Don't let hackers have a party

5 April 2017

Video

Your printer might be an open invitation for hackers to party on your network. It’s time to throw them out.

Hackers don’t just want access to your printers for the material stored on them; they have their eyes on a more valuable prize – your network. One click, and malware encoded in an email attachment installs software on the printer, laying the entire corporate infrastructure at their feet. Quickly and quietly, without any chance of an alert, a hacker has an open gateway to your network, bypassing all your security provisions.

Now think about what’s stored on that network: financial data, customer data, corporate strategy, intellectual property, confidential agreements. Even the personal data of employees may be leveraged to steal identities or develop new vectors of attack. And the irony? Your company may have invested many thousands – even millions – of pounds in network security, but left the printer wide open to assault.

Of course, the hackers can’t always do it on their own. Often it takes someone inside the company to click the wrong thing at the wrong time or give the wrong information to the wrong person. CompTIA’s 2015 Trends in Information Security Research found that 52% of US companies believed that human error was the leading cause of data breaches, with general carelessness and failure to follow policies and procedures the top examples.

A NODE4 UK report from 2016 came to similar conclusions; while 97% of the companies surveyed had a fundamental security policy, almost half said it wasn’t well adhered to by staff. High-profile data breaches at the Pentagon, eBay, the US healthcare company Anthem, Snapchat, Seagate Technologies and Sony Pictures Entertainment all involved human error, sometimes a thoughtless response to a phishing attack, sometimes malware installed through an attachment or a website link.

Real risks, real consequences

The dangers aren’t theoretical, and the printer makes a particularly tempting vector of attack. When the Ponemon Institute surveyed 2,000 IT professionals across EMEA, North America, Latin America and Asia Pacific in 2015, only 44% said that their organisation’s security policy stretched to networked printers. That’s a security gap hackers can use to install hacked firmware or malware, and an infected print job might just be the perfect vehicle. Not only can this provide instant and continuing access to data stored on the printer and new print jobs, but also access to the network the printer resides on. From there, malware can reach out not just to other printers, but to corporate email servers, data servers and individual PCs. After all, the printer’s sitting pretty inside the firewall, within easy reach of a host of networked devices and resources.

Given such a foothold, malware can proliferate. In 2016 the security researcher Chris Vickery noted that thousands of office printers, each housing gigabytes of storage, were vulnerable through the Internet to attacks that could see them hosting scripts and malicious Web pages, or calling executables from other locations. Other researchers have pointed out that printers could be ideal building blocks for a botnet, ready to wreak havoc in the network or online. After all, if you can pull off a Denial of Service attack with a botnet of IP cameras, how much more damage can you do with more powerful office printers?

Secure the printer, secure the network

We don’t have to give cyber-criminals the keys to our networks. For a start, we can work to guard against the human factor, not just creating and publishing security policies, but educating employees on why they matter, what hackers are trying to do and what the consequences could be. They need to know what they should and shouldn’t do and why – and the steps they can take to confirm that a phishing email is or isn’t legitimate.

Beyond that, we need a different approach to printer security; one that recognises the risks unsecured devices pose to the network and is effective in patching vulnerabilities. That starts with steps that work across a wide range of printers, including applying the latest firmware updates, disabling unused ports and changing the default security settings and passwords in line with the kind of security practice you would apply to any other piece of major IT infrastructure. The days when printers could accept a firmware update from any unauthorised source, remote or local, should be long gone.

It also means developing an ongoing strategy, so that patches continue to be applied and security policies rolled out across the fleet. Here tools like HP Web Jetadmin can be particularly useful, reducing the workload of securing and managing the fleet as a whole. HP JetAdvantage Security Manager goes even further, enabling you to create one security policy and roll it out across your fleet immediately. ID and CA certificates can be installed, integrated and renewed automatically, while printers and MFPs are assessed periodically for compliance with policy, with automated remediation to bring them into line. What’s more, HP Instant-on Security configures new printers as they join the network, instantly minimising risks.
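
The baseline steps above (current firmware, unused ports disabled, default passwords changed, no firmware from unauthorised sources) can be expressed as a periodic compliance pass over a fleet inventory. This is an added example, not HP's tooling or code from the original article; the inventory fields, host names, firmware versions and allowed ports are all constructed for illustration.

```python
# Added example: periodic compliance pass over a printer fleet inventory.
# Every record, version number and field name here is constructed.

POLICY = {
    "min_firmware": {"mfp-a": "4.10.0"},   # model -> oldest approved release
    "allowed_ports": {443, 631},           # HTTPS management, IPP printing
}

FLEET = [
    {"host": "prn-01", "model": "mfp-a", "firmware": "4.10.2",
     "open_ports": [443, 631], "default_admin_password": False,
     "signed_firmware_only": True},
    {"host": "prn-02", "model": "mfp-a", "firmware": "4.9.7",
     "open_ports": [21, 23, 443, 9100], "default_admin_password": True,
     "signed_firmware_only": False},
    {"host": "prn-03", "model": "legacy-x", "firmware": "1.0.0",
     "open_ports": [443], "default_admin_password": False,
     "signed_firmware_only": True},
]

def parse_version(text):
    """'4.10.2' -> (4, 10, 2), so 4.9 sorts below 4.10 (string compare would not)."""
    return tuple(int(part) for part in text.split("."))

def assess(device, policy):
    """Return the list of policy violations for one device record."""
    findings = []
    baseline = policy["min_firmware"].get(device["model"])
    if baseline is None:
        findings.append("model has no approved firmware baseline")
    elif parse_version(device["firmware"]) < parse_version(baseline):
        findings.append(f"firmware {device['firmware']} below baseline {baseline}")
    extra = sorted(set(device["open_ports"]) - policy["allowed_ports"])
    if extra:
        findings.append("unused ports open: " + ",".join(map(str, extra)))
    if device["default_admin_password"]:
        findings.append("default admin password still set")
    if not device["signed_firmware_only"]:
        findings.append("accepts unsigned firmware")
    return findings

def audit(fleet, policy):
    """Map each non-compliant host to its findings; compliant hosts are omitted."""
    report = {d["host"]: assess(d, policy) for d in fleet}
    return {host: f for host, f in report.items() if f}

if __name__ == "__main__":
    for host, findings in audit(FLEET, POLICY).items():
        print(host, "->", "; ".join(findings))
```

A device whose model has no approved baseline is reported rather than silently passed, which is how unmanaged legacy printers surface in the audit.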

Printer security redefined

For real peace of mind, however, it makes sense to replace older printers or printers without robust security features with printers designed to meet today’s Internet threats. HP’s 2015 and 2016 office and multi-function printers bring in a trio of technologies that could halt the attack seen in the video in its tracks. HP Sure Start extends technology from HP’s business PCs to printers, enabling detection of and self-healing recovery from a malicious attack on the printer’s BIOS. If the BIOS can’t be validated, the printer rolls back to a protected ‘golden copy.’

Whitelisting technology ensures that only known, good firmware can be loaded and executed, preventing hacked firmware with an open door to the network from being installed. If the firmware can’t be validated during the loading process, the device reboots and holds at the pre-boot menu to stop any malware loading.

Finally, Run-time Intrusion Detection detects potential malware intrusions in the printer’s system memory, permanently working in the background to check the memory space and rebooting if a possible intrusion is discovered. If auto-recovery is disabled or a possible intrusion occurs twice within thirty minutes, the printer reboots and holds at the pre-boot menu to prevent any malware from executing.

Any one of these technologies might have prevented the kind of attack seen in the video from succeeding. Together, they close off attack vectors that hackers have so far been free to exploit. For too long, the printer has been an open back door, just waiting for cyber-criminals to sneak on in. With the right technology and security, you can make it so much harder for the hackers to break in.