September 05, 2006, 3:59 PM — David Geer recently spoke with Ira Winkler, author of Spies Among Us. Winkler is also the President of Internet Security Advisor's Group and a former employee of National Security Agency. Following is an edited transcript of that conversation.
You may also listen to the original interview here, or visit our Podcast Center for more audio interviews.
David Geer: What single theme defines you with respect to how you approach security issues?
Ira Winkler: I look at security much more as a process issue. A lot of people tend to say it. I've kind of lived it ... where it doesn't matter to me what sort of process controls or what sort of technical controls are in place. It's the use of the technical controls or the operational controls that actually make a difference with regard to security. You could add the best technology in the world, but the best technology in the world, not used properly, becomes completely worthless and works against you because it gives you a false sense of security. I [also] don't look at computers for the sake of computers. Computers are generally useless. What's valuable about computers is that the information or services they provide. I don't even approach security as trying to make computers secure. I look at security as a way of protecting information as a whole. Another thing that kind of makes me unique is the way I look at things in general. I try to look at the very basics of security, [and] how can [the basics] either be compromised or how can they be better secured?
Geer: You've done security work for the government and you've done it for public corporations. What kind of issues actually appear in both the corporate and government worlds -- things that people might actually be surprised or shocked [to learn]?
Winkler: It all still comes down to the basics. There's a lack of basics inside the government, like there's a lack of basics outside the government.
Unsecured web servers, for example, have been a major pain that's caused a lot of information leakage and a lot of embarrassment. Ways you set up and give out information. Private companies don't have good policies in place in much the same way that we've seen leaks in the Federal Government, because again, the processes and the policies in place are not really that great.
It's the little thing[s] that allow the most sophisticated attacks to be big. So when we see loss of information about individuals in the government, we see it in the private sector as well. And when it happens in the private sector, that information then involves many, many more people than the leak in the government. So that's one issue. But I've also seen cases in the private sector where, for example - you know, I've seen foreign intelligence agencies target companies and corporations. In one case, we found a Chinese intelligence operation operating across the street from a Fortune 50 company's research and development headquarters. We've seen other cases where I stole nuclear reactor secrets under contract to perform an espionage simulation, [and] we found evidence that people from India stole the information a long time before we did. There are a lot of other cases where there is national intelligence assets being put against US corporations. And that's a critical factor. Frankly, we're talking about terrorists - I don't want to overblow this concern -- but terrorists and private individuals are making a lot of money by attacking small enterprises, stealing money from them, hijacking their websites, committing fraud against them, and things to that effect.
Geer: It sounds like you're saying it's not so much the security threats, but whether or not people are instituting the security practices properly.
Winkler: From a risk perspective, there will always be the threat out there. It doesn't matter whether it's a foreign intelligence agency, a script kiddie, a petty criminal or whatever. There's always going to be somebody after your data. However, the only way they can exploit your data is if you leave yourself vulnerable, you provide them with vulnerabilities and the vulnerabilities can be used against you.
