Slashdot Mirror


Former NSA Honcho Calls Corporate IT Security "Appalling"

Nerval's Lobster writes "Former NSA technology boss Prescott Winter has a word for the kind of security he sees even at large, technologically sophisticated companies: Appalling. Companies large enough to afford good security remain vulnerable to hackers, malware and criminals because they tend to throw technological solutions at potential areas of risk rather than focusing on specific and immediate threats, Winter said during his keynote speech Oct. 1 at the Splunk Worldwide User's Conference in Las Vegas. 'As we look at the situation in the security arena we see an awful lot of big companies – Fortune 100-level companies – with, to be perfectly candid, appalling security. They have fundamentally no idea what they're doing,' Winter said, according to a story in U.K. tech-news site Computing. During almost 28 years at the National Security Agency (NSA), Winter established the spy agency's Technology Directorate and served as the agency's first CTO. He also held positions as the NSA's CIO, its deputy chief of Defensive Information Operations and, oddly, as chief of Customer Response. He is currently managing director of Chertoff Group, the strategic management and security consultancy established by Michael Chertoff, secretary of the Dept. of Homeland Security under Pres. George W. Bush and co-author of the USA Patriot Act."

1 of 174 comments

  1. Re:No Shit, Sherlock by girlintraining · Score: 5, Interesting

    Given that half of Slashdot works in corporate IT I'm sure we're all shocked by this announcement.

    Yeah, and we all know who to blame. (looks ominously upward) The irony here is that corporate IT is even more into surveillance and CYA than the former NSA guy is. I mean, the NSA has rules and shit to follow. Management at a company these days is likely to be all "Yo, we do whatever we want. You dun like it? Dere's da fuckin' door." (sorry, Jersey accents are really hard to do in Slashdot forum posts)

    As an experiment I once sent an e-mail out from my last employer containing about 5KB of randomly generated gibberish to an e-mail address, set up specially and never used before, on a server that didn't have an SMTP server prior to the test balloon. Over the next three days, this previously unused and unloved honeypot got dozens of pings from the corporate network from people trying to log in to SSH, poke at the SMTP server, and look for web services. I sent it from a Gmail account specially set up ahead of time, then logged in over a supposedly secure 'SSL' connection.

    Similar things have happened at 7 out of 10 employers I've worked for. They don't just monitor all your stuff... they actively go out and fuck with it. And the only reason this isn't a problem is because they're so terrifyingly bad at it.

    --
    #fuckbeta #iamslashdot #dicemustdie