HP execs debate reality of hacker expertise; lament most businesses don't understand

Summary: Hewlett-Packard execs argue that the problem with the security culture today is that many businesses are still following a "check box" approach without understanding hackers' resources and capabilities.

SAN FRANCISCO -- Combating cyber attacks on businesses requires a complete change in understanding as well as stronger investment in defense before and after these breaches occur, according to a panel discussion of Hewlett-Packard executives and security experts on Friday.

In explaining HP's perspective on the current state of cyber security, Art Gilliland, senior vice president of enterprise security products for HP's Software group, reflected that most of the media and corporate attention is directed towards specific actors, such as Anonymous.

He described that approach as a "red herring" in terms of how companies need to respond.

"This is a game of risk management," Gilliland asserted. "Companies need to be able to see and understand their exposure potential and prioritize what they respond to."

That's because, according to Gilliland, there's so much money involved in the sale of intellectual property -- whether it's about credit cards or espionage -- that a marketplace has grown around cyber crime. He explained that "markets do very specific things," including organizing participants and creating a process.

Thus, Gilliland argued that if companies are going to be more effective in responding, they need to think about how they can disrupt each of the steps in the process of establishing this marketplace.

Gilliland outlined that the process is made up of the following five steps: research, infiltration (breaking into a company), discovery (mapping out assets to find where data may live), capture (the adversary takes control of the asset), and exfiltration (stealing and/or destroying data).

Based on the conversation on Friday, two of the problems here could be that most companies are slow to understand this and that they are prioritizing security budgets in the wrong way.

Scott Lambert, director of HP DVLabs, concurred with Gilliland, remarking that we need to be quicker at identifying and responding to hackers after they've already broken in.

"Attackers are shifting in the landscape today," Lambert said, adding that most hackers are now going after primary individuals rather than organizations.

Gilliland followed up that "it's inevitable" that cyber criminals are going to innovate around the latest antivirus toolkits and solutions.

"We're competing against the best in the world, and they only have to be right one time," Gilliland remarked.

He continued that if you believe that's true (which he asserted most security experts do), you have to be really good at catching them on the inside before they've stolen data.

Talkback

5 comments
  • HP can't even make good printers anymore, and that's what made its company

    great to begin with - solid, reliable printers - because only toddlers and salad dressing makers use the word "robust" to describe things...

    If HP can't even do its core business right, why should I care about any of its peripheral ventures?

    And having used and supported HP's printers since the days of the LJ 4050, I've been around the block. The greed game of integrating the drum kit into the toner cartridge was bad enough...
    HypnoToad72
    • And, yes,

      HP's integrating the drum kit into the toner cart started long before the 4050 came out... keeping them separate wastes less toner, especially if the drum develops a fault or scratch...
      HypnoToad72
  • HP execs debate reality of hacker expertise; lament most businesses ...

    As long as the monetary incentive is part of the equation, and as long as crime pays, cracking is here to stay. And as for hackers, as long as human beings remain inquisitive, hacking will always be part of human nature to better himself and to help push the frontier of technology and of civilization ...
    kc63092@...
  • HP is in no position to say others do not understand anything at the moment

    Over the past 8 years HP has been in a downward spiral. Let's touch on a few points, shall we?
    1) HP-UX. They killed it. With HP-UX v3 they were supposed to take some nice features of Tru64 and merge them in to build a better offering. Instead, they started pushing folks to Veritas add-on and stagnating their product offering. Really, who didn't see this coming? I did and I went as far as making the statements at a customer advisory meeting directly to them. They could have kept the Tru64 kernel and kept the HP-UX libraries for the win.
    2) Itanium, aka the Itanic. The hopes and dreams of compile time optimization and developers changing their ways was a big mistake. Combine this major error with HP-UX and they pushed their customers to Linux on x86 like crazy. They could have ported softbench to Linux to allow their customers to move more easily...and kept the customers using their product.
    3) CEO rotations. Carly was far from great, but far from the worst since the rotations began. Tragic.
    4) Autonomy, WebOS, Palm, ...etc. Lots of money blown, and customers confused with HP's direction.
    5) On the X86 line setting up "Dynamic Power Saving" mode as the DEFAULT, as opposed to O/S controlled. Many people have been bitten by extremely cruddy response and the approach masks what is happening within the O/S (Linux and Windows), so unless you know what HP decided, then you'll spend some time trying to figure out what is happening. Whoever at HP decided this was a wise default should be canned.
    6) HP is in the top 10 of the most hated companies in the US. Check out marketwatch.

    I used to love HP's systems, fairly well performing and reliable. Then the leaders in engineering were driven out and replaced with followers. The product line has suffered. We have had IBM, Dell, and HP in our environment. Oddly enough we are considering removing HP from the lineup as we're seeing a steady erosion in quality. This makes me sad. Hopefully their ship can be righted. Fortify does not seem like a bad product, but it will not bail them out as a company. They should try to avoid further alienating customers or potential customers.

    Good luck HP.
    sys_engineer
  • For us a slow day

    Over here it is a slow day, so after reading this article I read this: About Rachel King
    Rachel King is a staff writer for ZDNet based in San Francisco. My question, is Rachel based in SF, or ZDNet based in SF? Maybe both perhaps, yet the sentence implies ZDNet is not Rachel.

    You were warned today is a slow day.
    BubbaJones_