Black Hat 2017: Michael Howard talks sheep, hackers, and urgency

August 11, 2017 | 5 Minute Read

Does your organization have a target on its back? Chances are, it does—and you’d be right to feel concerned. According to Info Security Group, security breaches increased a whopping 40 percent in 2016. Between Petya, WannaCry, and the recent news shared at Black Hat 2017 that hackers can install a deadly exploit on the software used to power your local car wash, 2017 is shaping up to be the scariest year for information security to date.

But it’s not impossible to stay one step ahead of evolving threats. In a Black Hat briefing, HP’s chief security advisor, Michael Howard, shared just how much risk exposure organizations are facing—and why we’re not helpless in the face of today’s most common security threats.

Fact: Your endpoints are targets

Analysts project that by 2020, there will be more than 25 billion connected devices powering businesses. This includes everything from smart lighting and printers to mobile devices, thermostats, and maybe even your break room fridge. While your organization might consider employee laptops and mobile devices as pieces of your endpoint strategy, way too many of us fail to recognize that connected “things,” like printers and routers, are also endpoints. They may look innocent, but botnet armies—like the one used in the DDoS attack dubbed “Mirai Dyn”—are primarily comprised of connected “things.”

At least 70 percent of today’s successful data breaches originate from endpoints. Hackers worm themselves into a company’s network by manipulating human error, like sending a phishing email or convincing someone to release their password over the phone during a verbal phishing attack. But breaches may also originate from connected endpoints, like a router or printer that’s completely unsecured and susceptible to attacks.

Fact: Printer hacks are nothing new

If you build technology, the hackers will come. While print technology is rapidly evolving to incorporate super-cool factors, like the ability to self-heal, print pizza, or create new parts for the International Space Station, it’s still been around for a long time. Howard reported that the earliest recorded incident of a known printer or copier hack was during the 1960s, when cameras were hidden for the purpose of Cold War espionage. Today, the volume of printer hacks has grown drastically; recent targets include the US Chamber of Commerce and Integra.

Fact: IT pros know printers are risky

In one of the more shocking revelations shared in Howard’s presentation at Black Hat, it turns out that IT pros actually do know that printers are security risks. IT pros are aware printers can expose protected information and sensitive data in a number of ways, including unauthorized access, the exposure of printed materials left on the tray, the possibility of remote access to the printer, and difficulty identifying with certainty if printers have been breached or not.

One recent study cited by Howard revealed that 64 percent of IT leaders reported that their printers were likely infected with malware. Despite the fact that today’s IT pros know that printers are smart and that connected devices are potential points of entry to their networks, Howard’s research uncovered that only 18 percent of IT pros are actively concerned about printer security—which is worrisome when you consider that 91 percent are worried that PCs pose security risks.

Fact: You aren’t doomed to be a sheep

If you aren’t aware of the risks associated with your printers, you’re at risk of becoming a doomed sheep—easy prey for the hacking wolves of the world. That said, there’s nothing inherently risky about print technology. Michael Howard shared a number of ways IT pros can secure their networks from wolves, including the following steps:

  1. Know what you’re working with. Today’s average multifunction printer has more than 200 functions and an intuitive operating system. Even scarier, the average organization may have one printer for every 10 employees. Teen-hacker-turned-good-guy Michael Calce (aka MafiaBoy) says that IT tends to go wrong when it comes to printers by looking at them as output devices that strictly print documents.
     There are risks in documents left on printer trays and in printer firmware that isn’t sufficiently secure, but Howard advises today’s IT teams to think holistically about all 200-plus functions of multifunction printing processes—everything from storage, mobile printing, BIOS, and beyond. Each of these attributes can be an attractive target to your hacker foes.
  2. Rethink secure printing. The goal of printer security shouldn’t be meeting the bare minimum compliance and regulatory requirements. While strong policies and management practices are better than average, the ultimate objective should be proactive management via smarter, self-healing technology and more effective employee education and security awareness programs.

That’s not all—if you want to learn more tips and tricks from Howard, check out the following video:

With great printers, comes great responsibility

The problem isn’t technology—it’s the way it’s used. Howard recommends that today’s organizations draw from compliance, smart print technology, and measurable goals to ensure their print technology isn’t the equivalent of sheep just lying in wait for a wolf attack. Inventorying your current print technology and policies surrounding printer use and creating better controls can be the first steps toward making sure you don’t ignore your organization’s potentially risky endpoints.

Today’s hackers are sophisticated. Briefing sessions at Black Hat 2017 and Defcon revealed a host of cutting-edge tactics, including the fact that hacking into US voting machines is as “easy as cutting soft cheese.” In the era of sophisticated wiperware and open source code to decrypt Skype talking sounds, you definitely don’t want to let your printer become your weakest link.

Continue the Black Hat 2017 journey on Tektonika with “Black Hat 2017: Chris Olson talks shadow IT and website security” and if you’re looking for some coverage of Black Hat’s shadier cousin, Defcon 2017, check out “Daniel Regalado schooled us on IoT cybersecurity at Defcon 2017!”
