Slashdot Mirror

← Back to Stories (view on slashdot.org)

Former NSA Honcho Calls Corporate IT Security "Appalling"

Posted by samzenpus on from the is-that-better-than-terrible? dept.

Nerval's Lobster writes "Former NSA technology boss Prescott Winter has a word for the kind of security he sees even at large, technologically sophisticated companies: Appalling. Companies large enough to afford good security remain vulnerable to hackers, malware and criminals because they tend to throw technological solutions at potential areas of risk rather than focusing on specific and immediate threats, Winter said during his keynote speech Oct. 1 at the Splunk Worldwide User's Conference in Las Vegas. 'As we look at the situation in the security arena we see an awful lot of big companies – Fortune 100-level companies – with, to be perfectly candid, appalling security. They have fundamentally no idea what they're doing,' Winter said, according to a story in U.K. tech-news site Computing. During almost 28 years at the National Security Agency (NSA), Winter established the spy agency's Technology Directorate and served as the agency's first CTO. He also held positions as the NSA's CIO, its deputy chief of Defensive Information Operations and, oddly, as chief of Customer Response. He is currently managing director of Chertoff Group, the strategic management and security consultancy established by Michael Chertoff, secretary of the Dept. of Homeland Security under Pres. George W. Bush and co-author of the USA Patriot Act."

11 of 174 comments (clear)

  1. I can confirm this by Anonymous Coward · · Score: 4, Insightful

    In companies great and small, a long history of appalling lack of and apathy for security. Goes back 30 years. Unfortunately I have to say so anonymously.

    1. Re:I can confirm this by phantomfive · · Score: 5, Insightful

      In my experience, it's much more rare to find a company that knows about security than to find one that doesn't.

      Most of them don't. Sometimes the companies that do know just consider it a risk of doing business, easier to pay when things go wrong than to try to secure it. An example of this is credit card companies. Bruce Schenier points out that he would never trust a credit card online because of the security holes, except they promise to reimburse him when things go wrong.

      --
      "First they came for the slanderers and i said nothing."
    2. Re:I can confirm this by hairyfeet · · Score: 4, Insightful

      Its really simple, REAL security costs good money, takes real time and effort and doesn't show immediate results on the bottom line so most companies? Just don't give a fuck. Call it "the rise of MBA (Major Buffons and Assholes) culture" or the "fuck everything but the quarterly earnings!" attitude or anything you like, if it doesn't show profits quickly? they don't care. See how frankly piss poor IT is treated by many corps, "cogs that suck money and don't generate profits" seem to be the way most PHBs treat IT, which is always underfunded, understaffed, and overworked.

      Even with the downturn i don't think I could go back to dealing with that bullshit, I'd play C&W in a shitty redneck bar before i go back to the bad treatment and constant headaches that is IT in most of the big firms I've seen. There is ZERO loyalty, you could put in 80 hour weeks and they'd fuck you over or outsource your job the second they get a chance, and no matter what you do its not good enough....fuck that. If its like the way it was when i was working corporate, and I've seen nothing to make me think it isn't, its no wonder the security is poor, most are so overworked they are too busy fighting fires or worrying about whether their job will be sent to India or given to an H1-B to spend any real time worrying about security. and of course if you actually DO make changes that increase security? You'll have a dozen PHBs screaming at you because the ipad they picked up over the weekend doesn't magically work when they walk into the building. i wouldn't take another job in corp IT for all the tea in China, no way.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    3. Re:I can confirm this by phantomfive · · Score: 4, Insightful

      Even with the downturn i don't think I could go back to dealing with that bullshit, I'd play C&W in a shitty redneck bar before i go back to the bad treatment and constant headaches that is IT in most of the big firms I've seen.

      Become a security consultant and charge four times as much. Then you can make money off their foolishness. The more foolish they are, the more you make. The less foolish they are, the more you help them.

