When Protecting Endpoints, Don’t Forget the MFP

Most people these days have heard the countless messages about the importance of data security.  Virtually every day there’s a new ransomware attack, a new virus, or a new device that hackers have discovered how to breach. In recent years, these bad actors have stepped up their activity and are using more sophisticated techniques to take advantage of the proliferation of endpoints that come along with distributed and remote work environments. To help ensure organizations are protected from these threats, strong endpoint security is essential.

What is endpoint security? Exactly what it sounds like, for the most part. Let’s start by defining an endpoint: “An endpoint is a remote computing device that communicates back and forth with a network to which it is connected,” according to Palo Alto Networks’ Cyberpedia. Examples of endpoints include desktop and laptop computers, as well as servers, tablets, smartphones, and of course, network MFPs (and printers). Endpoints are a popular attack vector, as malicious intruders can potentially gain access to an entire network through an entry point that is not well protected.

When talking about digital transformation and the digitization of paper files, MFPs are often referred to as “on-ramps.” But the same connected nature that makes them the perfect entry point for digital files makes them an on-ramp to the corporate network. MFPs and printers are often overlooked when it comes to security and can be a weak point that hackers can exploit. By ensuring that network MFPs and printers are properly secured, organizations can help protect their business from attacks.

As hackers have become more sophisticated, so must endpoint security protection. For a long time, antivirus software was the single best go-to for protecting computer endpoints. However, in today’s pervasive threat landscape, a well-balanced, multi-layered security strategy that includes antivirus protection is what’s needed – not only for computers, but for MFPs as well. There are a few steps organizations can take to go that extra mile to help ensure MFPs keep the on-ramp blocked from malicious intruders. 

BIOS and firmware integrity checks

A multilayered security approach is always the best way to protect against attacks, and this is especially true when it comes to protecting MFPs. One of the key layers of modern security is a BIOS integrity check at startup. BIOS stands for basic input/output system, and it essentially provides startup instructions to the MFP. Before the BIOS start-up file executes, the integrity check feature compares it to a known reference, which ensures the BIOS has not been tampered with and that it is running the correct version of the code. If the BIOS has been tampered with, it potentially could allow attackers to bypass other security measures and gain access to the MFP. 

Similar to the BIOS check is a firmware check. Firmware is low-level software that is embedded in a hardware device that controls operation. A firmware integrity check in an MFP will verify that the firmware on the device is valid by comparing it to a known reference value. If the MFP also has a self-recovery function, a mismatched value will result in the device loading a backup version of the firmware, thus protecting the device and network from any malware that may have infected the firmware. 

Application whitelisting

One of the more game-changing features of modern MFPs is the addition of integrated applications. Some OEMs even have app stores from which users can select and download a variety of apps ranging from scanning and content management to file sharing, and more. However, anyone who has ever used a smartphone or tablet is probably familiar with warnings of the dangers of unverified apps. It is all too easy for a bad actor to inject malicious code into an app and provide it for download (usually in unofficial, third-party app stores). Once downloaded, that app can be used to gain access to your device, and, eventually, the network. One way to help protect against this is to use application whitelisting. This security feature allows only known, trusted applications to run on the MFP. This helps prevent malicious code from running on the device and compromising sensitive data. In addition, application whitelisting can also help ensure optimum performance and stability by preventing unauthorized applications from running on the device. As a result, application whitelisting is a key security feature for any organization that relies on MFPs to store, process and share sensitive data.

Encryption and TPM

You’ve probably heard of encrypting a computer file or drive. Encryption is a security technique that renders data unreadable to unauthorized entities and is available on most MFPs today. Encryption is the process of converting a document, message or other data into a form that can’t be read or understood by anyone other than the intended recipient. This means that no one, including hackers who may try to gain access to the data, can read it without the proper encryption key. Encryption is an important feature, particularly for organizations dealing in sensitive data, such as healthcare, financial, or legal environments, for example.

An encryption key is typically a random string of code that is used in combination with an algorithm to scramble and unscramble data. Keeping the encryption key data protected is critical. TPM (Trusted Platform Module) is a security feature available on many MFPs that can help safeguard encryption key data. TPM is an industry-standard technology that provides authentication and verification of data. When access to encrypted data on the MFP is requested, TPM uses cryptographic values to compare the encryption key data to a stored reference. If the two values don’t match, access will be denied.   

Antivirus 

While you’re looking for MFPs with strong security, don’t forget about antivirus protection. MFPs that offer antivirus as part of a multi-layered security strategy provide added protection against viruses, trojans, and other forms of malware that are looking for ways to access the corporate network and valuable data. Hackers and malicious intruders never rest; they are always developing new techniques and changing their methods in order to find ways to breach or disrupt an organization. Antivirus capability can provide an added layer of protection against these threats, especially when combined with other security measures, such as application whitelisting.

Protecting an organization’s network these days is much more challenging than it used to be. When the network was contained in a geographic location and endpoints were limited to mostly computers and servers, it was hard enough to keep things safe. Now, with so many “smart” devices and endpoints on the network, MFPs and printers often get overlooked. So, when considering endpoint security, don’t forget those MFPs and printers connected to the corporate network. 

Associate Director, Hardware Product Management at | Posts

George Grafanakis is Associate Director, Hardware Product Management for Sharp Imaging and Information Company of America.