With 21 years under his belt, Jason O’Keeffe is one of the world’s foremost experts in IT security. As lead HP Print Security Advisor, he has firsthand knowledge and unrivalled expertise in cyber defense and compliance when it comes to network security and securing print infrastructure. Here, he shares the advice he gives his clients on securing their data, protecting their customers and staying compliant in the face of strict new regulations.
Security is now a business-critical, executive-level issue
When we conduct our security assessments, we ensure that business owners are present in the room, along with the IT team. That way, everyone is there to engage in an executive review. Often, we see light bulb moments, when business owners suddenly make the connection between the loss of data due to poor practices and vulnerabilities. Security can make or break a business and executives are beginning to realise the importance of working together with the IT team.
We recently worked with a customer on the East Coast of America, assessing their environment and the business. We discovered that the business had minimal to no policy on their printers – anyone could do anything, such as gain administrator access and brick the device, thus putting an $8,000 MFP printer totally out of service. What they didn’t realise was that they’d given administrator rights to a huge number of people in their organisation. On top of this, these administrator rights were generic, meaning the user name could have been ‘guest’ and the password was ‘guest’. When we explained how that risk could expose private company data, it suddenly clicked with everyone in the room. Part of our role is to educate two departments – IT, and senior management and the business owners – on the risk to their data.
Organisations aren’t taking printer security seriously enough
Customers see printers as a dumb device in the corner with no need for any security focus. Printers are not what they were five years ago; they are extremely intelligent, with full operating systems and embedded web servers. Customers think they’re protected because they’re behind firewalls, but firewalls are no longer enough to ensure proper defense. When they buy printers today, or an IoT device for that matter, customers need to start thinking about the security that’s attached (if there is any) and what configurations they need to make immediately. Hackers are always looking for alternative ways to get into your network, and there is no better way than a printer deep behind 2 layers of firewall vendors, behind IPS, IDS, SIEM, HIPS etc. Never underestimate a hacker’s mindset: they are a creative bunch of people, and I have seen first-hand how they can bypass firewalls, IPS, IDS etc. to reach your printers.
It’s easier than you think to apply new security standards
Smaller businesses see the security measures required in regulations like PCI, HIPAA, and now GDPR in 2018, as overwhelming challenges. I always tell them that they aren’t as difficult as they appear. In fact, it’s very easy to translate any standard into specific actions by just reading the regulations or standards and comparing them to the internal controls they already have in place. At HP, we help customers by translating security standards like PCI, HIPAA and GDPR and showing them how they apply to their printer infrastructure. Immediately customers see how they can protect 100s or 1,000s of devices on their network and align themselves to industry regulations. As a result, we have seen plenty of customers and executives becoming the new security heroes for their business.
Stay on top of security regulations by signing up to industry blogs
Regulations are constantly changing and being updated, and small businesses are unlikely to be able to afford a resource dedicated to monitoring regulations. Stay on top of regulation updates (to ensure you stay compliant) by subscribing to security newsletters. Do your research, sign up and set up alerts to be the first to find out about the latest major updates that could have an impact on your business IT practices. Customers should also talk to their industry peers and their vendors to ensure any products they buy are aligned to industry security best practices. Believe it or not, I am still seeing vendors (even some of the major vendors) out there not advising their customers on what I call basic security 101 practices. For example, how many businesses out there have changed the default account names and passwords on devices like printers on their networks? Are your printers accessible by the default accounts and passwords from the manufacturer? Do you know you can easily find the manufacturer’s default administrator accounts or other account types on the internet with a simple search? Again, this is a simple security control I like to refer to as security 101 good practice. Be aware, some device vendors out there make it extremely difficult to change default accounts and passwords. Select products from vendors that make it very easy, almost automatic, to change the administrative passwords. PCI & HIPAA regulations have controls to ensure passwords and administrator activity are tracked. Take, for example, HIPAA control 164.312(d), which refers to the ability to verify that the person accessing information is that person and not someone else. I have often seen print administrators sharing out generic administrator passwords amongst ten and sometimes hundreds of people. This means they can have the same generic user name and password, and they do this so often because it’s ‘just easier and saves time’.
There is no accountability and traceability here, yet when I work with them to show them how easy it is to implement a security control to align to this HIPAA requirement, they are extremely surprised at the value it brings to their business and security department. Quickly they become security heroes. This is just one example of a HIPAA control and what it may mean to printers; it is very similar in other regulations.
Compliance requires every change to be accounted for and traceable
Businesses are failing to put controls in place that take account of who is doing what across print devices. Printers have multiple access points and businesses need to know whether it’s server access or people who are making administrative changes. Compliance regulations are designed to ensure businesses account for every situation – are they recording who’s accessing their printers? If they’re not, those administrative accounts can be taken, leveraged and used to exploit those printers. Not only could hackers get access to the printers, but printers can become a platform for moving laterally inside the organisation to web servers and databases. In the words of one anonymous IT hacker at Black Hat EMEA 2016, ‘printers were sitting ducks on the network’. Make sure you’ve got accountability and traceability for any action taken with printers.
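One way to check the accountability point above, as an added example that is not from the original article or from HP: a Python pass over printer administration audit lines that flags generic account names and accounts used from more than one source address. The log format, account names, addresses and the one-workstation threshold are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: hypothetical key=value audit lines for printer admin actions.
SAMPLE_LOG = """\
2018-03-02T09:14:07Z printer=MFP-3F-01 user=guest src=10.20.4.17 action=login_admin
2018-03-02T09:15:44Z printer=MFP-3F-01 user=guest src=10.20.4.17 action=config_change
2018-03-02T10:02:31Z printer=MFP-3F-01 user=guest src=10.20.7.203 action=login_admin
2018-03-02T11:47:12Z printer=MFP-5F-02 user=guest src=10.20.9.88 action=firmware_update
2018-03-02T13:05:59Z printer=MFP-5F-02 user=jdoe-adm src=10.20.4.31 action=config_change
2018-03-02T13:20:03Z printer=MFP-5F-02 user=svc-print src=10.20.1.5 action=config_change
2018-03-02T14:41:26Z printer=MFP-5F-02 user=svc-print src=10.20.6.12 action=config_change
this line is malformed and must be counted, not silently dropped
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) printer=(?P<printer>\S+) user=(?P<user>\S+) "
                     r"src=(?P<src>\S+) action=(?P<action>\S+)$")
GENERIC_NAMES = {"admin", "administrator", "guest", "root"}  # assumed deny-list
MAX_SOURCES = 1  # assumed policy: one named admin account, one workstation

def audit(log_text):
    """Return (findings, unparsed_count) for printer admin audit lines."""
    sources = defaultdict(set)   # user -> source addresses seen
    printers = defaultdict(set)  # user -> printers touched
    unparsed = 0
    for line in filter(None, map(str.strip, log_text.splitlines())):
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1        # gaps in the trail are themselves a finding
            continue
        sources[m["user"]].add(m["src"])
        printers[m["user"]].add(m["printer"])
    findings = {}
    for user in sorted(sources):
        reasons = []
        if user.lower() in GENERIC_NAMES:
            reasons.append("generic account name")
        if len(sources[user]) > MAX_SOURCES:
            reasons.append(f"used from {len(sources[user])} sources")
        if reasons:
            findings[user] = {"reasons": reasons,
                              "printers": sorted(printers[user])}
    return findings, unparsed

if __name__ == "__main__":
    results, bad = audit(SAMPLE_LOG)
    for user, info in results.items():
        print(user, "->", "; ".join(info["reasons"]), info["printers"])
    print("unparsed lines:", bad)
```

An account flagged for multiple sources is a candidate for splitting into named per-person administrator accounts, so each change can be traced to one individual.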
Look at Peter Kim’s book The Hacker Playbook, an excellent book for security. It is somewhat technical, but Peter, who is a leading industry pen tester, really hits home the importance of testing your network for offensive attacks and defensive situations. His book looks at the ways to compromise networks and businesses. Hackers don’t care what the device is, once they can get a foothold inside your business. Peter Kim has a quote in the introduction on this point: “I probe around for a multifunction printer and see that it is configured with default passwords. Great, I am in…”. And Peter goes on to note: “We’ve compromised a number of companies using printers as our initial foothold. We move laterally from the printer, find Active Directory, query it with an account from the printer and bingo, we hit GOLD…”
As Peter has done, I too have seen how easy it is to compromise a printer to get a foothold into a network.
Businesses must take advantage of new, built-in security technology
At HP, we’ve built new features into our devices that can detect malware and automatically and instantly reboot to go back into a self-healing mode to make sure that the malware doesn’t succeed. ‘HP Sure Start’, Run-time Intrusion Detection and Firmware Whitelisting not only protect the device, but these features also collect security intelligence that IT teams can analyse and learn from. This technology helps businesses to mature their organizational security.
Improve your security by going back to the basics
For any endpoint device on the network, whether it’s a printer or a camera, go back to the basics and start with the protocols. Find out what protocols are being used for both sending and receiving data. It’s very easy to collect that data. If you buy a printer today and put it on your network, that printer will be accessible to lots of software programs via a large range of protocols. Someone needs to go through those protocols and decide whether they need them or not. Printers can send data via older, less-secure protocols that can leave data exposed to be captured by anyone. Businesses need to understand what technology is in these devices and how they are communicating, and go through the process of deciding whether to turn on or turn off a protocol. At HP, we now ship printers with older, less-secure protocols turned off. It might be a bit of a nuisance for businesses that have old print applications that require these less-secure protocols, but it adds an extra layer of protection, and from my security perspective I would much prefer to ship a hardened, secure device that has protocols locked down and then force IT to turn on what is needed per business requirements.
The future of security is consulting expert advice
At HP, we’re expanding our security consultancy services. We go into organizations and educate them on the risks, then help them with securing their infrastructure and addressing compliance requirements. Whether an organisation buys 10 printers or 100,000, they need to be aware of how to secure their print infrastructure, ensure they can adequately protect their customers, their company and their data, and at the same time align to industry regulations and standards.