Slashdot Mirror


Former NSA Honcho Calls Corporate IT Security "Appalling"

Nerval's Lobster writes "Former NSA technology boss Prescott Winter has a word for the kind of security he sees even at large, technologically sophisticated companies: Appalling. Companies large enough to afford good security remain vulnerable to hackers, malware and criminals because they tend to throw technological solutions at potential areas of risk rather than focusing on specific and immediate threats, Winter said during his keynote speech Oct. 1 at the Splunk Worldwide User's Conference in Las Vegas. 'As we look at the situation in the security arena we see an awful lot of big companies – Fortune 100-level companies – with, to be perfectly candid, appalling security. They have fundamentally no idea what they're doing,' Winter said, according to a story in U.K. tech-news site Computing. During almost 28 years at the National Security Agency (NSA), Winter established the spy agency's Technology Directorate and served as the agency's first CTO. He also held positions as the NSA's CIO, its deputy chief of Defensive Information Operations and, oddly, as chief of Customer Response. He is currently managing director of Chertoff Group, the strategic management and security consultancy established by Michael Chertoff, secretary of the Dept. of Homeland Security under Pres. George W. Bush and co-author of the USA Patriot Act."

2 of 174 comments

  1. Re:No Shit, Sherlock by Kazoo the Clown · Score: 5, Informative

    You got that right. Security is hard. Security is expensive. Security does not improve profits (as long as they continue to be lucky). The company that spends money on security while their competitors are not, will lose out. Therefore, who needs it? There's no sense of living dangerously without some really spectacular examples...

  2. Re:No, really? by MrNemesis · Score: 4, Informative

    You've been modded funny, but it's more +1 Insightful, -2 Depressing.

    I've had several calls from my bank that basically go like this:
    GB: "Hello, I'm calling from Generic Bank regarding your account, in order to verify your identity as the account holder can I ask you to confirm your name, date of birth and account number please?"
    MN: "Sure"
    GB: "..."
    MN: "Well are you going to tell me?"
    GB: "Sorry sir, you need to tell me that information"
    MN: "And how do I know you're not a scammer?"
    GB: "Because I'm calling from Generic Bank"
    MN: "I'm not going to give any information to an unsolicited caller asking me for my bank details. Are you going to tell me what this call is about?"
    GB: "I'm afraid I can only do that with the verified account holder"
    MN: "And who is that?"
    GB: "I'm afraid I can't tell you until you tell me, but I can assure you I am calling from Generic Bank"
    MN: "And I can assure you I didn't take a shit in your cornflakes but that doesn't necessarily make it true, does it?"
    *click*

    Yes, these calls really were from the bank because every time this happens I walk into a branch and ask a) why I was called and b) why they still haven't fixed this utterly moronic behaviour. Don't even get me started on the almost complete and utter lack of two-factor auth for online banking as well as the utterly ridiculous password requirements. About 5 years back my bank said I could have a current account with an RSA key... the catch was it had to have at least £50,000 in it. I think it's only within the last year or so they've brought in two-factor auth for us mere peons, and yet you're apparently still able to reset your account with "security questions". When I tried to set answers that were purposefully incorrect (e.g. for "memorable place" you might choose to give "Marvin's turgid bowling average") I was told I wasn't allowed to do that so I cancelled the whole process. Asinine.

    I haven't given the name of my bank, because they all seem equally shitty in this regard.

    --
    Moderation Total: -1 Troll, +3 Goat
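The bank call in the comment above is a one-way authentication protocol: the caller demands proof of identity from the customer while offering none of its own, so anyone who recites the same script can harvest name, date of birth and account number. The following is an added example, not code from the original post or from any bank; it models both parties as objects and contrasts the one-way script with a mutual version in which the customer issues a fresh challenge and the caller must answer it with a secret shared at account opening before anything is disclosed. The customer data, the shared secret and the HMAC construction are assumptions for illustration.

```python
"""Phone-call authentication modelled as a two-party exchange.

One-way: whoever rings asks the customer to prove identity; the customer
has no way to check the caller.  Mutual: the customer challenges first and
the caller must prove knowledge of a shared secret before disclosure.
All names, the shared secret and the HMAC tag format are assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

TAG_CONTEXT = b"bank-to-customer|"   # binds the proof to this direction of the call


@dataclass
class Customer:
    name: str
    dob: str
    account: str
    shared_secret: bytes    # assumed: agreed in-branch, never spoken on a call

    def answer_one_way(self, caller) -> str:
        """Today's script: whoever rings gets the identity data on request."""
        return caller.receive_identity(self.name, self.dob, self.account)

    def answer_mutual(self, caller) -> str:
        """Customer challenges first; caller must prove it holds the secret."""
        nonce = secrets.token_bytes(16)           # fresh per call, defeats replay
        proof = caller.prove(nonce)
        expected = hmac.new(self.shared_secret, TAG_CONTEXT + nonce,
                            hashlib.sha256).digest()
        if proof is None or not hmac.compare_digest(proof, expected):
            return "hung up: caller could not prove it is the bank"
        return caller.receive_identity(self.name, self.dob, self.account)


class GenericBank:
    """Legitimate caller: holds the customer's shared secret."""

    def __init__(self, shared_secret: bytes):
        self._secret = shared_secret

    def prove(self, nonce: bytes) -> bytes:
        return hmac.new(self._secret, TAG_CONTEXT + nonce, hashlib.sha256).digest()

    def receive_identity(self, name, dob, account) -> str:
        return f"verified {name}, proceeding with the call"


class Scammer:
    """Impersonator: recites the same script but holds no secret."""

    def __init__(self):
        self.harvested = []

    def prove(self, nonce: bytes) -> bytes:
        return secrets.token_bytes(32)            # a blind guess at a 256-bit tag

    def receive_identity(self, name, dob, account) -> str:
        self.harvested.append((name, dob, account))
        return "thank you, now let me read you a fake fraud alert..."


def run_scenarios():
    """Run all four caller/protocol combinations; return outcomes and what the scammer got."""
    secret = secrets.token_bytes(32)
    # Constructed sample data, not a real customer.
    customer = Customer("A. Customer", "1970-01-01", "12345678", secret)
    bank, scammer = GenericBank(secret), Scammer()
    results = {
        "one_way_bank": customer.answer_one_way(bank),
        "one_way_scammer": customer.answer_one_way(scammer),
        "mutual_bank": customer.answer_mutual(bank),
        "mutual_scammer": customer.answer_mutual(scammer),
    }
    return results, scammer.harvested


if __name__ == "__main__":
    outcomes, stolen = run_scenarios()
    for scenario, outcome in outcomes.items():
        print(f"{scenario:16} -> {outcome}")
    print("scammer harvested:", stolen)
```

The ordering is the whole point: in the mutual version the party that initiated the call proves itself first, so a cold caller who cannot answer the challenge learns nothing. In practice banks avoid the shared-secret machinery by telling customers to hang up and ring the number printed on their card, which achieves the same thing through a channel the customer controls; the comment's complaint is that the script on the page does neither.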