware components consisted of HP ProLiant servers operating as a virtual machine host for two Microsoft VMs, one performing authentication and name resolution and the other tasked with collecting data using Wireshark. Included in the design were a Raspberry Pi 3 installed with Kali-Linux and a Lenovo Windows 10 laptop running Kali-Linux as a VM on Oracle VM VirtualBox. Kali-Linux incorporates preinstalled ethical hacking tools, which were used to perform various penetration tests on the five MFPs and capture the generated data. The isolated network design delivers reliable and repeatable experiments in a controlled environment, mitigating the potential for data corruption and supporting the verified and validated ethos of the research methodology.
The primary objective forms part of the research process: quantitative data capture using a port scanner, with each protocol discovered on the MFPs assigned to the Management, Service or Uncategorised Protocols subsection of the (i) Network Services category. The analysed data was compared to the threats published in the research papers of Botha and Von Solms (2018) and Scott (2007), and the analysed primary data was triangulated with the NIST National Vulnerability Database for known vulnerabilities in the five MFPs used during the experimentation phase. The investigation into the potential risks posed by MFPs was performed on a total of five MFPs in a sandboxed networked environment: three factory defaulted enterprise MFPs provided offsite at Principal I Ltd and two onsite.
The secondary objectives relate to the threat categories of (ii) Unsecured MFPs and (iii) Unsecured Printout[s] and the risk of unsecured access to the MFP. The investigation highlights the serious threat posed to an organization’s reputation and the potential for civil monetary penalties of up to £17 million or 4% of global turnover for breaching the Data Protection Act of 2018.
The analysed data from the Nmap scan revealed an increase to the attack surface of 275% compared to the potential threats discussed by Botha and Von Solms (2018) and Scott (2007) in their respective publications. Causation dictates that the increase to the attack surface should not be used as the sole factor in determining risk; the assessment should also include the vulnerabilities identified, along with the potential threat posed by the individual protocols and ports. Failure to consider these other factors puts the objectivity of the project at risk and may lead to a flawed conclusion. To combat this security risk, the attack footprint should be reduced by disabling unused or obsolete protocols or, alternatively, by employing more secure protocols.
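One way to carry out the categorisation and footprint-reduction steps on scan output from your own devices, as an added example that is not code from the thesis: it parses Nmap grepable (`-oG`) output, bins open ports into the three Network Services subsections, and lists cleartext services to disable or replace. The port-to-category mapping, the replacement table and the sample scan lines are assumptions constructed for illustration.

```python
import re

# Assumed mapping for illustration; the thesis does not list its category assignments.
CATEGORY = {23: "Management", 80: "Management", 161: "Management", 443: "Management",
            21: "Service", 515: "Service", 631: "Service", 9100: "Service"}
# Cleartext protocols and a more secure replacement to configure instead.
REPLACE = {"telnet": "ssh", "ftp": "sftp or ftps", "http": "https"}

# Constructed `nmap -oG` output for two hypothetical MFPs (192.0.2.0/24 is a documentation range).
SAMPLE = (
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 21/open/tcp//ftp///, 23/open/tcp//telnet///, "
    "80/open/tcp//http///, 443/open/tcp//https///, 9100/open/tcp//jetdirect///, "
    "50001/open/tcp//unknown///\tIgnored State: closed (994)\n"
    "Host: 192.0.2.11 ()\tPorts: 443/open/tcp//https///, 631/open/tcp//ipp///, "
    "515/closed/tcp//printer///\tIgnored State: filtered (997)\n"
)

def parse_grepable(text):
    """Return {host: [(port, transport, service), ...]} for open ports only."""
    hosts = {}
    for line in text.splitlines():
        m = re.match(r"Host: (\S+) .*?Ports: ([^\t]*)", line)
        if not m:
            continue  # status-only lines and comments carry no port list
        for entry in m.group(2).split(","):
            f = entry.strip().split("/")  # port/state/transport/owner/service/...
            if len(f) >= 5 and f[1] == "open":
                hosts.setdefault(m.group(1), []).append((int(f[0]), f[2], f[4]))
    return hosts

def audit(ports):
    """Bin open ports by category and list cleartext services to disable or replace."""
    bins = {"Management": [], "Service": [], "Uncategorised": []}
    harden = []
    for port, transport, service in ports:
        bins[CATEGORY.get(port, "Uncategorised")].append(port)
        if service in REPLACE:
            harden.append((port, service, REPLACE[service]))
    return bins, harden

if __name__ == "__main__":
    for host, ports in parse_grepable(SAMPLE).items():
        bins, harden = audit(ports)
        print(host, bins)
        for port, service, better in harden:
            print(f"  {port}/{service}: disable, or replace with {better}")
```

Ports that land in Uncategorised are the ones to investigate first, since nothing in the mapping explains why the device exposes them.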
The biggest risk to an organization’s data security is the loss or theft of confidential and intellectual property, with consequences ranging from reputational and revenue loss to fines being imposed, causing potentially irreparable harm to business survival. This research has shown that the threat categories that pose the most immediate threat are (ii) Unsecured MFPs and (iii) Unsecured Printout[s]. However, (i) Network Services is less of a risk only because the attacker’s skillset needs to be highly advanced, requiring wide-ranging knowledge of IT technologies and techniques, and because other targets are more lucrative and easier to access (Stewart et al, 2012).
The case study used only 5 MFPs as part of the research project, which is a fraction of the available devices but provides a representative sample of the types and functionality available. The limited academic research existing on MFP security, together with the rapidly evolving functionality of MFPs, had an impact on the research, as it reduced the resources available for triangulation in the secondary research into proving the paradigm that MFPs do constitute a risk to data and network security.
Botha, J. and Von Solms, S. (2018). “Security Threats and Measures on Multifunctional Devices”, ECCWS 2018 17th European Conference on Cyber Warfare and Security. Oslo, 28-29 June 2018. Reading, Academic Conference and Publishing International Limited, (pp. 38 – 48)
Chapple, M., Stewart, J., and Gibson, D. (2018). CISSP, Certified Information Systems Security Professional, Official Study Guide, 8th edition, Indianapolis, John Wiley & Sons Inc
Müller, J., Mladenov, V., Somorovsky, J., and Schwenk, J. (2017). Proceedings – IEEE Symposium on Security and Privacy, 213-230 [Online]. Available at https://www-scopus-com.libezproxy.open.ac.uk/record/display.uri?eid=2-s2.0-85024495259&origin=inward&txGid=dbcd1a0a61ed34866498ce06aa78cd6f (Accessed 29 November 2018)
Scott, C. (2007). “Auditing and Securing Multifunctional Devices”, SANS Institute InfoSec Reading Room [Online]. Available at https://www.sans.org/reading-room/whitepapers/networkdevs/paper/1921 (Accessed 09 November 2018)
Stewart, J.M., Chapple, M., and Gibson, D. (2012). CISSP, Certified Information Systems Security Professional Study Guide, 6th edition, Indianapolis, John Wiley & Sons Inc
Vail, V. (2003). “Printer Security: Is It Really an Issue”, SANS Institute InfoSec Reading Room [Online]. Available at https://www.sans.org/reading-room/whitepapers/threats/printer-insecurity-issue-1149 (Accessed 02 December 2018)