Written by Jeff Man, Paul’s Security Weekly co-host and information security curmudgeon. Watch Jeff’s technical segment on Paul’s Security Weekly about his trip:

Recently, HP Print Security hosted a “Blogger Open House” for a select group of industry bloggers at the HP Customer Welcome Center in Palo Alto, CA. According to HP, the goal of the day was “to provoke online discussion amongst experts[…]and their audiences, in order to gain greater exposure for HP’s print security solutions and related success stories”. I was available to make the trip, so I gladly accepted the invitation to attend on behalf of Paul’s Security Weekly.

The expectation for the bloggers who agreed to attend this event was that we would actively participate, ask questions, be skeptical, provide both positive and negative feedback, and take what we learned back to our audiences, not only to inform them but to engage in an ongoing dialog about HP’s security efforts.

My initial thought after accepting the invitation to attend was that the Internet of Things (IoT) has been an ongoing topic on our podcasts lately, and network printers could easily be considered to be the original IoT device (a “Grandfather of IoT” of sorts). Not only was I eager to see what HP was doing in the area of print security; I was also looking for any guidance or principles that could be applied to our ongoing discussions about the security of IoT.

A Little History

We started with a welcome reception the night before the event at the “HP Garage” (which I confess I had never heard of before). We were treated to a little bit of modern history, as the HP Garage is credited as being the birthplace of “Silicon Valley”. We learned about the founders, Bill Hewlett and Dave Packard, and received a tour of the house. The company dates back to the 1930s, and the first commercially successful product they sold was an audio oscillator. Their first customer was Walt Disney, who used the oscillators during the production of Fantasia.

The tour guides shared that most people’s first memory of Hewlett-Packard is using scientific calculators from the 1970s (guilty), but HP has a long history of product innovations and patents, which include printers.

We were also given a glimpse into the values and corporate culture that the founders built into the company, which actually helps to explain why HP would take such an interest in print security, and be so committed to spreading the word with a group of industry bloggers.

Tech Day

The day began with an introduction by several HP executives who spent some time discussing the history of network printers, the challenges of building security into printers, and some of the efforts HP has made to promote printer security, as well as provide a secure printer to its enterprise customer base.

The point made very early on, which I believe set the tone for the entire day, was that HP feels it has an obligation to provide both a secure product to its customers and printer security awareness training in the areas of shared responsibility (what HP can do, but what the customer must also do); user awareness (spreading the word to all employees); and knowledge transfer (the risks and pitfalls of attaching a multi-function printer to the enterprise network). I thought this was the first key takeaway for the hidden agenda of making recommendations for the security of IoT – vendors need to feel an obligation to produce a secure product.

Raising Print Security Awareness

There was a presentation given by the marketing team about past and present campaigns promoting both printer security and printer security awareness to its customers. They were very thorough in their description of all the ways that a printer might be compromised, and rigorously discussed the nature of the vulnerabilities and risks associated with printing and imaging technology being deployed on the network. One of the key points they tried to make us and their customers understand is that the printer is, effectively, an endpoint on your network (there’s that IoT overlap again!).

Figure 1: HP Print Security Imaging and Printing Vulnerability Points
The details of all the vulnerable points of network printing were quite overwhelming, especially since the focus was almost entirely on printer security. They touched on the three classic elements of data security – on the security of “print data” (confidentiality) before and after it is printed; protecting the data from being altered or modified before it is printed (integrity); and keeping the printer online and functioning properly (availability).

An interesting statistic that they cited, which speaks to the complexity of the problem of printer security, is that one of their largest customers manages nearly 47,000 printers worldwide. They added that statistically, HP’s customers typically deploy one printer for every ten employees. I kept thinking, “This is just the printer, what about everything else on your network?”

There was some discussion about how the recommendations and best practices they had incorporated into their awareness briefings and practice guidelines are all consistent with regulatory and industry compliance standards, such as the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), the NIST Cybersecurity Framework (CSF), and the ISO 27000 family of standards. They also confirmed that none of these industry standards or frameworks call out any specifics about printer security, so the user has to infer that the requirements include printers.

Hearing all of this, I found myself empathizing with all the customers I have had over the years that don’t really want to think about or deal with security; they just want a secure solution that works. There are certainly many companies that, for various reasons, don’t have the skills or personnel to make sure their printers are secure, but still need a secure printer that can be deployed in their network and maintain an adequate level of security.

The marketing folks acknowledged that their messaging had perhaps been a little overwhelming, and was not proving to be very successful. Another IoT lesson – how do you make the end user/consumer properly educated and aware of the secure use of technology, covering not only the intended usage but also the ways in which the technology can be exploited?

Selling a Secure Printer

The next set of presentations gave us an introduction to the challenges and efforts to produce a secure printer for HP enterprise customers and an overview of what HP is building into their printers to achieve their stated goal of “cyber resilience”.

They summarized the challenges of printer security rather well, and this seems to be a good list for IoT devices as well:

• Port Security – what services are listening and/or responding to network traffic
• Configuration Settings – default settings/passwords, enabled/available services
• Firmware Updates – patching, security/bug fixes, restoring a clean copy

We learned about how HP is addressing these challenges through technology that is built into the printers themselves. They did acknowledge that these security features are only available for their larger, enterprise-capable printers and not consumer printers, and there is a cost associated with the features (though we did not discuss price points at all).

The approach that HP has taken with their print security initiative is to try to create a printer that fits into the philosophy of “cyber resilience”, which was described to us as the ability for systems (and networks) to withstand or recover from deliberate attacks and accidents. To accomplish their goal of cyber resilience, they have developed a framework for printer security that focuses on five key areas that they have identified:

1. Secure Boot Process
2. Firmware Code Integrity
3. Run-Time Intrusion Detection
4. Continuous Assurance of Security Policy Settings
5. Real-Time Threat Detection and Analytics

To meet these security goals, HP has enabled components like encrypted hard drives to protect data while it is stored in the printer, the ability to transmit/receive print data over encrypted channels such as IPSec and TLS, whitelisting to enable trusted operation of embedded firmware/software, and built-in intrusion detection that monitors the printer itself against malicious attacks. These features are illustrated in the following diagram:

Figure 2: HP Jet Advantage Security Manager

Interestingly, the HP presenter commented that “this is what IoT should be doing” as they described how their printers can provide self-identification of issues and self-healing from all sorts of malicious activities.
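As an added illustration (example code, not HP’s software or anything demonstrated at the event), the check below audits a per-printer configuration snapshot against a baseline that covers the three challenge areas listed above (listening services, configuration settings, firmware currency) and the “continuous assurance of security policy settings” goal: legacy services such as telnet and FTP, factory-default administrator credentials, storage and print-path encryption, and a minimum firmware version. The field names, the policy values, and the snapshots are constructed assumptions for this example; a real deployment would populate the snapshots from whatever management interface the fleet exposes.

```python
"""Added example, not HP code: policy-drift audit for a printer fleet.
All field names, policy values and device snapshots are constructed."""

# Cleartext or legacy protocols a networked printer should not expose.
FORBIDDEN_SERVICES = {"telnet", "ftp", "snmpv1", "snmpv2c", "http"}

# Baseline policy; values are assumptions for the example, not HP defaults.
BASELINE = {
    "allowed_services": {"https", "ipps", "snmpv3", "ldaps"},
    "min_firmware": "2.4.1",
    "require_disk_encryption": True,
    "require_admin_password_changed": True,
    "require_encrypted_print_path": True,  # IPsec or TLS for print data
}


def parse_version(text):
    """Turn 'major.minor.patch' into a comparable tuple; None if malformed."""
    try:
        parts = tuple(int(p) for p in text.strip().split("."))
    except (AttributeError, ValueError):
        return None
    return parts or None


def audit_printer(config, policy=BASELINE):
    """Compare one printer's snapshot with the policy; return a list of findings.
    An empty list means the printer is compliant. Missing fields fail closed."""
    findings = []
    services = {s.lower() for s in config.get("listening_services", [])}

    # 1. Port security: no legacy protocols, nothing outside the allow-list.
    for svc in sorted(services & FORBIDDEN_SERVICES):
        findings.append(f"legacy service enabled: {svc}")
    for svc in sorted(services - policy["allowed_services"] - FORBIDDEN_SERVICES):
        findings.append(f"unexpected service listening: {svc}")

    # 2. Configuration settings: default credentials and data protection.
    if policy["require_admin_password_changed"] and config.get("admin_password_is_default", True):
        findings.append("administrator password is still the factory default")
    if policy["require_disk_encryption"] and not config.get("disk_encrypted", False):
        findings.append("internal storage is not encrypted")
    if policy["require_encrypted_print_path"] and not (config.get("ipsec") or config.get("tls_print")):
        findings.append("print data path is not encrypted (neither IPsec nor TLS)")

    # 3. Firmware currency: an unreadable version is a finding, not a pass.
    current = parse_version(config.get("firmware"))
    minimum = parse_version(policy["min_firmware"])
    if current is None:
        findings.append(f"firmware version unreadable: {config.get('firmware')!r}")
    elif current < minimum:
        findings.append(f"firmware {config['firmware']} is below minimum {policy['min_firmware']}")
    return findings


def audit_fleet(snapshots, policy=BASELINE):
    """Audit many printers at once; returns {printer_name: findings}."""
    return {name: audit_printer(cfg, policy) for name, cfg in snapshots.items()}


# Constructed snapshots of three hypothetical printers (not real devices).
SAMPLE_SNAPSHOTS = {
    "prn-finance-01": {
        "listening_services": ["https", "ipps", "snmpv3"],
        "admin_password_is_default": False,
        "disk_encrypted": True,
        "ipsec": True,
        "firmware": "2.4.3",
    },
    "prn-lobby-02": {
        "listening_services": ["https", "ipps", "telnet", "ftp", "snmpv1"],
        "admin_password_is_default": True,
        "disk_encrypted": True,
        "tls_print": True,
        "firmware": "2.3.9",
    },
    "prn-lab-03": {
        "listening_services": ["https", "ipps", "rawprint9100"],
        "admin_password_is_default": False,
        "disk_encrypted": False,
        "firmware": "unknown",
    },
}

if __name__ == "__main__":
    for name, findings in audit_fleet(SAMPLE_SNAPSHOTS).items():
        print(f"{name}: {'compliant' if not findings else str(len(findings)) + ' finding(s)'}")
        for finding in findings:
            print(f"  - {finding}")
```

Two design choices are worth noting. Missing fields are treated as failures (an absent `admin_password_is_default` counts as default, an absent `disk_encrypted` counts as unencrypted), so an incomplete snapshot cannot silently pass. A firmware string that does not parse is reported rather than skipped, which is the kind of case a scheduled “continuous assurance” job needs to surface instead of swallowing.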

Feedback

HP has taken some impressive actions to provide built-in security for their printers that address many of the major threats and risks associated with deploying printers on an enterprise network. HP has honored its obligation to provide secure printing technology to its customers, and has done a great job tackling the technical security issues that they are able to address while building an awareness/educational program around the practice of printer security by the end user.

Several questions/issues were raised during our discussions. HP had responses for most of the queries, but also acknowledged that they had some restrictions to what they could provide based on business requirements.

Someone asked the basic question, “Why, in 2017, do you still ship printers with insecure protocols like telnet or FTP?” (Note: these are disabled in default, out-of-the-box configurations.) The response touched on one of the classic problems of technology, which is the trade-off between securing systems out of the box and the overwhelming demand from customers to be able to plug in these systems and have them work immediately. The official explanation was a combination of “our customers want the printers to work” and the need for backward compatibility.

During the discussion of how HP print security measures up to the major regulatory/industry compliance standards, it was acknowledged that there is very little specific guidance directed toward printer security itself. There might be a benefit to speaking with the various standards groups to promote the idea that specific printer security requirements be developed and included in the various compliance standards.

While there was certainly an acknowledgment of the printer as an IoT device, there was no mention of any efforts being made to influence any governmental strategy or direction concerning the production of IoT devices by vendors. There was also no indication of any government-driven standards in the areas of best practices from a distributor, managed provider, or even a consumer perspective.

HP mentioned that they have security built into their development process and stated that they self-check, do their own vulnerability scanning, and conduct their own internal security and penetration testing. This is a great practice, and should be part of any IoT vendor’s product development life cycle, but a best practice would be to have independent third-party security testing performed by a respected security-industry specialist.

Parting Thoughts

HP is doing great things, not only in terms of research & development for new printing technologies (think 3D printing), but also in terms of trying to create a secure printer platform. The Tech Day was a tremendous success in terms of sharing HP’s history, vision, and security solutions, as well as giving a glimpse into the future. Many thanks to HP for hosting this event and allowing a bunch of tech/security bloggers to take a deep dive into what they are trying to accomplish.

For more information, visit the HP Secure Printing website at hp.com/go/reinventsecurity.

About the author

Jeff Man is a respected Information Security expert, advisor, speaker, teacher, advocate, and curmudgeon. He has over 33 years of experience working in all aspects of computer, network, and information security, including risk management, vulnerability analysis, compliance assessment, forensic analysis and penetration testing. He has held security research, management and product development roles with NSA, the DoD and private-sector enterprises and was part of the first penetration testing "red team" at NSA. For the past twenty years, he has been a pen tester, security architect, consultant, QSA, and PCI SME, providing consulting and advisory services to many of the nation's best known companies.