Ira Winkler: Security is Easier—And Crooks Are Dumber—Than You Think

By Edward Cone  |  Posted 09-05-2005

Ira Winkler: Security is Easier—And Crooks Are Dumber—Than You Think

Ira Winkler can play up the cloak and dagger when it suits him. His latest book, Spies Among Us (Wiley, 2005), even includes an author bio that compares him to James Bond.

Winkler knows that his background at the secretive National Security Agency gives him a certain cachet as an information security consultant, and, hey, it doesn't hurt in terms of television appearances or book sales, either.

But in conversation, and in the book itself, Winkler delivers a sober, low-key message about using technology to enhance security. You don't need the kind of stuff Bond got from Q to stop the majority of data thefts and other common problems, he argues. Many simple fixes are built into technology already available at most companies, but a lot of it is never even turned on. "Specific technologies are almost irrelevant," he says.

"Technologies change and evolve. The key is being consistent and using them with a purpose."

Winkler, 42, started out doing cryptanalysis and systems design for the NSA, then moved on to a career as a security consultant for government contractors.

He is a former technology director at the International Computer Security Association, the author of a 1997 book about information security called Corporate Espionage, and coauthor of a 1998 book about the Russian mafia called Through the Eyes of the Enemy. Currently he runs a Severna Park, Md., consultancy called the Internet Security Advisers Group.

Given our understandable focus on terrorism, including cyberterrorism, many people overlook more mundane threats from common criminals and vandals—but the little stuff adds up. As Winkler writes in Spies Among Us, "Although it may be forgivable to be taken by a real-life superspy, would you forgive yourself for leaving yourself vulnerable to the Hamburglar?"

Winkler spoke to Senior Writer Edward Cone about the simple things that can make a difference in safeguarding information from crooks, viruses—and maybe even spies.

CIO Insight: We hear a lot about the human factors in many security breaches, where people talk their way into getting passwords, or otherwise compromise security by nontechnological means. But you say technology still plays a major role in safeguarding information, and a lot can be done with technology most companies already have at hand.

Winkler: The big problem that I keep coming back to is the fact that most people just don't make use of the technology they have available. They could prevent 95 percent of their problems by making a few simple changes in the way they do things with what they have already.

In most companies I see, I would say that is not well understood. I go by the Wizard of Oz analogy. The moral is: You already have what you are looking for; you just don't know it, or you don't know how to use it.

There are studies that show up to 99 percent of security problems are preventable. The key is that most of these problems can be fixed easily. You can solve maybe 95 percent of the problems for 5 percent of the effort.

The nature of the beast is that you will still have problems, but with the basics in place you can start to deal with defense-in-depth measures, like implementing good intrusion detection and internal firewalls. But if you don't have the basics in place, what difference does it make if you acquire the latest bells and whistles?

You sound frustrated.

Maybe it would be better if the answer did lie with sophisticated spy technology, because then maybe people would focus on it. But the fact is we have so much sitting in front of us that we ignore. Tools like access controls, which limit user and remote access to networks, are available but don't get used, even though they can prevent unauthorized people from just randomly coming across data, which happens a great deal, often in cases of abuse by insiders. There are tools available that help stop people from printing data they shouldn't be printing.

There are audit logs on every computer, as well as server and database audit tools, that can examine where and when people are looking at data, and look at trends to notice who might be looking at too much data or the wrong data.

But those logs just don't get looked at or examined in the way they should be. When they are it can be very effective. One recent identity theft case was discovered because statistical programs noted that some people were making many, many more queries to the database than they should have been, given their job function or stated business.

Technology is a good way to look at the typical processes within a company and see variations that might mean trouble. But not every technology meets every need every time. For example, I believe that anytime you have sensitive data, encryption would be a good move. If the data is generally worthless, or publicly known, there is little reason to encrypt it.

Next page: Simple Fix to Big Problem?

Simple Fix to Big


With the stakes so high, those problem-prevention numbers are a little surprising. How is it that the bad guys can be so easily deterred?

Criminals are far from the brilliant people the media tends to make them out to be. They are more likely to be opportunists who really don't have much of a technological understanding in general. They can be one-trick wonders: Find a tool on the Internet and run the tool against thousands of different computers, and statistically, they'll find any number of computers that are vulnerable to a completely preventable problem.

But they can be clever. When I have investigated crimes involving organized crime, I've been somewhat surprised by how much time these highly skilled criminals spent on "hacker" Web sites and [chat rooms]. They portrayed themselves as teen hackers, frequently girls, and sat there trying to play on the egos and insecurities of clueless teenagers to get them to divulge information on the systems they had broken into.

That's why detection of events is more important in some ways than prevention of the event. At least that way you know what you have to deal with, the nature of the threat. If you stop an attack but don't know about it, the attackers will likely keep coming at you until they find a real vulnerability.

When I do a penetration test, I tend to follow the methodologies that a real attacker would. I'm not talking about an imbecile computer hacker.

I'm talking about a real attacker who means to cause you harm or steal something of value. They figure out where the valuable data is and then they target it. When we go in and do those tests, we generally don't try to find only one unique way in. We look for the ways that others might get in to see evidence of their activity. Upwards of 50 percent of the time, I find real evidence of criminal activity.

