Episode 16 – All Things HP and All Things Security

Connection

Continuing our National Cyber Security Awareness Month podcast series, Sarah Bates, Partner Business Manager from HP, discusses with our host, Penny Conway, and the Connection TSG Cyber Security Team how HP’s innovative security features can fit into your organization’s security practice to help eliminate critical threats.

Learn about visual hacking as well as other threats and best practices to prevent them. 

  • 60% of employees take computers out of the office. 
  • 9 out of 10 visual hacker attempts are successful.
  • 75% of Sr. Managers have not considered visual hacking as a threat.

This is the transcript of the TechSperience podcast – Episode 16

Penny Conway:

Good morning, and welcome to today’s episode of Connection’s TechSperience. I am Penny Conway, senior program manager for workplace transformation here at Connection. And I am lucky enough to have our entire TSG group back with me today. That is our Technology Solutions Group. And they focus on all things security. With a special guest, Sarah Bates, our partner business manager from HP, to talk about all things HP, and all things security. So, Sarah welcome to the show. And why don’t you tell us a little bit about yourself and what brings you to the podcast today?

Sarah Bates:

So, I’m a partner business manager. Which means that I am dedicated to supporting Connection from an HP perspective. I help out with everything from questions of account managers on the sales floor to, you know, helping build our brand within HP.

Penny Conway:

So, HP has a nice slogan that says that they make the world’s most secure PCs and printers. Is that true?

Sarah Bates:

It is true. Legally it even lets us say it, so it’s really true.

Penny Conway:

That’s how you know it’s true.

Sarah Bates:

Exactly.

Penny Conway:

So today, the last time I had our TSG group folks on the line with us. We talked a lot about their strategy around protection, detection, and reaction. And the last thing that we left off with, with this group was talking about our end users or our employees. And awareness, and how we sometimes might see our employees as one of our security risks. And that is very near and dear to HP as I understand. They have some specific solutions around how to mitigate the risks that employees might be having. But, Sarah, you and I talked about an interesting topic all around visual hacking.

And the success rate of visual hacking, I believe nine out of ten attempts to visually hack someone’s information are successful. Which is really scary when you consider that 60% in a recent survey that was done, 60% of employees take their work computers on the road with them out of the office leaving them really open to that visual hacking. So, tell us a little bit about visual hacking. And what HP has going on in that space? And we’ve got a great group of security experts here that might agree with you, might challenge you, and might ask you some questions as well. So, let’s get in the ring and talk about security.

Sarah Bates:

Absolutely. So if we start with visual hacking it’s actually a really simple concept. It’s someone looking over your shoulder when you’re doing something on your computer. And you’ll find that, I’ve noticed that I do it, like not paying attention, while it’s like you’re sitting on a plane and your neighbor is doing something on their laptop and you’re like, “Oh what are you doing?” Oh, you’re sending emails. Most of the time it’s not very interesting and you don’t care. But it’s like you said, people are taking their work systems out on the road, and whether they’re sitting at Starbucks or an airplane, they’re looking at their email, they’re looking at their company data.

And it’s so easy for someone who’s in the wrong place at the wrong time, or someone who is actively sitting at Starbucks waiting, for someone from a nearby company to show up with some information to just take a look at your screen, and see what you’re typing and, if they’re really great they could snag your password. If not, they can just snag some information, whether it’s private financial data or some kind of new product a company’s coming out with. And people don’t think that it’s just as simple as looking at your screen. And they can grab that data.

Penny Conway:

So, looking to you guys, Bill, Steve, Mitch, and Rob. When you’re working with customers on your SLO process. What components of that sort of visual hacking come into play there when you’re working with companies to try to understand what that potential risk is?

Steve Nardone:

You know, we certainly talk about people, process, and technology through the process. And of course, we are looking at all types of potential risk that a customer may have. You know, this particular technology is really fantastic in the healthcare space, right? As an example, where there could be sensitive healthcare information that may be on a system. So, we do cover all those particular components and having the ability, we, you know, it, it might’ve been invented in California, we call it in the cybersecurity space Shoulder Surfing.

