Interview with Donald L. Pipkin, Information Security Architect for the Internet Security Division of Hewlett-Packard
Who is Donald L. Pipkin?
I am an Information Security Architect at Hewlett-Packard. I’ve been with HP eighteen years; most of that time I have spent in the area of information security. I help customers before a security incident by evaluating their security and, after there has been a security breach, I help them in recovering their systems. I design security into solutions which salesmen are presenting to customers. Today I spend most of my time increasing security awareness and explaining security in business terms. I am the author of “Halting the Hacker: A Practical Guide to Computer Security” and “Information Security: Protecting the Global Enterprise.” “Halting the Hacker” provides technical details on how systems are attacked and what to do to protect yourself from those attacks with an emphasis on HP-UX and Linux systems. “Information Security” provides a broad view of information security beyond the data center. It addresses the business issues of information security and how to build security into all aspects of an organization.
How did you gain interest in computer security?
In the early years of HP-UX, most of our customers had little or no experience with Unix systems and had many questions about proper administration and security. So, I spent a lot of time helping customers enhance their disaster recovery plans and security and administrative policies to include their new HP-UX systems, as well as assisting them in evaluating the security implementations.
I have worked with most of the divisions and organizations within HP that are involved with providing security features on HP-UX, and have provided pre-sales and post-sales support and consulting. I have worked with customers in the development of their security policies, assisted them in the evaluation of the implementation of their security procedures, and provided guidance in post-incident forensics.
How did you become a computer book author and how long did it take you to write “Halting the Hacker: A Practical Guide to Computer Security, 2/e”? What was it like?
I started writing the first edition of “Halting the Hacker” in the early nineties when criminal hacking was a new phenomenon. At that time, it was difficult for a small- to medium-sized company to get any information from the information security industry about the threat from hacking and the processes required to secure the systems. There were some security books, but most of them were cookbooks listing specific steps to secure a system without any detail on why the steps were necessary. My goal with this book is to give administrators an understanding of what hackers do and how they think, so that they can understand why they need to take specific security steps. This new edition updates the tools and processes and goes into detail on securing HP-UX and Linux. I thought it was time to remind people that security requires more understanding than just a checklist.
What operating systems and security tools do you use?
I try to use the right tool for the job. Sometimes that tool is an out-of-the-box tool, other times it is a group of tools scripted together. I’ll use “hacker tools” if they perform the function I need and I’ll write it myself if I need to. I use the operating system which best supports the tools I need to use and makes my job easiest. I have a long history with Unix, so I prefer it, when I have a choice.
What are the most important things an administrator has to do in order to keep his network secure?
Always keep the basic security principles in mind.
- Least Privileges – Provide only the minimum permissions and privileges, for the minimum amount of time necessary, to allow proper operation of the required processes.
- Compartmentalization – Isolate users, processes, and data to minimize the probability of accidental corruption and provide containment of malicious attacks.
- Separation of Duties – Segment processes so that no one individual has the ability to initiate and authorize a transaction, so that it takes collusion to commit fraud.
- Defense in Depth – Multiple layers of security provide overlapping defenses which will complement each other so that no single vulnerability can compromise the entire security architecture.
What do you think about the full disclosure of vulnerabilities?
I see the issues about disclosing vulnerabilities focused around the appropriate timing of the disclosure and the level of details in the disclosure.
The disclosure should not be so soon that the affected vendors do not have an adequate opportunity to issue a patch or a work-around. However, it does have to be soon enough that the public can implement the fix before it becomes widely exploited. This, of course, requires that the fix has been identified.
I do not see a reason to release specific details about the exploit to the public. Vendors, researchers and those who deal with verifying and repairing vulnerabilities will receive the specifics of the vulnerability. It is sufficient for the general public notification to include what systems are affected, a description of the vulnerability and the specifics of the patch or work-around needed to repair the problem.
Security analysts say that downloadable exploits pose severe danger since script kiddies can use them without any knowledge. Should exploit archives be banned?
Point-and-click hacking tools attack well-known vulnerabilities. Generally these vulnerabilities have been known about for a long time; well over 6 months, often over a year. The real problem is that vulnerable systems are not patched when the patches are made available. There are nearly daily releases of security patches which are time-consuming to install (requiring downtime of the systems) and, for businesses with thousands of systems, updating all of them is a daunting task. The patching process has to become easier and more streamlined.
As for hacking tools themselves, it is very difficult to define what is a hacker tool, since many tools are equally valuable to a system administrator. For example, network sniffing is a common hacker activity, yet the network administrator will also sniff networks to locate problems. Laws have to focus on the actions of the hacker and not on the tools.
In your opinion, will biometric devices like a mouse that authenticates the user by their fingerprint and remembers its passwords and log-in codes, manage to reduce the security risks posed by improperly trained employees?
Biometrics have a tremendous potential to reduce misuse. However, there is still a significant concern about how they will affect privacy. There are questions about how the biometric data, which is collected, will be used. Will it only be used for authentication, or will it be sold? There are questions about the security surrounding the storage of the biometric data. Hackers steal credit-card data, should I expect that biometric information will be handled any more securely? And then there is the question of when will an organization which has biometric information about you be required to divulge this information and to whom. New laws in the US have raised concerns about information which had previously been considered confidential, and is no longer as well protected as it had been previously.
These concerns and the apprehension, which they cause, will slow down the widespread acceptance of biometrics. Along with the difference in requirements of privacy laws around the world, this will make a global deployment complicated.
What are your future plans? Any exciting new projects?
There are always exciting opportunities working at Hewlett-Packard. Security is a very exciting field, especially with the current level of awareness of security in the general public. I am currently working with my publisher on a number of book ideas to determine which is most needed first.