When I'm investigating criminal activity that we know has occurred, we find about a dozen other cases in that same place that people didn't previously know about.

Your concern about information security goes beyond data theft to include viruses, malicious hackers and even extortionists, and your book's subtitle mentions spies and terrorists among the everyday threats out there. Are companies focused on the right dangers to information security?

The reality is that viruses are still killing us on a regular basis. And again, people just don't go ahead and use the features to automatically update their virus signatures. They have access-control types of things, personal firewalls and antivirus tools that sit there but don't get updated properly—and that's if they are turned on.

I actually have run across extortionists and it is a growing problem. An extortionist will send out a denial-of-service attack, then contact the company to say if they don't pay, then they will experience more massive attacks at critical times. Other attacks involve the perpetrator hacking into a victim system, stealing data or gaining root access.

They then threaten to expose the stolen data, like customer credit cards, ruining the reputation of the company. If they have root access, they may threaten to destroy the system.

The problem is especially critical for small businesses that deal with online transactions, because larger companies are harder to take down and losses by small companies are harder to absorb.

But it's not all dramatic stuff. I believe in death by a thousand cuts. Everyone is concerned with cyberterrorism, but small things are killing us. Even ChoicePoint was not a spectacularly big thing; it was a little thing that added up and became a public embarrassment because it happened at the wrong time politically. And even there, technology might have more quickly detected that event by scanning to determine how data was being used.

I'd like to see ISPs be held responsible for detecting bot activity and cutting it off the network until the computers involved get fixed. That would protect their interests and those of the user, too.

If you see a personal computer flooding the network, you knock it off the network until it is no longer a problem. It's like someone coming into your home and shooting people with your gun out your window—you should just lock your front door.

I would also love to see my antivirus software go one step further, so that it somehow knows that spyware is coming in from one site on the Internet.

My system would then automatically report it to a central authority that knocks it offline. We should be able to do that now; it's more a matter of political will than technology. The lack of willingness to do so may enable homeland security attacks and other crimes to occur by leaving the network vulnerable.

Obviously the simple fixes you prescribe are more than a technology issue. The technology seems to be the easy part; it's the management that has to change.

Next page: How Advanced Can Security Get?

How Advanced Can Security


Security involves awareness. That is probably the most critical aspect. The majority of people know how to safely operate a motor vehicle, but nobody is teaching the majority of people how to safely operate a computer. We need corporations to have good security awareness programs in place. We tell people to keep their distance from the car in front of them, we still remind them to wear seat belts. So why not keep telling people to browse safe sites and don't open e-mail from strangers?

It's also a policy issue and a management process issue. If you establish a secure baseline for security processes across your organization, if you have secure configurations from the start and your ISPs block traffic that should not be there in the first place, most of the problems go away.

But often management is not working with security people to understand what's available to them. I advise people, "Let's figure out where you should be first, the ideal circumstance, what kind of process and technology you need in an ideal world. Then step back and see where you are, and come up with a plan to get you where you should be in a given period of time."

Generally, this is an inexpensive process with big rewards.

There is a ramp-up cost in training and implementation and an acquisition cost of subscribing to something like a vulnerability scanning service. When the process is in place, however, even routine maintenance becomes a way to make sure the security technology is implemented and updated. Once you get over that hump, once the management process is there, then it just goes down to how the administrators configure and maintain the systems they are responsible for. You will be able to get a big effect from low-tech protections that can be mass-produced and mass-distributed.

The human aspect remains very relevant, but at the same time there are technological measures that can counter operational, physical and personnel vulnerabilities. Technology is often a fail-safe. For example, if someone social-engineers away a password, token-based authentication makes the problem almost nonexistent, because getting the token for that moment in time allows just a one-time break-in. They would have to get the token again and again to go any further. It's a technical process to stop bad human password-security practices and enforce security awareness. Things like biometrics also work very well.

Beyond your emphasis on the low-hanging fruit, technology keeps evolving. Are we moving to an age of sci-fi security systems?

Because of my background and, for want of a better word, my notoriety, I get contacted by venture capitalists and people with new technologies on a regular basis. It's comforting to see some of what is coming down the line. I see biometrics being used more frequently. I think we'll start seeing more of that in the use of checks and credit cards, and people will start doing it as a habit. Banks will enforce the use of biometrics to cut down on credit card fraud. Smart cards will also be a very good thing. For the Internet, we are going to need some authentication structure where ISPs or other bodies act as authentication authorities between Internet sites.

That will get us exponentially beyond where we are now.

However, we're still in an arms race with the bad guys. If there's money to be made, the bad guys will find some way around it. We're starting to see a specialized niche of virus writers doing things for profit, writing things like bots, which allow computers to be controlled remotely, and spyware. Previously, they were just used as distribution points for denial-of-service attacks and spam. Now we are seeing people use bots to steal information.

So you need to keep moving. If we implement an authentication system that delivers an exponential cut in the amount of fraud—whenever you implement a really good technology, it puts the bad guys three steps behind. And you don't stop. Hopefully, they'll start stealing credit cards from other countries.