Penny Conway:

Oh, I like that.

Steve Nardone:

But, you know, yeah. So, Shoulder Surfing is certainly something that we, we worry about. And, and you’re right, on an airplane it’s, you know, you’re sitting next to somebody and they kinda lean in over towards you. And you’re thinking, hmm, are they reaching for something out of their bag or are they trying to read my screen? So, you know, having that, that protection is really important. And, you know, the interesting part about this is fundamentally we kinda forget about those physical security kinds of things, right? We think about all those, you know, a guy sitting in a dark room with a hoodie typing away, creating malicious attacks that can attack a computer. But physical security is one of the easiest ways to capture and, and gain the information that is most sensitive.

Penny Conway:

Yeah. And I was, I was actually reading, and it goes back to the awareness and when you’re thinking about being on a plane, a study that I read said that 75% of, I think it was a survey of 1,000 employees. 75% of the senior managers that were, that reported back into that survey said that they didn’t think about things like that. Like the visual hacking the answering an email or clicking on, you know, a link from somebody that they by all means think that they know. Being an issue and so those, you know, that kinda level and above that’s, those are the people in your organization that actually have the sensitive information that you don’t want walking around. So, what is, Sarah, you had actually made a, I’m gonna make you repeat this comment. ‘Cause you said that you were sitting next to somebody on a plane who had what kind of privacy screen?

Sarah Bates:

So I was sitting, it was actually they were like across the aisle from me, one up. So, I would’ve then had a perfect view of their security screen, of their screen. But it did have like an external privacy filter on it. But it was scotch taped around their notebook. And then it also had like this huge crack in the corner. So, like I could see like a little tiny part of the screen like glowing out. And it was this young guy who clearly was… it was like a financial company ’cause he was talking to some of his colleagues about what he was doing.

And I just wanted to like lean over and tap him on the shoulder and be like, “You should ask your IT department for an HP computer (laughter) with Sure View.” Which is, so HP has like a built in privacy screen. And it’s like, you can turn it on and off with the click of a button, so it looks nice. And you don’t have to worry about scotch tape or cracked corners or anything. And so, it was just such, so funny. I wish I had done it but (laughter) he was protecting himself but not very attractively.

Penny Conway:

I actually, I turned my, I have a HP computer in front of me with Sure View and I, I clicked it on. And I think there is a little bit of privacy envy going on in the room (laughter). I’m sorry my, we, we might have to equip some of our friends here with some Sure View, Sure View machines.

Sarah Bates:

Yeah. It’s funny, it comes in handy too when you least think about it. On another flight, ’cause I travel all the time, I actually was sitting down and there was another young woman next to me. And we were just chit chatting about what we were doing. We were heading down to Texas. And she’s like, “Oh I work for Dell.” And I was like, “Oh I work for HP.” (laughter) And as I opened up my system and like pulled up my email I was like, “Privacy filter on.” (laughter).

Penny Conway:

So that, that kinda looks at the, you know, the Shoulder Surfing, which I actually really really like that, that term. It sounds a little bit cooler than visual hacking. But, along with kind of what people are seeing on your screen potentially there’s a ton of other, I think, end user or employee risks that are happening today around specifically phishing. We talked a little bit around how that looks like for, you know, enterprises. Steve you, you talked about a, a specific scenario with a casino whose fish tank thermometers, or thermostats were actually hacked.

Steve Nardone:

That’s right.

Penny Conway:

And that’s how they got in.

Steve Nardone:

Mm-hmm (affirmative).

