Print Security–The biggest IoT Threat in Offices?

Printers and Copiers: The biggest IoT threat in Offices?
Ronald Chestang – World Wide Senior Security Consultant
Managed Print Services
Marc Chartrand – Technical Consultant
Printing and Imaging Products
Security Threats & Breaches are Pervasive
85% of IT pros reported they’ve experienced a security breach or threat in the last 12 months.
39% of government entities consider printers a priority to secure [1]
50% of government entities actually deploy security practices to printers [1]
End points in organization security practices:
96.1% Desktops/Laptops
83.7% Servers
73.8% Mobile Devices
50.6% Printers
[1] GovLoop, Print Security Study of IT managers in U.S. Federal, State and Local Government entities, March 2016
Risks and costs of unprotected printing environments
Cyber crime, internal breaches, compliance infringement, and more can hurt your business
60% of companies surveyed had a data breach involving printers [1]
73% of CISOs expect a major security breach within a year [2]
64% of IT managers state their printers are likely infected with malware [3]
= Financial loss: fines, loss of business, damaged reputation, and class-action lawsuits
$7.7M average annual cost of cyber crime [4]
[1] Ponemon Institute, “Insecurity of Network-Connected Printers,” October 2015.
[2] Help Net Security, “Why enterprise security priorities don’t address the most serious threats,” July 2015.
[3] Ponemon Institute, “Annual Global IT Security Benchmark Tracking Study,” March 2015.
[4] Ponemon Institute, "2015 Global Cost of Cyber Crime Study," October 2015.
IoT
“I probe around for a multifunction printer and see that it is configured with default passwords. Great I am in” ... Hackers Playbook by Peter Kim.
“YES! We've compromised a number of companies using printers as our initial foothold...”
Google Search 11/1/16: 39,500+ Hits = 30K+ HP printers accessible from internet
Today’s printers look a whole lot like PCs
Hardware
Firmware and
software
Internet
Email
Network access
© Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
PC
Print
PJL / PostScript
134 different Vulnerabilities
Over 50 modules/attacks
250 different Vulnerabilities
Over 400 modules/attacks
The Basics — printing carries risk
Vulnerabilities across device, data and document need to be managed
BIOS and firmware: Compromised firmware can open a device and network to attack
Management: Undetected security gaps
Network: Jobs can be intercepted as they travel on the network
Control panel: Users can exploit device settings
Storage media: Printers store sensitive information
Capture: Can be used to send scans anywhere
Input tray: Special media can be tampered with or stolen
Output tray: Abandoned sensitive documents
Mobile printing: On-the-go employees may expose data
Pwn – “All Mine”
Printer security breaches
Case studies
Security Risk: breach examples
Recent history can open our eyes to the cost, pain and extent of cyber crime

Breach: Anthem Blue Cross and Blue Shield, 2015
Affected: Up to 80 million records, including client names, dates of birth, physical and email addresses, medical IDs and Social Security numbers
Estimated cost: >$100 million [4]
Exploited vulnerability: Sensitive data, including Social Security numbers, was stored unencrypted [5]

Breach: Target stores, 2015
Affected: 70 million credit and debit cards [6]
Estimated cost: $148 million [7]
Exploited vulnerability: Phishing email sent to HVAC system contractor with unsecured network access [8]

Breach: Aalborg Farve og Lak
Affected: Systems disabled and encrypted with ransomware. IT infrastructure needed to be replaced
Estimated cost: 1,000,000DK
Exploited vulnerability: Access to corporate network achieved via a label printer [9]

Breach: KPMG study in Sweden, 2014
Affected: 13 of 14 Organizations were infiltrated by malware which was in contact with external C&C servers.
Estimated cost: Undisclosed
Exploited vulnerability: Multiple methods of infiltration used. 11 Organizations were exfiltrating data from various endpoints.

