Printers are notoriously hard to secure—but help is out there

April 27, 20174 Minute Read

Earlier this year, printers at campuses across the US began to spew large numbers of the same offensive flyers, but nobody seemed to be sending them to print. At a global level, the hack spawned a major conversation about the huge boost of IT security vulnerabilities. Eventually, a hacker calling himself Weev claimed responsibility. He said the whole thing had been an experiment. “In our chat, I asked aloud a simple question: How many printers are there on the open internet? I wasn’t sure of the answer at the time. It turned out to be upward of a million devices.”

In this case, the “open internet” is a euphemism for connected devices—from tablets to connected thermostats—that require zero hacking to access. They also rely solely on their own obscurity to keep out unwanted guests. Sometimes this is the product of incompetent security, but often it arises from the need to grant visitors easy access to printing.

Peripherals are meant to be accessed quickly and easily. In many cases security professionals are forced to choose between security and ease of use. Even when IT decision-makers do choose security—often dealing with criticism from justifiably frustrated coworkers—they can still be let down by the hardware and software security features of the printers themselves. From using a weak network password to accidentally installing fraudulent drivers, there are plenty of ways IT professionals can create or compound IT security vulnerabilities in a network.

An ongoing effort

Thankfully, security professionals are no longer in that unenviable position. As device manufacturers finally wake up to the necessity of providing next-level security solutions, they’re developing ways for networks to be both safe and accessible. Some of the most important changes come down to coordination, and the ability of a small IT security team to keep a uniform set of rules across sprawling networks connecting many types of devices.

HP Inc., for example, now organizes the security of its printers and other connected devices with the HP Security Manager interface, which makes it easy to widely enforce standardized rules for user access, software compatibility, and networking protocols. The system will automatically assign unique certificates to identify each HP device, saving IT workers from the laborious process of assigning each one manually.

But at the end of the day, the weakest point in any security system is always going to be the human element. You can’t protect users from themselves—and the changes to security software they can make, both intentionally and otherwise. Truly secure networks need to reestablish the rules of a secure network on an ongoing basis. The strongest software solutions make regularly scheduled checks for device compliance. Any deviation from security best practices and the system either imposes a solution automatically or suggests one to the IT security team.

This level of attention to ongoing security wasn’t impossible before, but it was impractical, because no IT worker had the time to monitor the state of every vulnerable device. Computers can automate the most labour-intensive aspects of security, allowing modern software suites to innovate by applying old abilities in new ways.

Keep your enemies close

The attacks that keep us up at night take a more aggressive form. Rather than taking advantage of glaring mistakes by the IT security team, these attacks exploit coding vulnerabilities in operating systems and other foundational pieces of device code. To protect against that, more proactive security is required. The SureStart system has a so-called “self-healing BIOS” that checks its own low-level programming to make sure hackers haven’t undermined its ability to perform basic security functions. It’s no longer enough to set up a wall and hope it remains secure; you have to assume your walls have been breached without your knowledge and maintain ongoing searches for those you assume have gotten inside.

The need for this level of paranoia about IT security vulnerabilities is why automated security software is a necessity for every device in every connected office. These days, the mentality runs from the top of the business printer business to the bottom; for full security, you need everything from full disk encryption to physical locks on the document trays. Remember that printers produce physical documents, which can present a security vulnerability all its own. The most powerful solutions incorporate document security measures like multistage authentication and advanced watermarking.

Businesses need solutions that use modern security technologies to oppose modern hacking techniques; more and more often, hackers use automated software suites to execute their most damaging attacks. To survive in that world, your company’s defences need to be increased the exact same way.

Gary Hilson October 31, 2018 4 Minute Read

5 ways to prepare for PIPEDA’s updates

PIPEDA's getting an update, and it looks a whole lot like GDPR. Here are five best practices that will help you stay compliant.

Stephanie Vozza October 29, 2018 4 Minute Read

Brush up on these 4 fundamentals for Cybersecurity Awareness Month

From employee training to shoring up endpoints and passwords, get primed for Cybersecurity Awareness Month with these four security and privacy tips.

Graham Templeton September 26, 2018 4 Minute Read

Prepare for PIPEDA with better device security and data privacy

Complying with PIPEDA's new privacy amendments requires diligence in everything from internal processes to device security.