Monthly Archives: February 2018

HP Canada Printer Security Tech Day – How Did I Get Here and What Did I Learn?

As documented by my friend Jeff Man, HP hosted a Printer Security Tech Day for a select group of information security practitioners in the US last year. By all accounts, it was a success and they wanted to put on a similar event here in Canada. Considering Jeff’s wide reach via the Security Weekly podcast, they asked him if he knew of any fellow influencers in Canada.

As a result, I was lucky enough to be one of seven security practitioners invited to visit the HP Canada offices in Mississauga earlier this month. I gladly accepted the invitation on behalf of Securicy.

How did I get here?

I got to know Jeff Man while we both worked for Tenable Network Security. After I left the company, we kept in touch. I was lucky enough to have him keynote the Security B-Sides Cape Breton conference and he has spoken at AtlSecCon (I sit on the Board of Directors).

Jeff asked if I was interested in learning more about HP’s secure printing technology from a Canadian perspective. Of course I said yes, and he made the introduction.

What did I learn?

I learned that HP has the strongest, most comprehensive print security protections in the industry. HP print security isn’t just about securing printers; it’s about helping to secure the entire network with real-time threat detection, automated monitoring, and built-in software validation that no one else offers.

Why should you worry about securing printers?

Attackers are targeting networked devices including printers to easily exploit brand & customer data. Users can change device settings, access data, or send scanned documents anywhere. Unsecured printers can open the network to attack.

Printers are a surprising, but real, source for a data breach. In addition to documents that lie unprotected in output trays, printers store information in memory that can be recalled or intercepted. Too many confidential print jobs are left uncollected.

Printer Security Tips

Secure your data: Sensitive data is vulnerable as it traverses the network to the printer and when it sits in the printer memory or storage.

After a document has printed, do not store the document or even data about the completed job on your printer.

Encrypt your print jobs to protect data in transit in the event they are intercepted, and use encrypted storage as documents wait to be printed.

Protect data before it reaches the device tray by authenticating users and tying them to their specific documents. Require that document owners authenticate themselves to the printer before pages will print.

Protect your documents: How often have you gone to pick up your document and found multiple documents in the printer tray or sitting around nearby? These can be viewed or carried off by anyone, creating a security risk. If your printer has the capability, activate pull or push printing to reduce unclaimed documents. Users can print to a secure network, authenticate themselves, and retrieve jobs when and where necessary.

Secure your printers: Move your printers to a controlled access area, or physically secure your devices. Disable physical ports to prevent unauthorized use.

Require authentication and authorization for access to device settings and functions to help eliminate security breaches. Deploy options such as PIN authentication, smart cards, or proximity badges. Use your printer’s built-in access control software (if available).

Before retiring a printer, remove any data that may be left in the device’s memory. Ensure the device’s hard disk is erased, destroyed or removed upon retirement.

To be honest, at the end of the day, we were all surprised at how much HP is embracing security across its entire product line and why we hadn’t heard about it until now!

As an added bonus, we had the pleasure of meeting Michael Calce (aka Mafiaboy). It was very interesting hearing his side of the story and how he has turned his life around.

Many thanks to HP Canada for hosting this event, and I will be keeping a close eye on what they have to offer in the future.

Learn more about HP’s Secure Printing Technology.

What is classified as “Personal Data” in the General Data Protection Regulation (GDPR)?

The GDPR defines personal data (aka PII) as “data from which a living individual can be identified or identifiable (by anyone), whether directly or indirectly, by all means reasonably likely to be used.”

This could be directly (e.g. a person’s name) or indirectly (e.g. the owner of that business). The definition of personal data applies to any piece of information which can be used to identify an individual, based on ‘all means reasonably likely to be used’.

For example, a user ID number is classed as personal data, because it can be matched to the name of a user on a database. The term ‘personal data’ still applies to data even if it requires the use of information elsewhere to identify an individual.

Personal data includes:

  • Identifiable information such as numbers
  • Factors specific to a person’s physical, physiological, mental, economic, cultural or social identity

However, it goes on to clearly state examples of this personal data, and specifically adds new identifying types of data to its definition. This includes:

  • Names
  • Location Data – Data that has any kind of geographic position attached to it. This is classified as personal because it could be used to identify where an individual lives, works, and sleeps, or to find out social, religious, or cultural identities.
  • Online identifiers – Digital information such as IP addresses, cookie strings or mobile device IDs. For example, as an IP address can be used to find out where an individual is located, it is clearly personal data.

As a subcategory of personal data, sensitive data refers to a more specific type of personal data that should be treated with extra protection. The current definition of this includes information such as:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade-union membership
  • Health or sex life

Under the GDPR, sensitive data is given more enhanced protection, with explicit consent required for its processing. Two new information types are added to this classification too: genetic data and biometric data.

Genetic data specifically refers to gene sequences, which are used for medical and research purposes. Biometric data includes fingerprints, retinal and facial recognition.

If you can identify an individual from any data held, then the data is “Personal Information” and it therefore falls within the scope of the GDPR.