[4] ZDNET, February 2015, http://www.zdnet.com/article/anthem-data-breach-cost-likely-to-smash-100-million-barrier
[5] The Wall Street Journal, http://www.wsj.com/articles/investigators-eye-china-in-anthem-hack-1423167560
[6] New York Times, http://www.wsj.com/articles/SB10001424052702303754404579312232546392464
[7] New York Times, http://www.nytimes.com/2015/08/06/business/target-puts-data-breach-costs-at-148-million.html?_r=0
[8] Krebs On Security, February 2015, http://krebsonsecurity.com/2015/02/target-hackers-broke-in-via-hvac-company/
[9] Hacker kom ind via labelprinter, April 2015, http://www.computerworld.dk/art/233684/hacker-kom-ind-via-labelprinter-tog-dansk-firmas-it-systemer-som-gidsel
[10] Swedish Civil Contingencies Agency, https://www.msb.se/en/Products/Publications/Publications-from-the-MSB/Information-Security--trends-2015-A-Swedish-perspective/
[11] KPMG, http://www.kpmg.com/SE/sv/kunskap-utbildning/nyheter-publikationer/Publikationer-2014/Documents/Study-report-UnknownThreats-in-Sweden.pdf
Printers at 12 Colleges Spew Hate Fliers in Suspected Hack
MARCH 25 2016, 4:06 PM ET
“DePaul University said it suspects their printers were hacked and are now taking steps to secure them from future breaches.”
Hacker claims to have within minutes identified roughly 29,000 printers that were connected to the Internet and could be exploited through an open port, then automated a procedure that asked each vulnerable machine to print the hate flyer.
The fliers were discovered at Princeton, Brown, Northeastern, UC Berkeley, DePaul, UMass Amherst, Smith College, Mt. Holyoke, among others.
March 2016
Unsuspecting students and office workers were surprised to find offensive anti-Semitic messages on their printers last week, courtesy of the hacker "Weev."
Aug 2016
Columbia University
• A grad student in 2011 exposed a flaw in printing devices that could let hackers hijack the devices to spy on users, spread malware and even force the devices to overheat and catch fire
• Printer did not have code signing validation, which allowed the breach
Source: Scientific American “Printers Can Be Hacked to Catch Fire” November 29, 2011
http://www.scientificamerican.com/article/printers-can-be-hacked-to-catch-fire/
Affinity Health
• Multiple leased MFPs were returned to the leasing agent without erasing the confidential medical records and data contained on the hard drives
• The company who later purchased the MFPs discovered the records on the hard drive
• Affinity estimated that 344,579 individuals may have been affected by the breach
• Breach resulted in $1.2 million in HIPAA violations
Source: cnsnews.com “Company Fined for Leaving Electronic Health Data on Hard Drive of Leased Photocopier” August 15, 2013
http://www.cnsnews.com/news/article/company-fined-leaving-electronic-health-data-hard-drive-leased-photocopier
The printer security conversation
“How are your PCs protected from cyber attacks? Do you protect your printers in the same way?”
“Is your printer fleet safeguarded from data breaches and enabled to effectively log and track all activity?”
“How do you ensure confidential documents aren’t left unsecured on the printer?”
“Did you know that an unsecured printer fleet could be a compliance risk?”
“Do you have an asset disposal policy for your copiers/printers that includes disc removal or sanitization? What about repair? Is a defective drive retained and destroyed?”
“Did you know that the average office copier can scan pages at almost 1 per second? If “scan to email” is enabled but without authentication, how do you prevent a contractor, visitor or other untrusted individual from sending your inside information to the outside world?”
Reasons to Develop a Print Security Policy:
External audit
Regulation
(formerly CBP)
Compliance
Resources and Additional Information
2
Our Philosophy: Design for Cyber Resilience
Protect: Continue to increase protection at all levels of platform compute
Detect: Even when protections fail, and they will, detect that things have gone wrong
Recover: Goal: No Downtime! Focused effort to ensure we provide continuous business productivity, and lower TCO by providing seamless recovery
Security is Built-in, Not Bolted On; Platform is Secure by Default
Design is Holistic, Comprehensive, and System Agnostic
The Basics — strongest embedded device protection
The world’s most secure printers
