Ira Winkler: Security is Easier, And Crooks Are Dumber, Than You Think
Ira Winkler can play up the cloak and dagger when it suits him. His latest book, Spies Among Us (Wiley, 2005), even includes an author bio that compares him to James Bond.
Winkler knows that his background at the secretive National Security Agency gives him a certain cachet as an information security consultant, and, hey, it doesn't hurt in terms of television appearances or book sales, either.
But in conversation, and in the book itself, Winkler delivers a sober, low-key message about using technology to enhance security. You don't need the kind of stuff Bond got from Q to stop the majority of data thefts and other common problems, he argues. Many simple fixes are built into technology already available at most companies, but a lot of it is never even turned on. "Specific technologies are almost irrelevant," he says.
"Technologies change and evolve. The key is being consistent and using them with a purpose."
Winkler, 42, started out doing cryptanalysis and systems design for the NSA, then moved on to a career as a security consultant for government contractors.
He is a former technology director at the International Computer Security Association, the author of a 1997 book about information security called Corporate Espionage, and coauthor of a 1998 book about the Russian mafia called Through the Eyes of the Enemy. Currently he runs a Severna Park, Md., consultancy called the Internet Security Advisers Group.
Given our understandable focus on terrorism, including cyberterrorism, many people overlook more mundane threats from common criminals and vandals, but the little stuff adds up. As Winkler writes in Spies Among Us, "Although it may be forgivable to be taken by a real-life superspy, would you forgive yourself for leaving yourself vulnerable to the Hamburglar?"
Winkler spoke to Senior Writer Edward Cone about the simple things that can make a difference in safeguarding information from crooks, viruses, and maybe even spies.
CIO Insight: We hear a lot about the human factors in many security breaches, where people talk their way into getting passwords, or otherwise compromise security by nontechnological means. But you say technology still plays a major role in safeguarding information, and a lot can be done with technology most companies already have at hand.
Winkler: The big problem that I keep coming back to is the fact that most people just don't make use of the technology they have available. They could prevent 95 percent of their problems by making a few simple changes in the way they do things with what they have already.
In most companies I see, I would say that is not well understood. I go by the Wizard of Oz analogy. The moral is: You already have what you are looking for; you just don't know it, or you don't know how to use it.
There are studies that show up to 99 percent of security problems are preventable. The key is that most of these problems can be fixed easily. You can solve maybe 95 percent of the problems for 5 percent of the effort.
The nature of the beast is that you will still have problems, but with the basics in place you can start to deal with defense-in-depth measures, like implementing good intrusion detection and internal firewalls. But if you don't have the basics in place, what difference does it make if you acquire the latest bells and whistles?
CIO Insight: You sound frustrated.
Winkler: Maybe it would be better if the answer did lie with sophisticated spy technology, because then maybe people would focus on it. But the fact is we have so much sitting in front of us that we ignore. Tools like access controls, which limit user and remote access to networks, are available but don't get used, even though they can prevent unauthorized people from just randomly coming across data, which happens a great deal, often in cases of abuse by insiders. There are tools available that help stop people from printing data they shouldn't be printing.
There are audit logs on every computer, as well as server and database audit tools, that can examine where and when people are looking at data, and look at trends to notice who might be looking at too much data or the wrong data.
But those logs just don't get looked at or examined in the way they should be. When they are, it can be very effective. One recent identity theft case was discovered because statistical programs noted that some people were making many, many more queries to the database than they should have been, given their job function or stated business.
Technology is a good way to look at the typical processes within a company and see variations that might mean trouble. But not every technology meets every need every time. For example, I believe that anytime you have sensitive data, encryption would be a good move. If the data is generally worthless, or publicly known, there is little reason to encrypt it.