Penny Conway:

But employees are seeing emails come in every single day from either maybe a fake source internally or maybe someone that they just… I mean, how many of our employees have kind of personal emails coming to their work address? You know, I’ll be 100% honest, my daycare emails my work address, ’cause that’s the fastest way to get ahold of me. And I think that’s just like a, you know, a small example. But what are users doing on their laptops today that HP is seeing. And then of course our security team weigh in here, like what’s happening? And on an everyday basis of me as a user, at my computer, what kind of threat am I to my organization when I’m just clicking through emails?

Steve Nardone:

So, you know, email comes from everywhere, right? And you’re right the- we do get personal email to our systems. And, you know, you get all kinds of advertisements that come in as well. And so, understanding what you can do to protect yourself against a phishing attack being executed on your system is something that takes a lot of effort to train people on. But it’s very effective. But certainly, you know, one of the best things you can do is have some type of technology that will prevent that from executing, you know, in an uncontrolled kind of way before the employee can really, you know, stop it, right?

Sarah Bates:

Yeah. And so one of the things HP does, and we look at it as your employees are going to click a link at some point, some employee somewhere is gonna click a link that they think is real, or that they didn’t mean to click. And with that phishing scenario. So one of the things HP thinks about is, “How do we kind of the forefront, you know, and obviously not the be all end all of security. But how do we do at the hardware level or at the system level, build in solutions that can help protect a company or an organization when their employees just go about their normal day but do something that’s gonna negatively affect them?” So we have a couple different technologies that we usually build right into our systems that can help either when users click links, open them up in like a sandbox opportune… in a sandbox, syst, situation. Where (laughter), you know, so the user has to say, “All right do I really actually trust this source? Yes I do. And I can now open this link up in a true fashion, so it has access to my system.”

Or, and if they do click something that, you know, downloads some kinda malicious code onto their device, we actually are able to kind of constantly monitor the BIOS level of a system. So where hackers typically tend to go to write code, where an, a typical end user isn’t gonna notice something is off with my system. But that’s how they, like a hacker will use that level to access into a company’s network or into their data. And so we’re able to say, “Hmm. Someone’s made a change to the BIOS. The core, you know, code of this device. And it, they shouldn’t have.” So we have a separate special copy, we called it the golden copy, that sits in a separate physical location on the motherboard, and we can say, “All right. This BIOS that’s running the machine isn’t right, let’s shut it down and restart it, and pull that actual real official BIOS from that golden copy.” So just some really quick and easy ways that HP is thinking about protecting their, you know, customers before any actual intervention from IT or full software-based solutions come in.

Penny Conway:

And what’s interesting is you, the, the BIOS level threats, that’s different than, you know, maybe some other… I’ll let you guys kinda maybe talk about the difference of threats. Because from what I understand, and Mitch I think you’re gonna you’re getting ready to go. But BIOS threats or attacks are not detected as easily, right? As maybe some others that are happening. So, share with us a little bit of clarity around that?

Mitch Tanaki:

Before I get to that (laughter) I just have some-

Penny Conway:

He’s like, “No, no, no. I want to say something else.”

Mitch Tanaki:

Does Sure Click have an option to like report the file?

Sarah Bates:

Yes, it does.

Mitch Tanaki:

Okay. ‘Cause I think that’s, that’s huge if, you know, it comes up and you’re unsure if it’s safe or not, it would be great to-

Sarah Bates:

Yeah.

Mitch Tanaki:

… send it somewhere to go actually get looked at.

Sarah Bates:

Yeah. And the, so the system can notify through a couple of different ways. And then there’s also, the company wants to get above and beyond. We do have some security solutions that are a part of our device as a service organization, that will actually take that security, monitoring and reporting, like up to the next level.

Mitch Tanaki:

Cool.

Penny Conway:

So, what, I’m sorry. I’ll ask another question about the, the Sure Click. Is, you know, say, say you have an end user that, that opens something, it asks them if they trust it or not. But they say, “Maybe not.” And they open it up into that window. But then they just kind of arbitrarily say, “Yes, I, I do trust this. Even though I don’t really know if I trust this.” What happens with that? If they release it, is that now just released? Is it just kind of like a, a temporary blockade? Or does it have some other sort of info collecting or quarantine attributes in it?

