HP: Putting Print Security on the CISO Agenda
Amidst a rapidly evolving threat landscape, where malware and exploits continue to proliferate, endpoint security often fails to adequately protect networked printer and multifunction printer (MFP) devices. With its new enhanced LaserJet enterprise printer range, announced on 22 September 2015, HP is demonstrating its serious commitment to closing the print security gap.
In today's increasingly mobile and interconnected digital enterprise, cyberattacks are growing more sophisticated and are designed to inflict maximum damage on an organisation's systems and networks. The loss of sensitive information, be it personal or financial, can have huge financial and legal repercussions, not to mention the impact on brand reputation. According to the Ponemon Institute, the average consolidated total cost of a data breach is $3.79 million. Meanwhile, Quocirca's recent enterprise managed print services (MPS) study revealed that over 70% of organisations have suffered at least one data breach as the result of unsecured printing. Yet printing is an overlooked area on the Chief Information Security Officer (CISO) agenda. While focus is given to protecting traditional IT endpoints such as laptops, PCs and mobile devices, ignoring printers as a vital endpoint in an overall information security plan can leave an organisation exposed and vulnerable.
The print security gap
So what is the importance of securing these supposedly "peripheral devices"? Today's MFPs are advanced and intelligent document processing hubs which print, copy, scan and email. Information resides on hard disk and in memory, and with most MFPs now running advanced web servers, these devices are exposed to the same risks as any PC. At a basic level, uncollected sensitive or confidential output can be picked up from output trays, accidentally or maliciously, by the wrong recipient. Fortunately, there is a range of simple tools that enable user authentication (either via a smartcard or user PIN) to ensure print jobs are only released to authorised users. But at a deeper level, networked printers and MFPs need to be protected at the firmware and network level. Without adequate protection, the web server on an MFP can be exploited and compromised, providing open access to an enterprise's network. Indeed, it is not specifically the data on an MFP that may be targeted; the device is an entry point to the wider network.
HP's security enhanced enterprise LaserJet products
HP's recent announcements aim to address these vulnerabilities and demonstrate a significant advancement in printer security. HP boldly claims its new HP LaserJet Enterprise 500-series printers are "the world's most secure printers" because they support a strong set of default security features and settings but, perhaps most importantly, include advanced embedded security capabilities specific to HP devices. These include:
- HP Sure Start. To prevent an attack at the point of start-up, HP is implementing BIOS-level security with HP Sure Start. This applies the same BIOS security protecting HP's Elite line of PCs since 2013 to new HP LaserJet Enterprise printers. In the event of a compromised BIOS, a hardware protected "golden copy" of the BIOS is loaded to self-heal the device to a secure state.
- Whitelisting. This ensures that only HP authentic code and firmware can be installed and loaded onto devices.
- Run-time Intrusion Detection. This protects the printer by continuously monitoring memory to detect potential attacks and report them to Security Information and Event Management (SIEM) tools like ArcSight. The device will automatically reboot, flushing memory and bringing it back to a safe state. This technology was developed in partnership with Red Balloon Security, a US-based embedded device security company.
Additionally, HP will retrofit legacy devices, allowing customers to benefit from these security features for devices from 2011. According to HP, with a firmware update, all three features can be enabled on the HP LaserJet Enterprise printers delivered since April 2015. For HP LaserJet Enterprise printers launched since 2011, two of the features, whitelisting and Run-time Intrusion Detection, can be enabled through an HP FutureSmart service pack update.
Notably, HP is also addressing the needs of enterprises which operate a mixed fleet environment. HP JetAdvantage Security Manager, currently the industry's only policy-based printer security compliance solution, enables IT to establish and maintain security settings such as closing ports, disabling access protocols, auto-erase files and more. When a reboot occurs, the HP Instant-On Security feature will check and reset any impacted settings automatically to bring devices into compliance with the organisation's policy. Quocirca believes this is a real opportunity for HP to set industry standards with integrated print security management, much in the same way HP Web JetAdmin has become a standard tool for enterprise print management.
HP also offers a comprehensive Printing Security Advisory Service, which evaluates an enterprise's current print security position and recommends solutions to address an organisation's print security risk exposure. Indeed, Quocirca is seeing that managed print services customers are most advanced here, often undertaking security assessments which identify vulnerabilities. In fact, 90% of organisations using MPS had started or completed a security assessment. Certainly, this is having a positive impact, with Quocirca's research revealing that data loss is much lower amongst those that have conducted an assessment. Almost half of those that had conducted a security assessment indicated no data loss, compared to 14% of enterprises that have started the process.
Print is often an afterthought in the security equation, leaving an organisation's data and networks exposed to unnecessary risk. While all manufacturers offer some form of built-in security features along with third-party secure print solutions, there remains the opportunity to educate enterprises on the real risks that unsecured printers and MFPs pose. Consequently, enterprises remain uncertain of how to implement a secure print strategy that integrates with a broader information security strategy. Quocirca recommends that enterprise clients consider a managed print service that offers a broad security assessment and addresses the need for a layered approach to security, dependent on the business needs.
HP certainly now has a comprehensive set of hardware, software and services offerings to evaluate and minimise the risk exposure for its enterprise clients. This enterprise LaserJet product range introduction will certainly raise more awareness of the need to better secure the print environment, and we expect that HP's competitors will respond by highlighting their solutions and services in this area. HP's market dominance positions it well to lead the market and potentially set industry standards.
Chief Information Security Officers (CISOs) need to tighten print security, not only to protect information that resides on printer endpoints but also to recognise that an unsecured printer is a potential gateway to the corporate network. Ultimately, any security strategy is only as strong as its weakest link.