SINGAPORE—If the Philippines does not want to suffer the same fate of the Bangladeshi central bank in 2016, when it lost $81 million in a cyberheist, then it should only do one thing: secure its printers. So says executives of HP Inc.
What was thought out to be a simple printing system error by officials of Bangladesh bank, turned out to be one of the biggest cyber robbery incident of last year, executives told reporters the company flew here.
At the usual routine, printers at the Bangladeshi bank would automatically print all the acknowledgement messages of transactions made through the bank over the weekend.
However, that Friday of February 5 was exceptional. The printers were empty. Bangladesh bank officials tried to print the messages manually but failed.
It was not a printing error. It was a system malfunction.
The men behind the robbery? Hackers. They infected the printing system with a malware that disabled the machine from doing its chore: printing.
Aversion
THE unusual system intrusion could have been averted if the “usual” printers were secured, according to network analysts and experts.
For security expert, Joseph Wagle, worldwide director of HP Inc.’s Security and Industry Solutions Consulting arm, it is high time that government entities treat their printers as not mere machines but of a security threat.
“We recommend this to a lot more sensitive government entities, not only to the Philippines. There a lot of very important government entities and corporate entities that should look into this very very closely,” Wagle said in a news briefing here on June 6.
“A lot of organizations spent a lot of time and money securing their PCs [personal computers] and data centers, but they have not given the same focus in their printing system,” he explained. “The printing system is a vulnerable endpoint that could allow hackers to perpetrate their system.”
HP Printing Systems General Manager for Asia, Pacific and Japan Ng Tian-Chong said companies tend to overlook printers as mere machines and not as a valuable piece of their whole network.
“The printer sits in the IT [information-technology] infrastructure. And any government in the region, in the world, should consider that very carefully,” Ng said. “They are securing their PCs to protect their networks but they forget about their printers. They just see it as for printing, faxing and scanning, that it is a minimal threat—but it’s not.”
‘Endpoint vulnerability’
INTERNATIONAL Data Corp. (IDC) Asia Pacific Practice Group Vice President Sandra Ng said the print system is considered to be one of the “weakest links” in a business-network infrastructure, leaving it a loophole for hacking attacks.
“When you think about security threats and think about hackers, they will going to find the weakest link in the environment. And the weakest link can be your printer, and unfortunately large majority of you don’t have a secure print environment,” Ng said.
In its AP Printer Survey 2016, IDC found out that nearly half of all the business entities in the Asia Pacific excluding Japan (APeJ) region do not include printers in their respective IT security program, according to Ng. IDC surveyed 3,053 companies on the inclusion rate of printers in their security program.
Furthermore, the survey revelead that only one in every five companies in the APeJ region include at least half of their printers in their security program, Ng added.
“No one really talked about that it’s [printer] 100 percent secured and part of IT security program. And almost half of all organizations, never study printer logs for security purposes,” she said, citing the 3,053 companies surveyed by IDC.
She added that 2/3 of all organizations “never defined print security” in RFPs (request for proposal).
“And almost half of all organizations, never scan printers for malware.”
HP Inc. Southeast Asia Managing Director Koh Kong Meng said the companies’ lax printing-system security could be attributed to two factors: timing and awareness.
“Security has always been a big issue but it’s only recently that security on printers has been talked about. Because most resources and discussion about security has always revolved on PCs and notebooks,” Koh said. “Nowadays, everything is connected. Printer is nothing but a PC that happens to be able to print…and people are beginning to realize that.”
Moving forward
WHEN asked whether HP is doing something to address the lack of awareness of corporate entities and government agencies on the weakness of printers, Koh said: Yes we do.
“We have discussions not only with individuals, government and organizations across Southeast Asia, but also with the agencies in countries that have responsibility for cyber security. We have discussions with cyber-security agencies to also educate them about the risk inherent in some of the devices of technologies,” Koh said.
“As Joe [Wagle] mentioned, many people have done a lot to strengthen their PC’s security, even their mobile devices and tablets. But not many considered the printer as a point of vulnerability,” Koh added. “And we are here to say that they are.”
Citing the case of Singapore, Ng said the national government has mandated financial institutions to secure all endpoint devices, including printers, in order to secure their respective monetary systems.
“The government is starting to pay attention that it is happening,” Ng said. “They are not jusy buying printers for printing per se, but for the security features it provide.”
Wagle noted that installing a “secured printer” would not be sufficient in having a fully secured printing-system structure. Wagle added that agencies—may it be public or private—should employ certain regulation and standards of practices that would revolve on print security.
“Because regulations, external audits and compliance requirements change. You need to know how does that regulation apply to print security, how that standard of practice apply to print security,” he said. “Agencies must develop, implement and maintain tools and procedures covering the detection of potential cyber-security incidents, incorporating: counter-measures against malicious code; intrusion detection strategies; audit analysis; system integrity checking; and vulnerability assessments,” he added.
HP is the “first” technology company that rolled-out a copier line series that have built-in security features, according to Ng.