Sarah Bates:

So, for the most part it is just kinda that first level attempt where if a user says they trust it, it will kinda open up onto the system. And that’s why there’s the other pieces involved like Sure Start, which is that BIOS, BIOS level protection I was talking about. And then again, how I’m sure the experts in the room will tell you, you know, you don’t need just one security feature you need layers.

Penny Conway:

Right.

Sarah Bates:

So it’s just one of the first line of defense pieces. And then there’s other solutions. And some of which again are built in with that HP system from the start. But other pieces that will help mitigate any risks if a user says, “I trust this.” Even though-

Penny Conway:

They don’t?

Sarah Bates:

They don’t.

Penny Conway:

(laughs) They just want to open up their document (laughs).

Steve Nardone:

Yeah. I mean, it’s a great point about layered security. You know? It’s not any one thing that, that will provide you with complete and total protection, so what you want to do is make sure that you’re covering all the potentials associated with the threat of the risk you perceive. And having something like a next gen AV that can do machine learning, or behavioral analysis on something, on the end point added on top of the HP platform is certainly a great idea.

Bill Virtue:

Or a least privilege approach.

Mitch Tanaki:

Mm-hmm (affirmative).

Steve Nardone:

Right.

Penny Conway:

And what do you mean by that? Privilege approach?

Bill Virtue:

Ensuring that the user doesn’t have local administrative rights. You remove all of that because once the hacker does get into the BIOS and they start to work laterally in the system, they’ll do a privilege escalation typically, or attempt to.

Penny Conway:

Mm-hmm (affirmative).

Bill Virtue:

But if the user is a, just a standard user and doesn’t have administrative credentials, there’s not a lot that the hacker can do.

Penny Conway:

Right. Do you, do you guys see a lot? ‘Cause I know like when we say that statistic, that 60, you know, 60% of employees are taking their devices out of the office and that might… We were talking earlier; a lot of you guys work from home. I know some companies give maybe more administrative rights to those remote workers that don’t have that IT at their ready. What’s kind of a play there to make sure that you give enough access, so they’re not locked out of everything, but not so much access-

Bill Virtue:

Yeah. We don’t, we have local admin rights. But I, I do. (laughter).

Mitch Tanaki:

Yeah.

Steve Nardone:

They, they, you know, so this gets into the-

Penny Conway:

Well, the job title.

Steve Nardone:

This gets into the whole business process-

Bill Virtue:

Yeah.

Steve Nardone:

… versus security process perspective, right? And it really depends upon the company, and it depends upon the knowledge and the awareness of the employees. And whether or not they do grant admin rights or not. There are technologies out there that you can add that will help do privilege escalation as Bill just alluded to. And so, you can run a machine at a local user level but have software that will allow you to be able to escalate a onetime privilege to install an executable, right? An application or something along those lines. But thinking about that from an overall mechanics perspective, again it’s people, process, and technology.

Is really imperative to building a good risk management strategy. And one thing that you want to do as well with this, and I’m assuming HP has a capability to be able to prevent a USB port from being accessible to boot, right? Because that’s one of the attacks. You know, there is cool technology out there and one of them is called Bash Bunny, you can put it in the USB port and actually boot right off of that and take control of a system. So, I’m assuming there’s protection built in for that as well?

Sarah Bates:

Yes.

Steve Nardone:

But, yeah, the, the important part is trying to minimize the amount of things that an employee has to actually think about on a regular basis.

Penny Conway:

Right.

