Document Advisors | IDeAs blog, for better document strategies.

Document Advisors | IDeAs blog, for better document strategies.

Also on Twitter | @DocAdvisors

HP Print Security Announcements

What would you say if you worked for a large company, and someone told you that a hacker, on the other side of the world, could easily, within five minutes, and with no prior knowledge of your organisation, get access to a printer on your network – which would not only allow him to access all data processed by the printer, but also enable him to control and use the printer, and potentially, to be able to gain access to all devices on your network?
You would say, no, not us, we have firewalls and state of the art security in place. It’s just not possible.

Yet HP explained just how easy it would be for a hacker to do what is described above. First, using software which can readily be purchased on the Internet, they would search for and identify hundreds of network printers and their IP addresses, in organisations all around the world. Then, they would select a networked device (could be from any manufacturer) in an organisation that they wanted to target. HP explained how, with a few mouse clicks, using a default password, the hacker would be able to get access to the printer, and potentially control it. The staff at the target organisation would not even be aware that someone from outside had gained access to the device on their network.

Most of us in the room would not have believed this was possible, until we were told how easily it could be done. The point which HP are making here is just how vulnerable printers are to hacking, and the danger this represents, not only in terms of access to the data passing through the printer, but also as a potential gateway to the rest of the network. In addition, some hackers have used access to print malicious spam messages on an organisation’s printers, which opens up all kind of other issues, including the risk of being sued for spreading defamatory or threatening material. Most organisations go to great lengths to protect their network with a firewall and multiple layers of security, and are well versed in the need for anti-virus and anti-malware protection of PCs and servers. However, they overlook the humble printer as a potential security weak point.

 

So, what should organisations do to address this threat? HP is taking the lead among printer manufacturers, with a comprehensive range of security features and services, to help clients minimise the vulnerability of their printers to hacking. Most manufacturers have recognised the need for some printer security for a number of years, but this has tended to focus on the physical aspects of hardware, including features such as hard disc encryption and secure disposal, and locking down of vulnerable ports.

HP has already, with previous announcements, gone much further, with a range of features, including HP Sure start – Secure Boot (with self-healing BIOS protection), Firmware Whitelisting and Run-time Intrusion detection (also self-healing). They also already announced Print Security Compliance Tools and Advisory Services.

Now, with the latest announcements, HP have added a lot more, to provide multi-layer security with a comprehensive set of features and services. This starts with making the printer itself as secure as it can be, and moves out through device and data hardening, threat monitoring, access controls, to add custom requirements (e.g. to address specific customer workflows), and ultimately aims to secure all printers within the organisation’s own network security or firewall.

The net result is that HP is now offering print security as a complete service, and this forms a core component of their MPS offering.

This starts with the addition of an in-depth print security assessment (which typically takes three days, with a team of specially trained security experts), and leads to recommendations for a customised security plan. Other new services include management and reporting on security controls, and remote management to automate maintenance of critical security controls. To these are added new implementation services, to ensure deployment meets industry best practice, and active monitoring and reporting, to ensure ongoing compliance.

 

All in all, this sounds like a timely solution to meet what is potentially a very big issue for many organisations. It is also very important that this is taken up by the whole industry, something which HP say they recognise, and want to play a leadership role in. The key issue, as always, will be whether the execution can match the strategy.
This is not just a question of whether HP can deliver on what they are promising, although of course that is an important issue, but also depends on other manufacturers agreeing to work together, to promote common standards, and last but not least whether customers will be persuaded to take the threat seriously. Experience tends to suggest they will only do so when a major security breach occurs, and forces them to pay attention, but let’s hope that HP can be persuasive enough to encourage companies to address this threat, before they are damaged by it.

Leave a Reply

To subscribe to our monthly DocLetter, simply add your email below. A confirmation email will be sent to you!

Information

This article was written on 08 Dec 2016, and is filled under Business Forecast.

Shortlink

http://tinyurl.com/z74jnyv

Current post is tagged

, , , , , , ,