Staying One Step Ahead of Evolving Threats

Post on 27-Jun-2020



ISSA CISO Summit

Washington, DC

Michael Howard

Chief Security Advisor and Practice Manager


Staying One Step Ahead of Evolving Threats

Risks and costs of unprotected IT environments…

• Cybercrime
  – 92% of Forbes Global 2000 companies report data breaches in the past year [1]

• Compliance infringement
  – Regulatory and legal noncompliance costs global organizations

• Internal threats
  – Nearly 65% of breaches are accidental, employee negligence or business process failures [2]

• Financial loss
  – Fines, loss of business, damaged reputation, and class-action lawsuits

$7.7M average cost to resolve a cyber-crime incident [2]

[1] Ponemon Institute, “Mega Trends in Cyber Security Expert Opinion Study,” May 2013.
[2] Ponemon Institute, “2015 Global Cost of a Data Breach Study,” October 2015.

©2016 HP, Inc. All rights reserved. | The information contained herein is subject to change without notice. | HP Confidential

25 BILLION “CONNECTED THINGS” BY 2020

The weakest link

40% more data breaches in 2016 (Identity Theft Resource Center; https://www.bloomberg.com/news/articles/2017-01-19/data-breaches-hit-record-in-2016-as-dnc-wendy-s-co-hacked)

AN UNPRECEDENTED AGE OF HACKING

EMEA PrintOn! 2017

• State Actors
• Crime as a service
• Hacktivist organisations
• Script Kiddies

PRINTER HACKS ARE NOT AN EXCEPTION

“I probe around for a multifunction printer and see that it is configured with default passwords. Great I am in” (The Hacker Playbook, Peter Kim)

“YES! We've compromised a number of companies using printers as our initial foothold, we move laterally from the printer, find Active Directory, query it with an account from the printer and bingo, we hit GOLD”

2011

2015

2016, April

More data

64% of IT report a likely printer malware infection; 60% had a printer data breach.

Ponemon Institute, “Insecurity of Network-Connected Printers,” October 2015.
Ponemon Institute, “Annual Global IT Security Benchmark Tracking Study,” March 2015.

ITDMs ARE AWARE OF PRINTER THREATS, BUT FEW ARE TAKING ACTION

“IT professionals ignore printers in their endpoint security”

Only 18% of ITDMs are concerned about printer security, while 91% are concerned about PC security.

THE TIME TO BUILD A SENSE OF URGENCY IS NOW

• 134 different vulnerabilities, over 50 modules/attacks
• 250 different vulnerabilities, over 400 modules/attacks

THE FEATURES OF A MFP CARRY RISK

Vulnerabilities across device, data & document need to be managed:

• Mobile printing
• Input tray
• Storage media
• Capture management
• Output tray
• Network
• Control panel
• BIOS and firmware


SECURE THE DEVICE

All 500, 600 series enterprise products now include security features:

• HP Sure Start: keeps the BIOS safe
• Run-Time Intrusion Detection: keeps the memory safe
• HP JetAdvantage Security Manager: keeps the fleet secure
• Whitelisting: keeps the firmware safe

Security Drivers – Legal & Regulatory Compliance

Security Assessment Focus Areas:

• Logical Access
• Governance
• Physical Security
• Asset Management
• Security Configuration
• Data Security
• Patching & AV
• Log Management & Security Incident
• Build & Release
• Business Continuity
• Network Security
• Information Security
• Personal Security
• System Acquisition & Development
• Access Control

Security Assessment Baseline Score – Initial Assessment

Area                         No. of Controls   Yes   No   % Compliant
Asset Management                           6     4    2        66.67%
Security Governance                       10     5    5        50.00%
Security Incident & Logging                6     3    3        50.00%
Logical Access                            11     2    9        18.18%
Security Config.                           8     0    8         0.00%
Patching & AV                              5     4    1        80.00%
Build & Release                            5     3    2        60.00%
Data Security                              6     3    3        50.00%
Information Security                       6     4    2        66.67%
Total                                     63    28   35   Average = 49.06%

Vertical Industry = 65%, Global = 45%

Security Assessment Baseline Score – 6 months later

Area                         No. of Controls   Yes   No   % Compliant
Asset Management                           8     7    1         87.5%
Security Governance                       10     8    2           80%
Security Incident & Logging                9     7    2           78%
Logical Access                            11     8    3           72%
Security Config.                           8     7    1         87.5%
Patching & AV                              7     6    1           86%
Build & Release                            7     5    2           71%
Data Security                              7     6    1        86.00%
Information Security                       7     5    2         71.4%
Total                                     63    28   35   Average = 79.9%

Vertical Industry = 65%, Global = 45%

Security Control Question

What controls are in place to identify and track the activity of each user who has privileged user rights across the print infrastructure?

• HIPAA 164.312(a)(2)(i): Assign a unique name and/or number for identifying and tracking user identity. Required.
• ISO 27001:2013 A.9.2.5: Review of user access rights.


Security Control Question

Does an accurate CMDB (list of printer assets) exist which includes all printers, noting the firmware version, owners, software, type of use, etc.?

• HIPAA Control 164.310(d)(2)(iii): Tracking Assets.
• ISO 27001:2013 A.8.1: Inventory of assets, owners, acceptable usage of assets.

Security Control Question

What controls are in place to protect sensitive or private print jobs and scan jobs while in motion?

• Reference: 164.312(e)(1) Addressable. ISO 27001:2013 A.13.2.3
• HIPAA 164.312(e)(1): Transmission Controls.

Recommendation Examples – Security Advisory Service

Suggested Roadmap: Good / Better / Best

Timeline: April, June, October, Jan FY18

Date: Roadmap Goals
• Agree roadmap priorities, resources/constraints
• Identify parallel projects
• Unmanaged Printers
• Secure MPS Review

Date: Good
• Patching schedule
• Hardware refresh
• HPSM deployment plan
• AD Integration and/or Secret Server Testing
• Review HP Inc. new policy security settings / NIST std.
• Vuln Scans reporting project
• HPAC Project Plan

Date: Better
• HPAC/Print Fleet Apps Policy Review
• Secure MPS Reporting Status
• Syslog Plan

Date:
• Phase 2 Security Governance Reporting
• Follow up PSAS

Date:
• SIEM Correlation

Date:
• SIEM Plan

Date:
• Secure MPS Review
• Cyber Security/HP Review

Date:
• SIEM/Collection

Date: Best
• SIEM Reporting
• Account Review Reporting
• Patching Reporting
• Risk Reporting
• Hardening Policy Reporting
• Vuln Scan Reporting
• Secure MPS GoLive
• Secure Dashboard Reporting

Thank You

Michael Howard
Chief Security Advisor and Practice Manager
michael.r.howard@hp.com
303 887-0891