Steve Nardone:

So that they can focus on doing their job. But they still have to have good security capabilities, you know, like a thought process. But the beauty of having some of the built-in technology is now they know that they can relax a little bit on that part of it. But your question Penny about, you know, if, if somebody just opens up something without really validating whether or not it is malicious or not. As soon as it’s in the user’s face, it, whatever code is in there that may be malicious code, it’s just gonna execute. So at that particular point in time, that’s why it’s important to have additional technology that can maybe protect against an advanced attack as well as some level of monitoring to be able to determine, or we get to the detect and react piece, right? Are you able to detect when something bad is happening on an end point?

Penny Conway:

That’s a lot about PCs and kind of what’s happening. We live and breathe on our, on our PC. But print is kind of one of those risky little areas. And I don’t know how familiar every, everyone is with the PewDiePie attacks that happened last year. I’d say a raise of hand but how about a quick, yes, yes, yes, yes. I mean, that was a (laughter)-

Steve Nardone:

Yes.

Mitch Tanaki:

Yes.

Bill Virtue:

Yes.

Penny Conway:

But that was a, a really big one. That was thankfully, I think not malicious. But we hear a lot of hackers now that are like, “Oh I didn’t do that to be malicious. I did that to educate you about how easy it is to hack into your system.” But it was, you know, over, I think, well over 100,000 printers that were hacked with a message saying it was all about PewDiePie, some YouTuber wanting the most amount of subscribers. And saying, you know, “Subscribe to PewDiePie. And also, your printer is unsecured so you might want to actually do something about that.” Print seems to be just that blind spot for a lot of companies. They don’t see a printer the same as a PC. But the truth is, Sarah, they really are the same machines. And so, I think this is one thing that like is a great point of conversation, is how do we get companies to start looking at printing or in printers and that hardware being just as open to a potential threat as a PC is?

Sarah Bates:

Yeah. Penny, I think that’s a, a great point. And I think a lot of times print has always been seen as, it’s there, if it works don’t touch it. It spits out my paper data, it photocopies something for me. But really, you know, nowadays as printers are becoming smarter and smarter, and document management is becoming a bigger part of organizations’ strategies, these printers that they’re buying and they’re putting right into their network usually with, you know, a physical connection have an operating system, they have a, you know, a screen, they have memory, they have a hard drive. So essentially, they’re PCs, big PCs on your network that are spitting out documents. And you’re sending data through them. And you’re not usually thinking about how that is an access. And I think, I mean, I definitely see companies changing and, and thinking about the print now. But, you know, HP’s been talking about this for years. And, you know, the common saying is like, “Have you thought about your print security?” And people are like, “Print security?” (laughs).

Penny Conway:

What does that mean?

Sarah Bates:

What? Like antivirus on my printer? Like, and, and so it’s definitely something that a lot of more and more people are thinking about. And, I mean, there are statistics out there that talk about how, you know, often, you know, hackers are able to use a printer as an access to the network. Or how someone, again, talking about end user, someone prints, prints something and that document that they print contains some kind of malicious code that’s now gonna, you know, make that printer, that access to the network that people are traditionally thinking about their PCs being in a… So, it, it’s something that we’re seeing people think a lot more about, and it’s something that HP has definitely been talking to customers about it for, for years.

Penny Conway:

And Rob, where do you, where do printers stand when you’re working with customers?

Rob Di Gerolamo:

Yeah. They’re huge. I mean, and it goes to that concept of people not thinking of a printer as necessarily a computer, right? It’s like how do I manage it? I don’t manage it like I manage all my computers. So, it’s, it’s this concept that’s kinda hard to grasp. People are coming around to it. But it’s, “What do I do when it comes to making sure the right protections in place?” Maybe going, thinking beyond the printer, maybe thinking about your network, right? How do I understand if my printers are on the same segment as my user PCs and then say, “Oh, look, I made a pivot.” That’s something for, easy people to jump from a printer to, “Now my user network.” So, understanding that you have the right proper network segmentation in place. And that’s a huge thing with IoT in general right? Printers really are, fit into that IoT bucket and the Internet of Things. So, it’s, it’s managing them right, correctly, right? From setting them up, configuring them, but then also understanding, “Did I make it easy for an attacker or a malicious actor to, to come in, take control of my printer and then just, you know, run around my network?” So having that right segmentation stood up and understanding how to, to do understanding why I need to do that and how is, is crucial as well.