      --
      "First they came for the slanderers and i said nothing."
    4. Re:I can confirm this by wisty · · Score: 4, Insightful

      It's not about "real security" (which is too nebulous). They do make an effort, and spend lots of money ... on a big firewall to protect the whole org.

      It's about protecting specific assets. For example, you can take the whole NSA offline, which is a fantastic moat. But if one single insider can get root access to basically anything he wants, it's not protecting core assets.

      Most businesses are even worse - high risk assets can be sitting on a shared drive where everyone in the company can access them.

    5. Re:I can confirm this by TheSeatOfMyPants · · Score: 5, Insightful

      There is ZERO loyalty, you could put in 80 hour weeks and they'd fuck you over or outsource your job the second they get a chance, and no matter what you do its not good enough.....

      That's the corporate world regardless of what department someone is in. It's one of the big reasons that life here in the USA has changed for the worse, as the detrimental effects of living that way eventually invade just about every other aspect of daily life. Hard to care what happens to other people/families when some part of you is persistently fatigued from overwork/stress & worried that you could easily wake up tomorrow to find yourself unemployed and fighting for anything that might pay the bills...

      --
      Now mostly at Usenet:comp.misc & SoylentNews.org (it's made of people!)
  2. Re:SO WHY DID IT TAKE A SNOWDEN . . . !!` by thesupraman · · Score: 4, Insightful

    It seems we are taking the position of a man who was part of an active and systematic attack on the security of network infrastructure through planned back dooring, lowering of quality of encryption systems, and intentional hacking?

    Really? its the corps fault they are not secure, considering what the NSA has been up to?

    Perhaps they should have spent 10% of the effort on informing corps of the holes they found instead of just squirreling them away i the grab bag of dirty tricks.

    If suddenly matters so much, then please, make public the details of ALL known security holes, and inform all victims of the backdooring done to their systems..

    No? Thought not..

  3. My experience is slightly different. by khasim · · Score: 4, Insightful

    In my experience, it's much more rare to find a company that knows about security than to find one that doesn't.

    In my experience it is more about the managers and CxO's viewing it as a status issue. They are so important that they cannot be hampered by the demands of the lowly IT people. And the same goes for their people.

    Security is IT's problem and if something goes wrong then it is the IT people who will be fired. Starting with the ones who were the loudest about there being a problem in the first place.

    After all, other companies don't have those problems. So it must be because the IT people are incompetent.

  4. Re:No Shit, Sherlock by InTheSwiss · · Score: 5, Insightful

    Having worked at several blue chips all anybody cares about is the appearance of security (i.e. security theatre) enough to cover them for audits and compliance. There is no real security in place in most places. Like you say security is hard and expensive. They don't want to make life harder than the minimum.

  5. pot calling kettle by Anonymous Coward · · Score: 4, Insightful

    Is this the same company that employed Edward Snowden as a sysadmin, allowed him to elevate his authority and then download documents that he was not supposed to... So Prescott Winter was CTO and was finally responsible for internal IT security. Talk about a pot calling a kettle.....

  6. Re:No Shit, Sherlock by The_Other_Kelly · · Score: 5, Insightful

    Actually Man-in-the-Middle transparent proxies, which intercept
    and monitor SSL/TLS traffic, are now standard in most corps.
    You don't get a browser alert since the corporate "fake" CA
    is pre-installed as trusted in your browsers by the corp's IT.

    So, yes, basically ... there *is* no encryption and they look
    at everything.

    Oh! And using Cisco "policy based routing", or WCCP2 or
    other networking mojo, you cannot decide to skip the proxy,
    from your client.

    And ... using Deep Packet Inspection, the protocol will not
    just be matched versus the destination port, so your genius
    attempts to ssh to your external server running on tcp/443,
    will not only be blocked, you will be flagged and tagged.

    Solution? Just use your own equipment with either built
    in 3/4G connections, or just tether across your personal
    phone.

    Caesar and Rome ...

    --
    (R)ule in Hell or (S)erve in Heaven [R]?