1 HP SureStart: BIOS integrity checking at startup with self-healing capability
2 HP Secure White Listing: Device loads only ‘known good firmware’
3 HP Run-time Intrusion Detection: Constant in-device monitoring for malicious attacks
4 TPM Chips: Trusted Platform Module (optional): Industry standard tamper-proof module to store key security credentials
1 Based on HP review of 2015 published embedded security features of competitive in-class printers. Only HP offers a combination of security features for integrity checking down to the BIOS with self-healing capabilities. A FutureSmart service pack update may be required to activate security features on the HP LaserJet M527, M506, M577. Some features will be made available as a HP FutureSmart service pack update on select existing enterprise printer models. For list of compatible products visit: http://h20195.www2.hp.com/V2/GetDocument.aspx?docname=4AA6-1178ENW. For more information visit: www.hp.com/go/LJsecurityclaims
HP JetAdvantage Security Manager
A simple, intuitive and efficient process for securing your fleet
1 Create/review policy
2 Add devices
3 Assess devices
4 Remediate devices
5 Renew certificates
6 Review results
HP Security Manager makes it easy to monitor and protect your entire fleet
Secure your fleet of HP devices with the solution Buyers Laboratory, LLC calls “trailblazing”
Direct
connect
ports
Types of
policy
settings
Control panel
lock
Authentication
Services 802.1x
Authentication
FTP Firmware
Update
Novell remote
configuration
Device PIN
presence
File erase
mode
LDAP Server
Authentication
250+ security settings available in HP enterprise MFPs
PJL password
Device
Control
Fax speed
dial lock
File system access
protocols
SNMPv1/v2 SNMPv3
Credentials
Admin (EWS) password
File system password
Fax PIN
Bootloader password presence
Network
Services
User authentication
Remote
Firmware
upgrade
Public
username
Job storage
authentication
Device
Discovery
Allow return
email address
change
Email
Secondary email authentication
Restrict Addresses
Send to fax
authentication
Authentication
Walk-up
authentication Send to e-mail Send to folder
Service Location
Protocol (SLP)
Telnet
Credential
type
Copy authentication
I/O timeout
Command load and execute
Maximum
attachment size
authentication
authentication
Job creation authentication
Bonjour
Web Services
Discovery
(WS-Discovery)
Link-Local Multicast Name
Resolution Protocol
TCP/IP Printing
(P9100)
Printing
File Transfer
Protocol
Internet Printing
Protocol
Novell (IPX/SPX)
JetAdvantage Security Manager Customer
A major banking customer needed to secure 30,000 devices.
BEFORE
AFTER
Less than
25%
97%
Assessment:
3 Hours
of fleet complies with
the security policy
of fleet complied with
security policy
12
servers
4
hours
daily
effort
More than
2 servers
HOURS
saved
every day
by built-in
reports
HP Access Control Software Suite
Securing the information, the device and creating an audit trail
HPAC for Pull Printing and Authentication Functions
• Limit device & document access via card and/or password/PIN
• Authenticate and track users for walk-up functions and print job release
• Encrypt documents to protect confidential information
• Enable users to print or authenticate to any HPAC equipped device for greater productivity
• Data at rest security: NO jobs sitting in output bin
Devices, Solutions and supporting Managed Print Services
The most comprehensive device, data and document security to protect your business, revenue and reputation
Secure MPS
Secure Devices: The world’s most secure printers with self-healing security features
Security Solutions: Security Solutions to detect, protect, monitor and manage your fleet
Security Professional Services: Experts to assess your current risk, build and maintain a secure print environment
Sure Start
JetAdvantage Security Manager
Printing Security Advisory Service
Security management & compliance
Environment assessment and recommendation
Whitelisting
Access Control
Printing Security Implementation Service
Secure authentication & job accounting
Software & Process deployment
Intrusion detection
Secure Private Print
Printing Security Advisory Retainer Service
SIEM integration
JetAdvantage Partner Solutions
Printing Security Governance & Compliance
Print security
Safecom, Troy, Pharos, JetMobile, Equitrac, etc.
TPM Support
MPS
Recurring security updates
Security management & compliance
Thank you