9/13/2006 08:15 AM

HP's School of Hard Knocks

Hewlett-Packard's recent media leak scandal cost several execs their jobs. What can enterprises, and IT departments, learn from the mess?

Corporate security has the responsibility of protecting a firm's assets, both intellectual and physical. This often includes the responsibility of managing investigations into information leaked to competitors or the media. The scandal at Hewlett-Packard last week, in which top executives mismanaged such an investigation and ended up losing their jobs, offers some lessons that should be taken to heart and never forgotten.

  • Lesson One: PR is important.

    Corporations are public entities. Any aspect of any investigation is, therefore, of interest to the media covering the company. This means that, regardless of the legality of an action, corporations should think about its disclosure -- intentional or otherwise. In its investigation, HP used "pretexting," which is pretending to be someone else in order to get access to critical information. HP's methods might be technically legal, but they became a PR disaster and eventually resulted in board-level changes. With better disclosure processes, the whole thing might have been avoided.

  • Lesson Two: Maintain tight management.

    HP's "pretexting" was done by an agent, possibly without the direct knowledge of the security or legal staff until after the event. The action was clearly a management oversight, because even if it was legal, it was inconsistent with HP policy and wouldn’t otherwise have been allowed. But, because management was hands off the process (and because the agency used was not part of HP), a disaster resulted. Companies aren’t the government, and the use of agencies -- particularly in this case -- doesn’t provide the protection that it once did. As with most issues like this, the problem will flow uphill and eventually land on the desk of an executive who doesn't think it's so funny.

  • Lesson Three: Communicate.

    The HP scandal reached catastrophic levels when a board member didn't admit to the mistake he had made. This can happen at all levels of a company when the full details of a decision are not clear. If the board member had known that his actions would cost him his job, he not only would not have covered them up, but he would have thought twice about leaking the information in the first place.

    How many security departments make it a point to communicate the repercussions of violating corporate security policy? Investigations like HP's seldom become public, so companies should use this example to demonstrate that even the most powerful employee can't make a mistake and then try to cover it up. When they realize this one leak resulted, directly or indirectly, in the replacement of one CEO and two board chairmen, some employees may give more thought to their future actions.

  • Lesson Four: Experience counts.

    We often forget how important experience is in the security industry. HP gives us one great example of what can happen when the people who are running an investigation have no inkling of what they are doing. Companies are not the CIA; you simply can’t go around abusing privacy rules to find out information that likely could have been obtained in safer ways. Experience plays a major role in protecting companies against "investigators" who have good skills but lack the experience to use them. HP did successfully find the source of its media leak, but it could have avoided a nasty scandal if investigators had been more careful and/or brought in the proper authorities to assist with the investigation.

  • Lesson Five: Fear of looking stupid can get you fired.

    This is a lesson that applies to the technology industry in general. We use a lot of code words, and we often don’t know what those words mean. In the HP instance, there is evidence that the term "pretexting" was used to describe the leak investigation process, but there is little evidence to indicate that top executives had any idea what pretexting was.

    Given HP’s history, you would think that the phrase "We are going to fraudulently represent ourselves as a board member (or reporter) to get access to personal information" would be enough to give any HP executive an immediate and near-fatal heart attack. HP has never exhibited behavior like this in the past, so you have to believe there was a disconnect somewhere.

    I believe the disconnect was that the executives didn’t know what pretexting was and assumed someone else did, but that critical someone didn’t exist. If you don’t know what something means, you’d better damn well ask. The HP case proves that if you try to look smart, you may get shot by your ignorance.

    This is potentially a huge problem in technology-focused firms, where jargon is used freely but the security staff may not understand the jargon. And the sword cuts both ways, because line managers may not understand words like "pretexting" that are specific to security.

    In the end, it is better to look ignorant and ask the question than it is to look incredibly stupid -- not to mention unemployed -- after the fact.

    — Rob Enderle is President and Founder of Enderle Group. Special to Dark Reading
