In the Boardroom With...
Mr. Manny Novoa
Security Strategist
Personal Systems Group
Hewlett-Packard Co. (NYSE: HPQ)
SecuritySolutionsWatch.com:
Manny, thank you for joining us today. Please give our audience an
overview of your background and your role at HP.
Manny Novoa: I’ve worked for HP (and Compaq
formerly) for 16 years. For the past 10 years I’ve focused
on manageability and security architectures for personal
computers. My current position is security strategist and
architect in HP’s Personal Systems Group (PSG) with primary
focus on desktop security solutions. I also work across
various teams in PSG, to ensure our products’ security features
complement each other.
SecuritySolutionsWatch.com: HP
has developed a “layers of security approach” for security
protection. Please give us an end-to-end overview of how this
approach to security protection actually works.
Manny Novoa: The “layers of security” refers to the
fact that there is no silver bullet product to solve all of
one’s security issues. The goal is to put appropriate
barriers and security methods in place to create obstacles to
attacking a given platform. Consider, for instance,
preventing data on the hard drive from being compromised. If
the system allows booting of an alternate boot device (CD-ROM, USB
disk, floppy, etc.) then it is quite simple to boot from this
alternate media and literally browse the entire file-system
(without requiring OS login) or worse yet, to change any of the
user passwords (even the administrator password) on the system.
Many solutions exist for protecting hard disk records from being
attacked, but the best approach is a methodical layer by layer
shutdown of the vulnerabilities. Start with enabling
power-on protection well before the OS -- HP commercial
desktops/notebooks, for example, support password, smartcard and
embedded security chip credentials for pre-OS authentication.
In this case, the system just doesn’t boot. But what if
the hard drive is removed and placed on another system?
Well, many notebook hard drives ship with a DriveLock feature that
would prevent the drive from spinning up, even if moved to another
machine. This combination alone greatly diminishes the value
of a stolen computer to a thief/hacker. Finally, for cases
where the thief/hacker has deeper resources, the addition of
encryption on the hard drive completes the lock-down of the
platform. If you’re using a platform with HP ProtectTools
Embedded security chip, you can further protect the encryption key
that’s stored on your hard drive. Oh yeah, don’t forget
to have a secure back-up of your encryption key!
SecuritySolutionsWatch.com:
Phishing and spyware threats are becoming more and more prevalent and
sophisticated. Yet, many end-users are still not familiar with how
these threats manifest themselves. Please give us an overview of
"phishing" and "spyware" attacks and how
best to protect against them.
Manny Novoa: There are many classes of spyware and phishing
attacks and as previously stated, there is no single tool to
eradicate the threat completely. Here again layers of
protection are called for, plus a bit of common sense. Start
by ensuring anti-virus and anti-spyware definition files are up
to date. You’re only as protected as what’s available to
your software in the way of latest “known” attack profiles.
Turn on Windows firewall or invest in a third party firewall
that’s unobtrusive but can inform you of traffic leaving your
system.
Next, turn off pop-ups in your web browser and if your email program has
a mode to prevent automatic download of pictures or web link
redirection…turn that feature on to prevent your identity from
being inadvertently disclosed. This also helps prevent
spyware or trojan attaching to executable code/scripts.
Pay attention when clicking on a link in an email that may look
legitimate (i.e. from your bank, credit card or a shopping portal
you frequent) asking for you to log in and update or otherwise
validate information on your account. In some cases you may
notice you are just looking at a picture of an authentic page, but
no matter where you click on the email you are redirected to a
different URL. Pay particular attention to what web site you
actually end up at because redirection is powerful on the Web, but
it can lead you astray. For instance, if the resulting
address has an extra suffix (e.g. <yourbank>.xxx.com), take
precautions and perhaps call to verify authenticity of that site.
Finally, pay attention to warnings built into most internet
browsers that warn of certificates for a site being invalid (in
the case of SSL sites). If you’re directed to a
non-protected web page, do NOT enter any critical information.
SecuritySolutionsWatch.com:
HP has been providing security solutions to Fortune 1000 and
government customers, including the Department of Homeland
Security (“DHS”), for 60 years. Please give our audience an
overview of the solutions HP has provided to DHS.
Manny Novoa: Based on our mega-merger experience, HP has
advised DHS and Secretary Ridge on people, processes &
technology and how to organize DHS as the largest federal
re-organization since WW2. As a result of recent natural
disasters, HP has worked both directly and through partners to
help supply first responder public safety.
As DHS continues expanding its mission and begins to work in an
interoperable and unified mutual aid fashion with other agencies,
HP and its partners are providing solutions across multiple
security spaces, including emergency communications, secure
networks and GIS.
SecuritySolutionsWatch.com:
And, how about a success story with a Fortune 1000 company?
Manny Novoa: One excellent deployment involves HP
ProtectTools Embedded Security (i.e. TPM chip embedded on
platform) in the healthcare/HIPAA market. In this
deployment, the TPM is not only used to protect keys for encrypted
data passwords/secrets on the system, but also used to
authenticate the system in addition to the user. Upon
performing a VPN connection to the network, the TPM is challenged
to validate that the platform is authorized (owned by the company
in this case) to connect to the network. The end result is a
very strong auditable record of users and systems connecting to
the network infrastructure.
SecuritySolutionsWatch.com:
Bioscrypt recently announced that its VeriSoft Access
Manager is available through HP for enterprise management of the
HP Credential Manager solution. The proactive solution combines
Bioscrypt's VeriSoft Access Manager Server with HP Credential
Manager for ProtectTools to deliver functionality including
secured single sign-on and Multifactor authentication with a
centralized client configuration management. Please tell us
about Credential Manager for ProtectTools and how this deal with
Bioscrypt evolved.
Manny Novoa: HP Credential Manager is a key security
solution within HP’s ProtectTools security suite for personal
computing systems. HP Credential Manager functions as a
multi-factor authentication engine for the platform, supporting
several strong authentication factors in addition to password:
smartcards, fingerprint readers, various cryptographic USB tokens,
etc. Users log into an “identity” with the required
combination of the above authentication factors. Once
authenticated, the user is provided network login and single
sign-on (SSO) services via HP Credential Manager.
With the addition of Bioscrypt’s VeriSoft Access Manager Server,
users can roam between systems on a network and have all their
single sign-on credentials follow seamlessly, while administrators
can more easily administer logon and SSO policies.
SecuritySolutionsWatch.com: Thank
you for your time today, Manny. Is there any other subject you’d
like to talk about?
Manny Novoa: Security is a rather broad topic and assessing
each individual or company’s security needs is a complex
process. For further information on HP security solutions,
start your search at http://www.hp.com/security.
For those looking at endpoint security, a direct link is available
at http://www.hp.com/products/security.
Finally, HP’s Security and Business Home page is available at http://www.hp.com/sbso/security/toolbox.html.