Channel Chat: Securing the Office
on Thursday, June 07, 2018
When it comes to industry hot topics, some things come and go, but security is very likely here to stay. What do the experts think is important in today’s fraught environment?
Is the MFP truly a threat to an organization’s security, or is it overblown hype?
Phil Boatman: The MFP is a connected device with full processing capability, hard disk and access to your corporate network. The majority of the time these devices are connected with limited to no security for physical access or network access. Would you allow any other peripheral on the network without at least having someone authenticate by sending an email? One of the most overlooked issues of MFPs is outdated firmware. All manufacturers periodically provide firmware and security updates for devices. In our studies, a large number of MFPs are connected to the customer infrastructure and never updated from out-of-box firmware. Recent security patches including Meltdown and Spectre cannot protect organizations that do not download the new firmware.
Todd Croteau: The MFP is an endpoint device and therefore it is vulnerable to an attack from inside the firewall. From the network perspective the device is somewhat a risk point; however, this is more hype than reality.
The significant risk is posed by any unprotected personally identifiable information (PII) or confidential data that may remain on the MFP’s hard drive during the life of the MFP, while it is active within the client’s network, and especially at the end of life or at the end of a lease contract. Hence, we recommend to our clients that the MFP’s hard drive is either sanitized or replaced at end of life.
Vince Jannelli: External, malicious attempts to gain unauthorized access to networks leverage even the smallest vulnerability to gain increasing levels of access. These threats extend to the MFPs that are commonly used in any organization. Weakness in these network systems can expose network information, such as network resource addresses and naming conventions, username credentials and even latent image data that can be leveraged for Denial-of-Service (DoS), phishing or even virus attacks onto the network.
We need to also consider insider breaches. Keeping in mind that these network devices are typically located in common areas, they are easily accessible by employees, contract workers and maintenance staff alike. If so inclined, any of these individuals could access detailed network information should the devices not be fully protected. On a more mundane level, in the everyday use of the MFP, confidential information could be accidentally left on the output tray, where it could be easily copied, emailed or faxed without authorization.
How do you educate your clients on security best practices?
Boatman: We have a variety of methods of educating our clients on security best practices. Lexmark’s Secure Software Development Lifecycle details our development training and practices for developing secure firmware and software. Our on-staff global principal security consultant leads a team of secure subject matter experts to perform security assessments and best practice recommendations. In addition, we publish white papers on our security settings and offer a checklist to our customers to ensure proper practices are implemented. Our customers may also access training, webinars, customer success stories and how-to guides.
Croteau: Security best practices are built upon our portfolio, which includes hard drive protection services, network protection services, user authentication, audit trail enablement, etc. It is included in every MFP sale — the customer can opt out if they don’t want it, but most choose to keep it.
We provide comprehensive MFP security guides for our clients as well as security white papers, vulnerability statements, security checklists (best practices), YouTube videos and PowerPoint slides with voice over. We also recommend various ways to enable secure printing within their organizations.
Jannelli: This is an ongoing process. We start by talking about the different types of threats and the type of employee behaviors that can increase their vulnerability to those threats. Then we discuss the steps that can be taken to mitigate those threats. We do this with a mix of information, both from a general educational perspective and a technology perspective.
For IT services customers, we regularly generate reports on the state of client systems, letting our customers know of any potential problems that fall outside safe parameters of our managed IT services. With these comprehensive assessments, clients will always have the best information for choosing the most effective options.
From an MFP perspective, we offer our customers best practices on how to mitigate the security risk throughout the device’s lifecycle, including at the end of lease. We do this through a layered approach from both a device and a fleet-based perspective. We cover authentication, access control, network configuration, malware protection, password and firmware management. Additionally, we provide an audit trail of activity and address print, email, mobile, fax and data security.
Gus Malezis: At Imprivata [which focuses on healthcare IT] we believe that cybersecurity best practices start, and continue, with 1) cybersecurity education, 2) an effective architecture and 3) continuous structured operations and response.
Every user in the healthcare enterprise should have a basic level of understanding of the types of cyber threats that exist and should recognize that security education is a key element in preparing healthcare enterprises for attacks. We recommend that our clients undertake internal education campaigns, including circulating fake phishing emails asking users to enter passwords and other personal information. In one client hospital, IT periodically collects names of every user who fell for a fake phishing attack and requires them to take a security refresher course. While this targeted approach is helpful, it’s also important to recognize that a truly successful education campaign must be multifaceted, hitting all users in the healthcare enterprise on a regular basis.
We also align and offer direction on cybersecurity architecture, mostly aligned with the SANS 20 security controls, the NIST cybersecurity framework and ISO 27001/2 cybersecurity architectures.
Mac McMillan: We do it through an integrated combination of our interactive workshops, advisory services, educational events we sponsor each year and thought leadership through writing. Education is not something gained once and retained, nor is it ever static in cybersecurity. The landscape is constantly changing. The technology evolves, the threats change, the environment shifts, generations of users respond differently to their technology, etc., etc., etc. If you are not continuously sharing new ideas, new knowledge, new applications of tried and true principles with your clients, then you are failing them. We have our interactive workshops after every engagement to make sure our clients understand our deliverables and can associate best practices with our recommendations. We are continuously available to our clients for advisory requests. We participate in nearly 100 regional healthcare-related cyber/privacy-focused educational events around the country and participate in many other national conferences. And finally, we write or publish more than 600 articles, blogs, and interviews in healthcare periodicals a year. Information is something you are either committed to sharing or you are not.
Don Meyer: Education around cybersecurity best practices is an ongoing process. Emerging and innovative technologies are revolutionizing modern IT networks and ushering in new eras of business agility and process efficiency, but they can and often do increase risks from cyber threats. However, technology is just one component of the overall security puzzle; security is an alignment of people, processes and technology all working together to mitigate risk. When any one of those areas is compromised, the entire security posture of an organization is at risk. As such, education is a critical component that we pay close attention to.
We’ve amassed a tremendous amount of knowledge of not only the latest trends in IT networking but also how the threat landscape and the threat actors have been evolving as well. This unique point of view drives our product roadmap and keeps our finger firmly on the pulse of the most relevant issues and challenges customers face as their networks evolve. We utilize this knowledge and our ongoing research of emerging threats and new threat vectors in a variety of ways to provide relevant and actionable information to our clients; from classroom hands-on training to online certification courses, customer and industry events, regional hack-a-thons, webinars, videos, blogs and more.
Greg VanDeWalker: We publish best practices in our "Island of Truth," along with email marketing blasts and quarterly webinars. We also have a section of our website that is dedicated to our security offering that we use to further educate our customers.
What are some of the new security challenges that come with the ever-increasing amounts of data – both structured and unstructured – that are being collected and stored by companies?
Boatman: Data is everywhere in the workplace. Whether it is printed information that needs to be scanned into digital, or digital data that needs to be printed for processing, the challenges revolve around placing controls on access to this information without making it inaccessible or unusable. Mobile access, remote workers, and even new policies such as GDPR are causing churn in areas that were previously thought to be secure and off limits.
With specific regard to SMBs, independent dealers must proactively consider how to best educate their customers, who may have high turnover, less secure environments, or may not readily understand all the threats that abound.
Croteau: With the proliferation of MFP scanning and the never-ending volume of faxes that are transmitted from and received by MFPs, now more than ever, our clients require solutions to capture and manage unstructured data. It is also equally important that our clients protect the vast amounts of unstructured data that are being generated within their environments.
From the MFP and document side, we are offering several solutions that address this challenge. We offer various ECM solutions for capture, storage and retrieval, as well as intelligent and secure scanning, and platforms that offer the ultimate elimination of unsecure and costly analog fax systems.
Malezis: The rapid expansion of 1) cloud apps, 2) availability and ubiquity of mobile devices and 3) desire or need to access info from any place anytime have all introduced new challenges for information security and data protection and privacy. As healthcare becomes more mobile and users across the enterprise bring work home, they are using USBs and mobile phones to move sensitive patient data and patient identifiers in and out of their hospitals’ networks. Today, users access hospital systems on personal devices from anywhere in the world with an internet connection. In many cases, these personal devices aren’t secure, and any data accessed or contained on them can be accessed by third parties if the devices are lost, stolen or breached by a hacker. Healthcare IT leaders need to take steps to minimize the security risks created by portable drives, peripheral devices and anything that can sync to the cloud. Healthcare security leaders are locking down these devices with encryption and two-factor authentication for remote access, but much work remains to be done to keep up with this growing challenge.
Meyer: The biggest challenge stemming from ever-increasing amounts of data is the potential for massive data breaches on a scale we have yet to witness. Now a breach or hack into these Big Data warehouses can potentially expose hundreds of millions of records, affecting greater numbers of individuals and organizations alike. At the same time, structured and unstructured data are all finding their way onto the cloud as organizations look to leverage the elastic scale and economic benefits of both compute and storage in multitenant cloud environments. As such, a great deal of attention is being paid by the “bad guys” to cloud environments, especially since the cloud is a shared security responsibility between cloud customers and the cloud service providers (CSPs). Oftentimes this shared model is confusing to implement, which leaves cloud environments exposed and unprotected.
Mobile devices are another interesting challenge as they are increasingly accessing more and more of this data for both business and personal use. Securing mobile devices is somewhat of an afterthought for most organizations – and the research we’ve conducted around threats targeting mobile devices, networks and applications really brings this issue to light. Since mobile security isn’t a top priority in most organizations, coupled with the fact that more mobile devices are making their way onto corporate networks and accessing corporate data, enterprise mobility will be a huge area of interest for bad actors and an ever-growing challenge for organizations. What’s more, the sheer volume of increasingly network-enabled devices contributing to these large amounts of data is also an interesting area of challenge, since many of these devices utilize vulnerable chipsets and are not “security hardened,” providing a handy exploit avenue for hackers to either infiltrate an organization or recruit the device into a massive bot-net for wreaking further havoc.
VanDeWalker: Systems are so intertwined, with everyone wanting access to data from anywhere. Standards must be put in place. Firewalls and anti-virus are the low-hanging fruit. Today, Master Security Service Providers (MSSP) need to be providing Unified Threat Management (UTM) solutions with intrusion detection systems and intrusion protection systems, two-factor authentication, security information and event management and a true rollback disaster recovery solution to stay in the game.
Do you currently offer vulnerability testing to your clients? If so, what are you seeing?
Boatman: We perform internal vulnerability testing on our devices and software. On the client side, our security experts perform audits and reviews to analyze customer fleets. It’s not uncommon to see older device fleets, out-of-date firmware or unrestricted ports. We know that a majority of devices are installed and never configured in a locked down method. Incorporating an output device lifecycle that includes device updates, firmware updates, and basic security settings allows for a much more secure environment.
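The fleet findings described above (out-of-box firmware never updated, unrestricted ports) are the kind of thing a simple inventory check can surface before an auditor does. The following is an added example, not Lexmark's tooling or anything from the interview: it audits a constructed MFP inventory against a per-model firmware baseline and a port allow-list. The model names, version strings, hostnames and the allowed-port policy (HTTPS admin console and IPP over TLS only) are all assumptions made for the example.

```python
"""Fleet audit helper (added example; all inventory data below is constructed).

Flags two of the common findings named in the text:
  * firmware older than the vendor's current release for that model
  * listening ports outside the organisation's allow-list
"""
import re
from dataclasses import dataclass, field

# Assumed baseline: latest vendor firmware per model (placeholder models/versions).
CURRENT_FIRMWARE = {
    "MX-Series": (4, 2, 1),
    "CX-Series": (3, 7, 0),
}

# Assumed lock-down policy: only the HTTPS admin console and IPP-over-TLS
# are expected; raw print (9100), FTP (21), telnet (23), plain HTTP (80)
# all count as "unrestricted ports".
ALLOWED_PORTS = {443, 631}


@dataclass
class Device:
    hostname: str
    model: str
    firmware: str
    open_ports: set = field(default_factory=set)


def parse_version(text):
    """Turn '4.2.1' (or '4.2.1-rc2') into a comparable tuple of ints.

    Returns None when the string carries no numeric components at all,
    so callers can flag it instead of silently treating it as up to date.
    """
    parts = re.findall(r"\d+", text)
    return tuple(int(p) for p in parts) if parts else None


def audit_device(dev):
    """Return a list of human-readable findings for one device (empty = clean)."""
    findings = []
    latest = CURRENT_FIRMWARE.get(dev.model)
    installed = parse_version(dev.firmware)
    if latest is None:
        findings.append(f"unknown model {dev.model!r}: no firmware baseline")
    elif installed is None:
        findings.append(f"unparseable firmware string {dev.firmware!r}")
    elif installed < latest:
        latest_str = ".".join(str(n) for n in latest)
        findings.append(f"firmware {dev.firmware} behind current {latest_str}")
    extra = dev.open_ports - ALLOWED_PORTS
    if extra:
        findings.append(f"unrestricted ports: {sorted(extra)}")
    return findings


def audit_fleet(devices):
    """Map hostname -> findings, keeping only devices that have at least one."""
    report = {}
    for dev in devices:
        findings = audit_device(dev)
        if findings:
            report[dev.hostname] = findings
    return report


# Constructed sample inventory (hostnames, versions and ports are made up).
SAMPLE_FLEET = [
    Device("mfp-lobby-01", "MX-Series", "4.2.1", {443, 631}),          # clean
    Device("mfp-hr-02", "MX-Series", "3.9.0", {443, 631, 9100, 21}),   # old fw + ports
    Device("mfp-lab-03", "CX-Series", "3.7.0", {443, 631, 23}),        # telnet open
    Device("mfp-old-04", "ZZ-Legacy", "1.0.0", {80, 9100}),            # no baseline
    Device("mfp-rnd-05", "CX-Series", "beta", {443}),                  # bad version
]

if __name__ == "__main__":
    for host, findings in audit_fleet(SAMPLE_FLEET).items():
        print(host)
        for finding in findings:
            print("  -", finding)
```

The baseline table is the piece that has to be maintained: it should track the vendor's published firmware releases, and a device whose model is not in the table is reported rather than skipped, because an unlisted model usually means an unmanaged one.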
Croteau: MFP penetration testing is part of our ISO 15408 Common Criteria Certification. The certification reports are available publicly. We also offer penetration testing for our clients’ network infrastructure as part of a vulnerability assessment. The penetration tests are available on a regularly scheduled basis. We also provide comprehensive HIPAA assessments.
Jannelli: Yes, we offer vulnerability testing as part of our managed IT services offering, which is designed to support and protect the entire office environment; e.g. network, peripheral, mobile and workflow. Our broad-based assessment process provides a comprehensive evaluation of the office environment. After every assessment, clients are provided a thorough report identifying any discovered weaknesses and a proposed resolution plan. Our top priority is to deliver a strategy for securing the entire office environment and provide ongoing monitoring/support for our clients.
McMillan: We do and have since day one in 2004. Unfortunately, what we see are many of the things that lead to incidents. Misconfigured systems, poor patching processes, risky services running, obsolete operating systems, shadow software and devices on the network, etc. – the things that hackers and cybercriminals look for and that malware preys on to exploit a network. There are many reasons for all of these things – legacy applications or systems that cannot be updated, devices that are inherently insecure from the manufacturer, lack of resources to apply to the problem, an operational tempo that does not support proper administration and maintenance. Regardless of the reason or the issue, it all means greater opportunity for bad guys and risk.
Meyer: Yes – we offer our clients a “Security Check Up” that is a passive tool that looks for policy exposed threat vectors and exploits targeting customer networks, endpoints, cloud environments and mobile devices. We see everything from known threats affecting easily preventable exploits to the latest phishing attempts, browser exploits, data leakage, zero-day attacks and more. In many cases, we also help organizations identify and get a better handle on “shadow IT” environments operating within their network to plug these potential security gaps before they can be exploited as well.
VanDeWalker: Yes, we do currently offer both Vulnerability (VUL) and Penetration (PEN) testing. We are seeing very few VUL/PEN issues in our UTMs, with the Line of Business (LOB) applications being the major weak link in the chain.
We’ve learned that a lot of the recent major breaches occurred because systems were not patched. How do you ensure that your clients are keeping their software and systems current?
Croteau: From the MFP and document solutions side we constantly monitor the US-CERT government website (https://www.us-cert.gov/) to see if any published vulnerabilities could affect our MFPs or document-based applications. If we determine that there might be a risk, we would issue a service bulletin to our service providers with instructions on how to mitigate the risk. If deemed necessary, we would create a firmware update (or a software patch) and issue a service bulletin with instructions on how to download and install it. The most recent examples include Meltdown and Spectre and the SMBv1 vulnerability.
Meyer: Our approach is to build a layer of protection on top of tools like patch management systems, to help organizations build a robust set of protections to keep their data and systems secure from even the most sophisticated attacks. As such, our security architecture leverages the latest common vulnerabilities and exposures (CVEs) data, with regular vendor patch updates and real-time threat intelligence gathered from over 100,000 customer deployed solutions around the globe. This data is then fed into all of our products to ensure that even if a customer has not yet patched a given system, our protection profiles can prevent exploit payloads from reaching their intended targets.
Who do you think is the more dangerous threat to network security – insiders or outsiders?
Jannelli: This is a great question because it highlights that technology alone cannot secure a business’ IT infrastructure and digital content. Processes that drive internal user behavior are also key.
A word of caution is that the internal policies can’t be so restrictive that they hamper productivity, otherwise they will simply be ignored. In a recent survey, we found that employees often disregard corporate policies in favor of increased productivity. For example, 41 percent of employees use their own device at work because it is easier to use and 24 percent of workers store information on the public cloud even though they are not permitted to do so.
Malezis: While insider activity cannot, and should not, be ignored, the pace and volume of risk activity that is highest relates primarily to external actor(s). When you consider the scenarios that lead to a cyber hit, they almost always involve insider error. Phishing and malware will always be pushed on users – it’s the insider who actually opens the door. Inevitably, it’s inside users who are going to click on a bad phishing link, and you can’t completely prevent this user behavior. The question becomes, what can you do to minimize the infestation and impact? If you know that too many users have admin privileges, how do you limit privileges? If you have too many unsecure endpoints, how do you remove them? The best approach is to be prepared to go down, but, more importantly, plan to recover and resume business as quickly as possible if and when that happens. When it comes to these types of cyberattacks, patching alone doesn’t stop the problem, it only stops the propagation of the malware. Why? Because the real source of the problem isn’t the systems, it’s the users who initially downloaded them onto their computers.
McMillan: In healthcare, it’s a balance. We still have far too much criminal and inappropriate behavior by insiders that leads to embarrassing and costly situations for our hospitals. But, in the last couple of years, the external threats have mounted a serious threat to these organizations, particularly those that disrupt operations or medical support activities. Unfortunately, we have seen more and more of these disruptive-type attacks that have cost healthcare millions and undermined public confidence in an organization’s ability to protect their information. Many hospitals deal with smaller outages and incidents on a regular basis now, which constantly erode valuable dollars through reaction and recovery costs.
Meyer: Insiders and outsiders each pose credible threats to an organization’s cybersecurity posture and thus a defense-in-depth approach that takes into account and enforces desired behavioral characteristics as well as seeks to prevent malicious outsiders from gaining a foothold is essential to combating today’s cyber threats.
VanDeWalker: Insiders. We can monitor, manage and control outsiders’ ability to access our trusted networks. But it is much more difficult to control user behavior.
What should be the goal of any organization when it comes to information security?
Boatman: The goal of information security should be to protect the information regardless of its content. If we treated every piece of paper that was printed or scanned as if it held the most confidential information about your company, those processes would be the standard practice. This would allow companies to manage information security as the rule and not the exception, which requires a comprehensive discussion around security including the devices themselves, the data being processed, and the network to which they are connected.
Croteau: A comprehensive end-to-end policy which protects essential assets, endpoints, perimeter, BYOD, authentication, print, fax, documents and yes, even paper. End-user education is critical.
Malezis: We recommend that our clients focus on resilience and rapid recovery as primary information security goals. Ransomware and other attacks are going to happen, so organizations should think beyond their perimeter. At some point, a cyberattack will get through, and you will be impacted. So, if you recognize the reality that your systems are going to get compromised, how do you build resiliency around your users? That is a key goal when it comes to information security. Both as individual organizations and as a healthcare industry, we must focus beyond keeping the bad guys out – we also have to focus on keeping our systems running.
McMillan: Balance. You still have to balance the mission of the organization and the cost of security, which is not just dollars, but can also be operational and workflow impacts. All organizations need to be more vigilant today and recognize that investing in cybersecurity is not just a cost, but is a real cost avoidance measure. It’s not if you are going to experience a cyber event, it’s when, and when it occurs, it will cost. The more prepared you are to meet it, the less it will cost.
VanDeWalker: Prepare for the worst and hope for the best. When the worst happens, know that your data is safe and secure off-site, with the ability to roll back to an image of your systems before the worst hit. In addition, we recommend all companies implement user security training to educate their employees on best practices and operating procedures around security.