Modern day James Bond shares tips for thwarting corporate spies
Most crooks aren't all that smart and spies are no exception, according to former National Security Agency analyst Ira Winkler. Getting confidential financial and technical information right from the source is simpler than you'd think. Most hackers and spies don't have special aptitude for intelligence theft. What they do have is (a) some sort of training and (b) the willingness to perform as trained over and over again -- what Winkler calls "the repeatable process required for expertise." Understanding this basic formula is key to protecting computer security systems, the expert told his audience during a recent security symposium at Arizona State University.
Security is easier and crooks are dumber than you think, according to Ira Winkler, the former National Security Agency analyst, now president of Internet Securities Advisor Group and author of several books, most recently "Spies Among Us: How To Stop the Spies, Terrorists, Hackers and Criminals You Don't Even Know You Encounter Every Day" (Wiley).
Winkler is called "the modern-day James Bond," partly because he took just half a day to steal nuclear energy secrets from a government contractor that had hired him to test its security system. And he didn't do it by just lucking into a sleepy front-gate guard. Winkler was able to walk into the facility, and with a lot of confidence and a little deception, get a photo I.D. badge, riffle files and take documents, get buzzed past security doors into IT, log onto secured computers and copy top-secret information.
"The public thinks spies kill people, blow things up, infiltrate the enemy's ranks and chase the enemies," Winkler says with a laugh. What spies really do is determine requirements (what needs to be discovered), collect and analyze information and re-evaluate needs. "Collection seems like the focus, but deciding on requirements and what should be analyzed is crucial," Winkler explains.
One rule of the super-spy — "get insiders to provide information to you; infiltrate the enemy only if that doesn't work" — is the bulwark of much of today's identity theft. And getting confidential financial and technical information right from the source is simpler than you think. Most hackers and spies don't have special aptitude for intelligence theft. What they do have is (a) some sort of training and (b) the willingness to do as trained over and over again — what Winkler calls "the repeatable process required for expertise." If you understand this basic formula, you can excel at either breaking into or protecting computer security systems, he adds.
Borrow other tricks of the spy's trade to make your system less vulnerable. For instance, the best spy realizes he or she must be right 100 percent of the time, while an adversary must only be right once, Winkler says. Another valuable lesson: different information deserves different levels of protection. For instance, as an NSA analyst, Winkler hauled around lots of secret documents. A colleague told him to FedEx the materials to his next destination instead of carrying them with him. In contrast, top-secret information was not to be shipped. A company's information security needs can be evaluated in similar fashion. What should be protected versus what must be protected? "Technology is only important in that it provides access," Winkler explains. "Spies focus on information."
Risk management is another concept that the super-spies have nailed. Analyze the risk of a particular project or facility by comparing its threat vulnerability to its value. Threats, like hackers, are only threats if you have a vulnerability, he explains. Value is defined as the worth of the information. "Countermeasures can mitigate threat or mitigate vulnerability — this is the bulk of spy work," Winkler continues. "Background checks mitigate a threat. Password security mitigates vulnerability. Security is implementation of a program to mitigate vulnerability."
Most American companies worry too much about hackers, he told a ballroom of IT professionals attending the third annual Security Symposium in Tempe, Ariz. Sponsored by the Center for Advancing Business Through Information Technology at Arizona State University, the recent event drew more than 200 people. Winkler's advice: "Don't worry about (hackers). Focus on 'where am I most likely to be attacked? Where am I vulnerable?' Spies acknowledge The Threat as a given. It's irrelevant."
That's not to say hackers aren't doing you deadly harm right now, though. When Winkler is hired to do a random penetration test for a client, "more than 50 percent of the time, I find criminal activity going on," he notes. Threats are only irrelevant when you've protected your vulnerabilities — and most firms are woefully vulnerable. So what's the answer? "Countermeasures," he says. "Countermeasures on your most vulnerable areas."
Winkler — who says the real James Bond wasn't a very good spy — says countermeasures can include counterintelligence, staying informed on the latest viruses and worms and, above all, being in complete control of your company's system access. Winkler once posed as a temporary worker for a large employer known for having tight security. The firm hired him to test all levels of security. In a day and a half, he'd breached firewalls, cracked passwords and physically arrived at the company's most restricted area. While cruising around the customer's computer system, he noticed a super-user was logged on from India; Winkler had unwittingly stumbled upon a foreign spy calmly collecting data from the clueless firm.
But before you spend a lot of money on expensive software and high-cost consultants, use your common sense to do a gap analysis of your firm's overall information security. Does the publicly accessible company Web site list the names and titles of project managers, along with project descriptions? How about the in-house newsletter? Winkler found a generic password in one company's newsletter; the author included it in a project synopsis, encouraging other employees to check out the cyber version. What about your employee passwords? Too many companies still use the "first initial, last name" model. What about walk-through security? Are confidential documents left out on employee desks, or in unlocked filing cabinets? Are boxes of data-rich floppy disks or CDs shoved under desks or on top of PCs?
Once you've eliminated these sorts of security gaps, dedicate actual countermeasure resources to protect the most important vulnerabilities, Winkler says. "More countermeasures equal lower vulnerability. Figure out loss you're willing to live with — potential loss should drive your security budget."