Steve Nardone:

To Rob’s point about easy, right? The mindset of a hacker, they’re looking for the biggest return on investment with the least amount of effort, generally is the initial starting point. So, printers are highly sophisticated systems, sophisticated computers, they have IP addresses. And if there are weaknesses there, they’re gonna find them, and that’s what they’re going to exploit. And they’re gonna look for that first, right? Knowing that printers are a potential risk area. So, thinking about print security, and protecting those very powerful computers on your network is something that needs to be done. And, and frankly a lot of, a lot of companies out there don’t think about it.

Penny Conway:

Kind of a curiosity, and this might be a good discussion topic. C- curiosity question, ’cause we talk about the how hackers, very often say, “Oh I was just trying to teach you a lesson. I was trying to create.” (laughs) Like we’re trying to create awareness by talking about what you need to do, they’re creating awareness by actually doing attacks, and things like that. What kind of, when you’re working with companies or something that companies should think about. We know data is, is obviously a currency. We alluded to that the last time we talked. But what do you think the, the goal is? Do you, do you think there’s hackers out there that are just hacking to see how easy it is to get into something? How hard it is? Like it’s a hobby? Or do you think all of them are coming in looking for that data that a company has to spread out into the universe, or use maliciously? And this is truly an opinion piece. Don’t worry about it. (laughs).

Rob Di Gerolamo:

I think there’s a swagger element, right? Some of it is like, “Yeah. I got into these systems from this company. X, Y, Z.” Some of it is, a world facing job interview, right? Like, “Look what I was able to do as a security researcher. Maybe you should hire me.” Some of it is malicious intent, right? We were talking about how records are expensive, right? Data is, is, is the new currency. So there’s that element too. So I think it, it’s a spectrum thing. But, but overall if you’re going after a specific company your, you… I shy away from doing that. (laughter) I would not encourage anybody to do that, right? I think you’re basically putting a, a target on your head for lots of different things, lots of different issues to come up.

Mitch Tanaki:

Yeah. And I, I just think a lot of, you know, hacker has a negative connotation.

Steve Nardone:

Yep.

Mitch Tanaki:

Most of the people that do it don’t, are, aren’t in it for malicious reasons. A lot of them love puzzles.

Penny Conway:

Right.

Bill Virtue:

That’s right.

Mitch Tanaki:

Because it is, it’s a big puzzle trying to you know, find a hole to get into. For the serious ones who do it for you know, profit and crime. It, it’s literally a job for them.

Penny Conway:

Right.

Mitch Tanaki:

You know, nine to five.

Steve Nardone:

They’re part of a group, right?

Mitch Tanaki:

Part of a group.

Steve Nardone:

Yeah.

Mitch Tanaki:

They have rotations. And, you know, they’re, their review cycle might be a little different than ours but (laughter), you know, they, they have goals. They have MBOs to meet. One of the, I was working, previous past life, we were responding, we were responding to an incident. And we were working closely with the FBI. They got into a chat room and they showed us the, you know, chat script, like we couldn’t take it. They printed it out when they showed it to us. It was a Russian chatroom. They translated it. Part of me thinks that like, “Hey, look, look at, look what we got.” (laughter) So that swagger element. But it, I mean, it was like, it was pretty cool that they did that. And then they shared it with us. And then we were looking at their chat script, it’s very close, closely matched like our chat scripts when we would go in and do penetration testing. You know? We would divide and conquer, go back and forth-

Penny Conway:

Mm-hmm (affirmative).

Mitch Tanaki:

… and, you know, similar methodology. So the folks who do do it, you know use their power for evil. Well, it’s a job. Just like-

Penny Conway:

Right. Like our job.

