Why print security?
With everything on your agenda — security
and otherwise — the last thing you probably
want to think about is print security. We have
some compelling reasons to rethink your
security priorities.
$7.7M is the average annual cost of cybercrime.3
73% of CISOs expect a major security breach within a year.2
64% of IT managers state their printers are likely infected with malware.1
Contents
Why print security?
• The new endpoints
• Print-related exploits are on the rise.
Securing your printers
• Fighting the enemy on 3 fronts
The HP solution — secure printing from devices to data to documents
• Device protection
• Data protection
• Document protection
Monitor and manage printing environments.
• Set fleet-wide security settings, and establish access and usage policies.
• Monitor for risks and maintain compliance.
• Get the help you need from the experts at HP.

The new endpoints
You’ve probably heard how the now-infamous Target hack was perpetrated through its unprotected Heating, Ventilation and Air Conditioning (HVAC) system. With the proliferation of Internet of Things (IoT) devices comes a proliferation of access points, or endpoints, that need to be protected from attack. When a hacker can access your network and your valuable corporate data through your IoT-connected HVAC system, you know you’re looking at a new era in security.

Printers are another new kind of endpoint. They’re connected to your network, and many models are further connected over your wireless network, heightening opportunities for attack. A hacker could use a networked printer to gain access to not just the printer’s queue, but your entire directory.

Print-related exploits are on the rise.
Just two years ago, a researcher at Red Balloon Security developed the Funtenna hack for networked printers. It takes just seven lines of code to turn a printer into an antenna that transmits data without even using Wi-Fi or Bluetooth®. More recently, a hacker exploited a vulnerability that found many printers exposed to the internet through port 9100. He then used that exposure to print anti-Semitic fliers to workplaces and homes across North America using a simple Bash script.

No one wants to go back to a time when printers were hard to access and difficult to troubleshoot. But how do you secure your printers while maintaining their flexibility? Let’s take a look at how to lock down print security without locking down your printer’s functionality.

Securing your printers
Modern printers have a host of convenient and productivity-boosting features, but they also have a substantial number of potential vulnerabilities.

Figure 1: Potential vulnerabilities in a connected MFP device.
• Storage media: Imaging devices store sensitive data on internal drives, which must be protected.
• BIOS and firmware: Firmware that becomes compromised could open the network to attack.
• Output tray: The output tray is the most common place for sensitive documents to fall into the wrong hands.
• Mobile printing: Employees who print on the go may accidentally expose data.
• Management: Without adequate monitoring, security blind spots across your fleet may remain undetected.
• Network: Printing jobs can be intercepted as they travel over the network to/from a device.
• Input tray: Special media for printing checks, prescriptions, etc. can be tampered with from an unsecured tray.
• Ports and protocols: Unauthorized users can access the device via USB or network ports or unsecured protocols like FTP or Telnet.
• Capture: Multifunction printers can capture and route jobs to many destinations, potentially exposing sensitive data.
• Cloud-based access: Unsecured cloud connectivity may expose data.
• Control panel: Users can exploit device settings from an unsecured control panel.

Fighting the enemy on 3 fronts
What to do when you have so many potential points of entry for malicious individuals? Divide and conquer. Concentrate your efforts on three fronts and win the war:

1. Protect the device.
Your printer or Multifunction Printer (MFP) is vulnerable through its firmware and device settings. Upgradeable firmware allows you to patch the printer when new exploits occur. The best defense for your devices is firmware that compares itself against the last known good version at startup, shuts down and notifies IT if there are unauthorized changes.

When it comes to changing device settings to exploit a weakness, you’ll want to look for a printer that can be automatically monitored and remediated if the settings are changed outside of your security policies. That way, you can be certain your device settings stay in a locked-down state.

2. Protect the data.
The best way to protect data residing on or in transit to your printer is encryption. Look for printers that include hard disk encryption, along with advanced authentication controls. Mobile printing is another possible security vulnerability. You need to make sure you use a mobile device solution that includes user authentication and data encryption.

3. Protect the document.
One of the most common printer security breaches is also one of the most low-tech: Someone grabs something off the printer that contains sensitive information about your employees or your business. When you protect privacy, you protect your documents. Pull-printing solutions like HP JetAdvantage™ Private Print allow you to store your print jobs in the cloud and then release the prints at the device via a code or ID badge. When you remove the chance for documents to be exposed at the printer tray, you exponentially increase your print security.

The HP solution—secure printing from devices to data to documents
Understanding the enemy is only a part of the strategy. HP has a long legacy of print leadership and has pioneered the field of print security to win the title of “World’s Most Secure Printers.”4 Let’s look at how HP® print security features combat threats to your security.

Device protection
HP’s features and add-on solutions can help you defend your printers and teach simple but effective security habits to your user base.5

Embedded security features
HP Sure Start works behind the scenes when printing and imaging devices power on—helping to safeguard your device from attack. HP Sure Start validates the integrity of the BIOS code at every boot cycle. If a compromised version is discovered, the device restarts using a safe, “golden” copy of the BIOS.

White-listing works to ensure only authentic, known-good HP FutureSmart firmware that’s digitally signed by HP is loaded into memory. Any tampering will invalidate the firmware so that it will not pass the white list, and a notice will be sent to administrators warning of the intrusion attempt.

Run-time intrusion detection helps protect devices while they are operational and connected to the network, which is when most attacks take place. It checks for anomalies during complex firmware and memory operations, and automatically reboots to recover if an intrusion is detected.

Physical security
It’s also a good idea to secure any physical access points to prevent unauthorized use. Lockable input trays, for example, secure sensitive paper stock, such as prescription paper or check paper.

Data protection
To ensure print security, you need to protect your data from the client to the printer to the cloud.5

Secure keys, credentials and certificates.
HP Trusted Platform Module (TPM) is an accessory that you can add to your devices to strengthen protection of encrypted credentials and data by automatically sealing keys to the TPM.

Encrypt print jobs in transit.
Make print jobs virtually impossible to read if intercepted. Protect your network and documents with a variety of encryption options, and, for added security, choose end-to-end Secure Encrypted Print. The HP Universal Print Driver provides true symmetric AES256 print job encryption and decryption from the client to the page, based on a user-defined password using FIPS 140 validated cryptographic libraries from Microsoft.

Control access to the printer.
Require authentication for access to device
settings and functions, and enable user access
controls like PIN or LDAP authentication,
smart cards or biometric solutions. HP Access
Control Secure Authentication offers
advanced authentication options, including
touch-to-authenticate with NFC-enabled
mobile devices.

Encrypt stored data.
HP devices come with built-in encryption
to protect sensitive data stored on the internal
drive or hard disk, both vulnerable locations
for data loss.

Remove sensitive data.
Storing data about completed jobs on
your devices creates unnecessary risk of
exposure. Use built-in device capabilities
to securely overwrite stored data, and
safely remove sensitive information. This
is especially important when disposing of
devices or returning leased equipment. HP
custom recycling services can ensure data is
eliminated from hard drives before they're
responsibly recycled.

Secure capture and route.
Ensure scans are protected with document
encryption features or encrypted email.
Control where users are able to route scans
and monitor content for information
governance. HP also offers a rich portfolio
of HP JetAdvantage Workflow Solutions
that combines advanced capture and route
capabilities with enterprise-level security.

Document protection
Protecting your documents is crucial
to overall print security.

Secure pull printing.
Pull printing holds print jobs on a server,
in the cloud or on your PC until your users
identify themselves with a PIN or other
verification method. The job then prints
securely, right into their hands. HP has two
pull-printing options:
• HP JetAdvantage Private Print is cloud-
based, reducing complexity and providing
all of the functionality without the setup,
installation and maintenance.
• HP Access Control Secure Pull Printing
is a robust, server-based solution that
offers multiple forms of authentication,
including badge release, as well as
enterprise-level security, management
and scalability.

Enable secure mobile printing.
Printing from a smartphone or tablet is
extremely convenient and productive for
employees, but it could be less than secure
if you don’t establish a business-grade
mobile print solution. With HP’s wireless
direct printing, employees can print from
their mobile devices without connecting to
your network via a secure WiFi Direct®,
peer-to-peer connection. Alternately, HP has
several business solutions that enable secure
mobile printing:
• HP JetAdvantage Connect offers
intuitive, reliable mobile printing
designed for business that seamlessly
leverages existing IT network tools
and policies to manage mobile printing.
• HP Access Control Secure Pull
Printing leverages your existing email
infrastructure, allowing mobile users to
email a print job to their print queue and
then pull it from any enabled printer.
• HP ePrint Enterprise allows users to
print from their mobile devices to
company-networked printers, including
guest printing, PIN printing and
integration into many major Mobile
Device Management (MDM) solutions.

Monitor and manage printing environments.
Securing your devices, data and documents
plays a vital role in establishing sound print
security practices. However, you need to go
one step further in order to defeat security
concerns for good. Managing your policies
and monitoring their activity is imperative
for continued print security.

Set fleet-wide security settings, and establish access and usage policies.
Centralized management allows you to apply a single security policy across your fleet to prevent protection gaps. Choose from built-in options or added software applications to establish access and usage policies for groups and individuals.
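
The fleet-wide policy check described above, as an added example that is not HP's code or part of the original paper: it compares each device's reported settings against one baseline and lists the values to push back. The setting names, device names and inventory are constructed assumptions.

```python
# Added example; setting names and inventory values are constructed assumptions.
from dataclasses import dataclass

# Baseline drawn from risks the page lists: unsecured protocols (FTP, Telnet),
# port 9100 exposure, an unsecured control panel, unencrypted internal storage.
BASELINE = {
    "ftp_enabled": False,
    "telnet_enabled": False,
    "raw_9100_enabled": False,
    "panel_auth_required": True,
    "disk_encryption": True,
}

@dataclass(frozen=True)
class Finding:
    device: str
    setting: str
    actual: object    # None: the device did not report this setting
    required: object

def assess(device, settings, baseline=BASELINE):
    """Return a Finding for every setting that differs from or is absent from the baseline."""
    findings = []
    for key, required in baseline.items():
        actual = settings.get(key)          # unreported settings fail closed
        if actual != required:
            findings.append(Finding(device, key, actual, required))
    return findings

def remediation_plan(fleet, baseline=BASELINE):
    """Map each drifted device to the values that restore it to the baseline."""
    plan = {}
    for device, settings in fleet.items():
        drift = assess(device, settings, baseline)
        if drift:
            plan[device] = {f.setting: f.required for f in drift}
    return plan

# Constructed sample inventory, not real devices.
FLEET = {
    "mfp-lobby": dict(BASELINE),
    "mfp-finance": {**BASELINE, "telnet_enabled": True},
    "lj-warehouse": {"ftp_enabled": False, "telnet_enabled": False,
                     "raw_9100_enabled": True, "panel_auth_required": True},
}

if __name__ == "__main__":
    for device, changes in remediation_plan(FLEET).items():
        print(device, "->", changes)
```

A device that omits a setting from its report is treated as non-compliant for that setting, so a gap in monitoring shows up as drift rather than as a pass.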
HP JetAdvantage Security Manager is
the most comprehensive printing security
solution on the market, offering effective
policy management.6 Reduce cost and
resources to maintain fleet security by using
automated monitoring and HP Instant-on
Security, which automatically configures new
devices. HP JetAdvantage Security Manager
also provides efficient fleet management of
unique identity certificates.

Monitor for risks and maintain compliance.
Get all of the details at a glance with
software or services that let you track
compliance to your security policies and
supply audit reporting. Accurate data
allows you to zero in on vulnerabilities and
unnecessary usage. With integration into
industry-leading Security Information and
Event Management (SIEM) tools such as HP
ArcSight® and Splunk®, IT can easily view
printer endpoints as part of the broader IT
ecosystem to take corrective actions.

Get the help you need from the experts at HP.
HP Secure Managed Print Services can do it
all, from delivering a full-service, no-hassle
solution to developing a customized strategy
to help resolve the imaging and printing
security areas you specify.

Keep your guard up.
Every day can bring a new challenge in the
security world, and with endpoints like printers
proliferating constantly, the challenge of
keeping them secure can seem overwhelming.
However, with a little forethought and
preparation, you can keep your printers
secure and the bad actors guessing.

About Insight
From business and government organizations to healthcare and educational institutions,
Insight empowers clients with Intelligent Technology Solutions™ to realize their goals.
We provide the guidance and expertise needed to select, implement and manage
complex technology solutions to drive business outcomes.

1 Ponemon Institute, “Annual Global IT Security Benchmark Tracking Study,” March 2015.
2 Help Net Security, “Why enterprise security priorities don’t address the most serious threats,” July 2015.
3 Ponemon Institute, “2015 Global Cost of Cyber Crime Study,” October 2015.
4 Based on HP review of 2015 published embedded security features of competitive in-class printers. Only HP offers a combination of security features for integrity checking down to the BIOS with self-healing capabilities. A FutureSmart service pack update may be required to activate security features. Some features will be made available as an HP FutureSmart service pack update on selected existing Enterprise printer models. For a list of compatible products, see hp.com/go/ljcompatibility. For more information, visit hp.com/go/printersecurityclaims.
5 Solutions may not be supported in all HP devices; solutions may require additional purchase.
6 HP JetAdvantage Security Manager must be purchased separately. To learn more, please visit hp.com/go/securitymanager. Competitive claim based on HP internal research on competitor offerings (Device Security Comparison, January 2015) and Solutions Report on HP JetAdvantage Security Manager 2.1 from Buyers Laboratory LLC, February 2015.
To learn more, call 1.800.INSIGHT or visit insight.com.