From: www.itworld.com

Interview: Ira Winkler, author of Spies Among Us

by David Geer

September 5, 2006 —

 

David Geer recently spoke with Ira Winkler, author of Spies Among Us. Winkler is also the president of the Internet Security Advisors Group and a former employee of the National Security Agency. Following is an edited transcript of that conversation.

David Geer: What single theme defines you with respect to how you approach security issues?



Ira Winkler: I look at security much more as a process issue. A lot of people tend to say it. I've kind of lived it ... where it doesn't matter to me what sort of process controls or what sort of technical controls are in place. It's the use of the technical controls or the operational controls that actually makes a difference with regard to security. You could add the best technology in the world, but the best technology in the world, not used properly, becomes completely worthless and works against you because it gives you a false sense of security. I [also] don't look at computers for the sake of computers. Computers are generally useless. What's valuable about computers is the information or services they provide. I don't even approach security as trying to make computers secure. I look at security as a way of protecting information as a whole. Another thing that kind of makes me unique is the way I look at things in general. I try to look at the very basics of security, [and] how can [the basics] either be compromised or how can they be better secured?



Geer: You've done security work for the government and you've done it for public corporations. What kind of issues actually appear in both the corporate and government worlds -- things that people might actually be surprised or shocked [to learn]?



Winkler: It all still comes down to the basics. There's a lack of basics inside the government, like there's a lack of basics outside the government.



Unsecured web servers, for example, have been a major pain that's caused a lot of information leakage and a lot of embarrassment. [It comes down to the] ways you set up and give out information. Private companies don't have good policies in place, in much the same way that we've seen leaks in the Federal Government, because again, the processes and the policies in place are not really that great.



It's the little thing[s] that allow the most sophisticated attacks to be big. So when we see loss of information about individuals in the government, we see it in the private sector as well. And when it happens in the private sector, that information then involves many, many more people than the leak in the government. So that's one issue. But I've also seen cases in the private sector where, for example -- you know, I've seen foreign intelligence agencies target companies and corporations. In one case, we found a Chinese intelligence operation operating across the street from a Fortune 50 company's research and development headquarters. We've seen other cases where I stole nuclear reactor secrets under contract to perform an espionage simulation, [and] we found evidence that people from India had stolen the information a long time before we did. There are a lot of other cases where there are national intelligence assets being put against US corporations. And that's a critical factor. Frankly, we're talking about terrorists -- I don't want to overblow this concern -- but terrorists and private individuals are making a lot of money by attacking small enterprises, stealing money from them, hijacking their websites, committing fraud against them, and things to that effect.



Geer: It sounds like you're saying it's not so much the security threats, but whether or not people are instituting the security practices properly.



Winkler: From a risk perspective, there will always be the threat out there. It doesn't matter whether it's a foreign intelligence agency, a script kiddie, a petty criminal or whatever. There's always going to be somebody after your data. However, the only way they can exploit your data is if you leave yourself vulnerable: you provide them with vulnerabilities, and the vulnerabilities can be used against you.



Now the fact is, they're all going to use the same basic vulnerability. There are only two fundamental ways to hack a computer -- by taking advantage of a flaw in the underlying operating system, application software, whatever type of built-in software there is, or by taking advantage of the way an otherwise secure computer is configured.



For example, we know about the vulnerabilities built into the Windows system, just like there are vulnerabilities built into the Mac system, these buffer overflows, things like that. It's just a fact of life. All software has bugs. Some bugs create elevated privileges or information leakage. Those are security vulnerabilities. And the basic way to protect against that is to make sure that you implement all [the] service packs [and] hot fixes on whatever operating system or application software you have to run. That's the first basic way to hack a computer, by taking advantage of problems built into the software.



The other thing that people ignore is that most successful attacks don't occur because of these buffer overflows -- they occur because a user or administrator otherwise configures the system insecurely. For example, improper file sharing, sharing too many files, not setting up passwords in the right way, giving away a password, not having any password, for example, or easily guessable passwords. When I break into Fortune 50 companies, you'd be surprised at the number of systems I get into because I see the password of "administrator" on the administrator account. These are very simple vulnerabilities. There was one study put out by CERT a few years ago that says 70% of all successful computer attacks don't occur because of vulnerabilities in the software. They occur because of the way the user [or] administrator configured the system that allowed for that attack.



Geer: How are you fighting to make corporate America more secure?



Winkler: There are a couple of ways I'm doing it. I'm trying to get what I would call grassroots support by getting the word out. I could go in and help a company, one company at a time, but for me it's much more rewarding to try to help thousands of people at a time by either writing or speaking or whatever the case may be. So I like to approach it from that way. Also, when I do go into companies, and this is probably the critical factor, when I look at people, I don't go ahead and tell people [that their] computers are vulnerable. I show them the business case for what their computers being vulnerable actually means. For example, there was one case where one company called me in because they had four different companies come in and do a penetration test, and all four companies said, "We have full control of your entire network." The security manager told the CEO, who said, "Big deal." It was a little bit more than that, but he basically said, big deal. The security manager called me, and three days later he walked into the CEO's office and said, "Here's our mergers and acquisitions data, here's our executive salary compensation, here's the new technologies coming out in three years, here's this, here's that, and by the way, they have full control of the entire network." The next week, they bumped up the company security budget by $11 million. That's the way of doing it, by going ahead and proving the business value of the computer vulnerabilities that are out there in ways that can be easily addressed.


Geer: Thank you, Ira, for your time here. If you want to learn more about Ira's work you can visit his website at www.isag.com, or read his book, Spies Among Us.