Interview with Donald L. Pipkin, Information Security Architect for the Internet Security Division of Hewlett-Packard
by Mirko Zorz - Friday, 31 January 2003.
Always keep the basic security principles in mind.
  • Least Privileges - Provide only the minimum permissions and privileges, for the minimum amount of time necessary, to allow proper operation of the required processes.
  • Compartmentalization - Isolate users, processes, and data to minimize the probability of accidental corruption and provide containment of malicious attacks.
  • Separation of Duties - Segment process so that no one individual has the ability to initiate and authorize a transaction, so that it takes collusion to commit fraud.
  • Defense in Depth - Multiple layers of security provide overlapping defenses which will compliment each other so that no single vulnerability can compromise the entire security architecture.
What do you think about the full disclosure of vulnerabilities?

I see the issues about disclosing vulnerabilities focused around the appropriate timing of the disclosure and the level of details in the disclosure.

The disclosure should not be so soon that the affected vendors do not have an adequate opportunity to issue a patch or a work-around. However, it does have to be soon enough that the public can implement the fix before it becomes widely exploited. This, of course, requires that the fix has been identified.

I do not see a reason to release specific details about the exploit to the public. Vendors, researchers and those who deal with verifying and repairing vulnerabilities will receive the specifics of the vulnerability. It is sufficient for the general public notification to include what systems are affected, a description of the vulnerability and the specifics of the patch or work-around needed to repair the problem.

Security analysts say that downloadable exploits pose severe danger since script kiddies can use them without any knowledge. Should exploit archives be banned?

Point-and-click hacking tools attack well-known vulnerabilities. Generally these vulnerabilities have been known about for a long time; well over 6 months, often over a year. The real problem is that vulnerable systems are not patched when the patches are made available. There are nearly daily releases of security patches which are time-consuming to install (requiring downtime of the systems) and, for businesses with thousands of systems, updating all of them is a daunting task. The patching process has to become easier and more streamlined.

As for hacking tools themselves, it is very difficult to define what is a hacker tool, since many tools are equally valuable to a system administrator. For example, network sniffing is a common hacker activity, yet the network administrator will also sniff networks to locate problems. Laws have to focus on the actions of the hacker and not on the tools.

In your opinion, will biometric devices like a mouse that authenticates the user by their fingerprint and remember its passwords and log-in codes, manage to reduce the security risks posed by improperly trained employees?

Biometrics have a tremendous potential to reduce misuse. However, there is still a significant concern about how the will affect privacy. There are questions about how the biometric data, which is collected, will be used. Will it only be used for authentication, or will it be sold? There are questions about the security surrounding the storage of the biometric data. Hackers steal credit-card data, should I expect that biometric information will be handled any more securely? And then there is the question of when will an organization which has biometric information about you be required to divulge this information and to whom: New laws in the US have raised concerns about information which had previously been considered confidential, and is no longer as well protected as it had been previously.

These concerns and the apprehension, which they cause, will slow down the widespread acceptance of biometrics. Along with the difference in requirements of privacy laws around the world, this will make a global deployment complicated.

What are your future plans? Any exciting new projects?


What's the real cost of a security breach?

The majority of business decision makers admit that their organisation will suffer an information security breach and that the cost of recovery could start from around $1 million.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Thu, Feb 11th