Mitch Tanaki:

… our job.

Penny Conway:

Yeah. It’s kind of like the, the good guys and the bad guys when you get in (laughs), into that.

Mitch Tanaki:

Yeah.

Bill Virtue:

And to Steve’s point earlier a lot of these serious hackers are, they’re nation state.

Penny Conway:

Right.

Bill Virtue:

They’re funded.

Steve Nardone:

Yeah.

Bill Virtue:

You know, very well-funded so.

Mitch Tanaki:

Better funded than our customers.

Penny Conway:

(laughs).

Steve Nardone:

That’s right. Better, better funded than, than all the cybersecurity professionals that are trying to prevent them from getting in. And, you know, the one thing to keep in mind as well is, even the most organized and sophisticated attackers that are out there still start with the easy stuff, right? They’re, they’re going to run script kiddies, they’re going to be looking for flaws that are standard flaws. Systems that aren’t patched.

They start there because again that’s either the lowest hanging fruit or the path of least resistance, either one, how you want to look at it. And they start there. And then if they’re really targeting somebody, they still start there, but then they get more sophisticated as time goes by to figure out how they can actually get in, right? And, and, if any, any sophisticated attacker wants in? They, they will figure a way to get in.

Bill Virtue:

Sure.

Steve Nardone:

There’s nothing any corporation is ever gonna be able to do to prevent an attacker from getting in, you know, and to include coercing an employee to-

Penny Conway:

Right.

Bill Virtue:

Sure.

Steve Nardone:

… give them sensitive information.

Penny Conway:

Right. I was gonna tell an anecdotal story. When I was six, I was probably 16 years old. And my high school boyfriend, I won’t name the, I won’t name the company. But it was a popular package delivery company. And he, I hope he’s listening (laughs), one day he finds this and listens. But he, they didn’t pick up a package from him when he, like he was a big E-bayer ’cause that was, that was big. And they didn’t pick up a package from him. So he called them and, I don’t know what he was looking for from them in terms of an apology. But he ended up going into their system and automating like a request ticket, like to happen every .2 seconds. And he flooded their, their system of requests. And they had to like, it completely stalled them in the state of Massachusetts.

But they like, and then they ended up like, of course, he’s 16 years old, he only has so much sophistication when it comes to (laughter) actually like hiding his IP address and anything like that so. They actually found him, found where he was located, found him, got ahold of him. Like his parents (laughs), because he’s 16 years old. And it was kind of, they couldn’t figure out how to stop it. They couldn’t figure out how to stop the requests with the, the code that he had, had built. And they said, “We promise that we won’t press any charges if you just stop. If you just stop it so we can resume normal activity.” But he shut down a very large package distribution facility in the state of Massachusetts for about a day (laughs). And he was 16, so you think of like things that are, like, you know, the swagger to-

Mitch Tanaki:

Right.

Penny Conway:

… have that, that, that like bragging rights. Like I’m sure he didn’t sign anything saying he can’t brag about it. But, but that, that’s kinda the stuff that’s out there where it might not be malicious but it’s gonna shut you down, shut your business down for a whole day because someone is annoyed that you didn’t pick up their package.

Steve Nardone:

That’s called a denial of service attack in the cyber world. And that’s, that’s pretty, that’s pretty cool.

Penny Conway:

So Mitch, I wanna go back real quick to what you were saying about the FBI printing out chat scripts. Because that’s actually one, you know, when we talked about visual hacking up front. It’s not just what’s happening over that shoulder surfer, that shoulder surfing. But my own personal experience is how many times I’ve needed to print something on a printer and have like phone a friend so they can go pick it up or they hit the print button. But, kind of the printing sensitive documentation. I know that that’s very near and dear to HP’s, kind of print philosophy. So, Sarah talk, talk to us about kind of the risks there around what’s going on with printing sensitive information?

