February 19, 2020
Buyers Lab, the industry’s leading authority in hardcopy device testing and research, unveiled its complete Security Validation Testing programme. Initially targeted to connected MFPs and printers and eventually expanding to include all “smart workplace” IoT devices, the programme establishes industry-standard benchmarks in the areas of Device Penetration, Policy Compliance, and Firmware Resilience.
The programme is administered by Buyers Lab, long recognised as the independent source for test data for the office equipment industry, and its cornerstone is hands-on testing conducted by Buyers Lab in concert with accredited security testing firms.
“End-point security is top of mind for organisations of all sizes, and rightfully so,” said Randy Dazo, Keypoint Intelligence’s President and CEO. “If not properly designed and secured, a company’s output devices can be an unlocked ‘back door’ serving as a conduit between the Internet and the corporate network. Our programme establishes standards that all device manufacturers can strive to achieve, and cuts through the jargon and competing claims for purchasing decision-makers.”
During two years of programme development, Keypoint Intelligence solicited input from leading document imaging OEMs. The result is a three-track test suite that addresses security from various vectors to ensure devices are safeguarded against vulnerabilities—and that they remain so:
Device Penetration: A combination of automated tools and manual exploitation is used to probe for potential vulnerabilities in the device firmware/OS, ports, print protocols, embedded web page, connectivity avenues, and more.
Policy Compliance: Technicians employ the OEMs’ management tools to specify security settings and save those settings as a “policy” template, apply the policy across a fleet to ensure devices are in compliance, monitor those settings on an ongoing basis, automatically remediate devices that fall out of compliance, and more.
Firmware Resilience: Technicians use the OEMs’ tools and protocols to validate that devices are in compliance with the NIST SP 800-193 guidelines for platform resiliency of connected devices. The testing ascertains whether mechanisms are in place to protect the platform against unauthorised changes, and that the device can detect an attack and recover to a secure state automatically.
The pressing need for such a programme is not theoretical, Keypoint Intelligence said. In 2019, for example, security researchers in the Microsoft Threat Intelligence Centre discovered infrastructure of known Russian hackers communicating with several external devices, as well as attempts by the hackers to compromise popular IoT devices—including an office printer—to breach networks. Once they established access, the hackers were able to uncover other insecure devices and move across the network seeking higher-value data.
Notably, the Keypoint Intelligence – Buyers Lab programme differs from Common Criteria Certification for output devices in that there is not only verification that a device has the prescribed set of features and that they are correctly implemented, but also hands-on testing to determine if vulnerabilities remain. OEMs that submit products for testing and pass one, two, or all three tracks earn the right to license the Security Validation Testing seal to communicate to customers that the platform has passed the testing.
“We are thrilled that HP, Fuji Xerox, and Ricoh supported us in our initial round of testing, and just as thrilled to report that their platforms met the stringent criteria put forward in our Device Penetration test protocol,” said Dazo. “These actions are a testament to those companies’ commitment to product security and desire to raise the bar for the entire industry.”
For more information on the Buyers Lab Security Validation Testing programme and the details about the products that have passed, please visit https://keypointintelligence.com/security.