
9/13/2006 08:15 AM

HP's School of Hard Knocks

Hewlett-Packard's recent media leak scandal cost several execs their jobs. What can enterprises, and IT departments, learn from the mess?

Corporate security has the responsibility of protecting a firm's assets, both intellectual and physical. This often includes the responsibility of managing investigations into information leaked to competitors or the media. The scandal at Hewlett-Packard last week, in which top executives mismanaged such an investigation and ended up losing their jobs, offers some lessons that should be taken to heart and never forgotten.

  • Lesson One: PR is important.

    Corporations are public entities. Any aspect of any investigation is, therefore, of interest to the media covering the company. This means that, regardless of the legality of an action, corporations should think about its disclosure -- intentional or otherwise. In its investigation, HP used "pretexting," which is pretending to be someone else in order to get access to critical information. HP's methods might be technically legal, but they became a PR disaster and eventually resulted in board-level changes. With better disclosure processes, the whole thing might have been avoided.

  • Lesson Two: Maintain tight management.

    HP's "pretexting" was done by an agent, possibly without the direct knowledge of the security or legal staff until after the event. The action was clearly a management oversight, because even if it was legal, it was inconsistent with HP policy and wouldn’t otherwise have been allowed. But, because management was hands off the process (and because the agency used was not part of HP), a disaster resulted. Companies aren’t the government, and the use of agencies -- particularly in this case -- doesn’t provide the protection that it once did. As with most issues like this, the problem will flow uphill and eventually land on the desk of an executive who doesn't think it's so funny.

  • Lesson Three: Communicate.

    The HP scandal reached catastrophic levels when a board member didn't admit to the mistake he had made. This can happen at all levels of a company when the full details of a decision are not clear. If the board member had known that his actions would cost him his job, he not only would not have covered them up, but he would have thought twice about leaking the information in the first place.

    How many security departments make it a point to communicate the repercussions of violating corporate security policy? Investigations like HP's seldom become public, so companies should use this example to demonstrate that even the most powerful employee can't make a mistake and then try to cover it up. When they realize this one leak resulted, directly or indirectly, in the replacement of one CEO and two board chairmen, some employees may give more thought to their future actions.

  • Lesson Four: Experience counts.

    We often forget how important experience is in the security industry. HP gives us one great example of what can happen when the people who are running an investigation have no inkling of what they are doing. Companies are not the CIA; you simply can’t go around abusing privacy rules to find out information that likely could have been obtained in safer ways. Experience plays a major role in protecting companies against "investigators" who have good skills but lack the experience to use them. HP did successfully find the source of its media leak, but it could have avoided a nasty scandal if investigators had been more careful and/or brought in the proper authorities to assist with the investigation.

  • Lesson Five: Fear of looking stupid can get you fired.

    This is a lesson that applies to the technology industry in general. We use a lot of code words, and we often don’t know what those words mean. In the HP instance, there is evidence that the term "pretexting" was used to describe the leak investigation process, but there is little evidence to indicate that top executives had any idea what pretexting was.

    Given HP’s history, you would think that the phrase "We are going to fraudulently represent ourselves as a board member (or reporter) to get access to personal information" would be enough to give any HP executive an immediate and near-fatal heart attack. HP has never exhibited behavior like this in the past, so you have to believe there was a disconnect somewhere.

    I believe the disconnect was that the executives didn’t know what pretexting was and assumed someone else did, but that critical someone didn’t exist. If you don’t know what something means, you’d better damn well ask. The HP case proves that if you try to look smart, you may get shot by your ignorance.

    This is potentially a huge problem in technology-focused firms, where jargon is used freely but the security staff may not understand the jargon. And the sword cuts both ways, because line managers may not understand words like "pretexting" that are specific to security.

    In the end, it is better to look ignorant and ask the question than it is to look incredibly stupid -- not to mention unemployed -- after the fact.

    — Rob Enderle is President and Founder of Enderle Group. Special to Dark Reading