Sarah Bates:

Yeah absolutely. So, we talk about, HP talks about printing and securing their print from kind of a whole end to end approach, just like you would do with anything. So, we talk about securing the device, securing the data itself. And then also securing the document. So, I thought it was so funny when you said the FBI like printed out this Russian chat script. And that’s, you know, they have every right to print it out and to look at it at a physical being, as a lot of people like, you know, physical paper instead of just on the screen. But I thought to myself, well if they’re printing that out, you know, to a big copier device on one side of the building, and they’ve got to walk across, what happens if they get distracted?

They start talking to their neighbor at the cube they’re walking by? And then someone else accidentally grabs that? And, you know, hopefully everyone in the FBI building is not gonna do anything malicious with that information but who knows if it’s, and in any office setting or any public setting. If you’re printing, you know, you want to make sure you’re not just leaving your data, out for anybody to grab or see. So one of the solutions that HP has is, you know, around authentication at the device before a document’s actually come out. So you click print, but until you’re actually there to touch the device and say, “I am Mitch. And I really want to see this Russian chat script.” It doesn’t actually come out.

Penny Conway:

And, a lot of times I, like I worked for companies where I have to put in a code to print but that’s really just to capture the, the call center. But I think more and more companies are looking at, and we were talking about the federal government earlier, and of course the FBI. I think that’s like a no brainer for customers like that, that know, you know, I’m constantly printing sensitive information so I need key cards, I need pin cards. But it’s even truer, I think for, you know, the vast majority of companies just with sensitive data. Someone in finance printing something, or you have HR printing something and that information could get into an employee’s hands that maybe they’re gonna do something icky with it. So I know that like the cloud piece of what HP’s been doing is kind of really helping that security, where it’s less of that like physical thing, I need to be on the device. And you guys are really leveraging the cloud to print now, right?

Sarah Bates:

Yeah. And it could be both a public cloud or someone’s internal cloud. And I like to think of like healthcare as an example. Like you’re someone in medical billing and you need to print someone’s personal information, and you click print and you mean to click the printer, you know, two desks over, but you accidentally choose the one that’s on the other side of the hospital. And so now you’ve printed out someone’s personal medical information and you’ve got to run, you know, you think, “Oh my God. I have to run across the hospital to grab this before someone else does.” And it accidentally gets out in the world and that’s a huge HIPAA violation. So, one of the solutions that we have is you just print to this, I just click print into this general print like queue.

And then you can walk up to any device around the organization and you can authenticate by a key card or a pin card, or your Active Directory credentials. And then you can see a list of all the documents you’ve printed. And then you select the document and print it. So the idea is that you don’t run into any of that risk where you’re violating HIPAA or any other, you know, specific compliance rules that you’re gonna put your organization at risk for, you know, fines of that nature or just in general of, of risk of any proprietary or personal data getting out in the world.

Penny Conway:

No that’s a, a great point. And I think that’s been kinda the neat thing about talking to you Sarah is that we look at everything that’s happening externally and coming in as a threat externally. And it’s great to kinda get that full view of what’s happening internally, how people are printing, what they’re printing. What the chances are of that information getting into the wrong hands and then same on the PC side like if 60% of your employees are remote or not even remote but taking that device on a plane, on business trips the potential of having sensitive information out there in the world. So certainly, things for companies to really start thinking about more of those internal threats and how employees can potentially be a weak spot but how there also is promise, guys, right?

‘Cause if we can create some awareness, some process, and just some understanding of what some of these threats are, then I think companies have a better chance of mitigating against them. So, for more information on the world’s most secure PC’s and printers feel free to visit Connection.com/brand/HP. There’s a ton of information about their security value proposition. And of course, we have a great team here at Connection to help us both, of course on the security side, but specifically for HP security. So, Sarah, thank you so much for joining me.

Sarah Bates:

Thanks for having me.

© 2019 CONNECTION, INC. ALL RIGHTS RESERVED.