Slashdot Mirror


Former NSA Honcho Calls Corporate IT Security "Appalling"

Nerval's Lobster writes "Former NSA technology boss Prescott Winter has a word for the kind of security he sees even at large, technologically sophisticated companies: Appalling. Companies large enough to afford good security remain vulnerable to hackers, malware and criminals because they tend to throw technological solutions at potential areas of risk rather than focusing on specific and immediate threats, Winter said during his keynote speech Oct. 1 at the Splunk Worldwide User's Conference in Las Vegas. 'As we look at the situation in the security arena we see an awful lot of big companies – Fortune 100-level companies – with, to be perfectly candid, appalling security. They have fundamentally no idea what they're doing,' Winter said, according to a story in U.K. tech-news site Computing. During almost 28 years at the National Security Agency (NSA), Winter established the spy agency's Technology Directorate and served as the agency's first CTO. He also held positions as the NSA's CIO, its deputy chief of Defensive Information Operations and, oddly, as chief of Customer Response. He is currently managing director of Chertoff Group, the strategic management and security consultancy established by Michael Chertoff, secretary of the Dept. of Homeland Security under Pres. George W. Bush and co-author of the USA Patriot Act."

26 of 174 comments

  1. I can confirm this by Anonymous Coward · · Score: 4, Insightful

    In companies great and small, there is a long history of an appalling lack of, and apathy toward, security. It goes back 30 years. Unfortunately I have to say so anonymously.

    1. Re:I can confirm this by phantomfive · · Score: 5, Insightful

      In my experience, it's much more rare to find a company that knows about security than to find one that doesn't.

      Most of them don't. Sometimes the companies that do know just consider it a risk of doing business, easier to pay when things go wrong than to try to secure it. An example of this is credit card companies. Bruce Schneier points out that he would never trust a credit card online because of the security holes, except they promise to reimburse him when things go wrong.

      --
      "First they came for the slanderers and i said nothing."
    2. Re:I can confirm this by hairyfeet · · Score: 4, Insightful

      It's really simple: REAL security costs good money, takes real time and effort and doesn't show immediate results on the bottom line, so most companies? Just don't give a fuck. Call it "the rise of MBA (Major Buffoons and Assholes) culture" or the "fuck everything but the quarterly earnings!" attitude or anything you like; if it doesn't show profits quickly? They don't care. See how frankly piss poor IT is treated by many corps; "cogs that suck money and don't generate profits" seems to be the way most PHBs treat IT, which is always underfunded, understaffed, and overworked.

      Even with the downturn I don't think I could go back to dealing with that bullshit, I'd play C&W in a shitty redneck bar before I go back to the bad treatment and constant headaches that is IT in most of the big firms I've seen. There is ZERO loyalty, you could put in 80 hour weeks and they'd fuck you over or outsource your job the second they get a chance, and no matter what you do it's not good enough... fuck that. If it's like the way it was when I was working corporate, and I've seen nothing to make me think it isn't, it's no wonder the security is poor; most are so overworked they are too busy fighting fires or worrying about whether their job will be sent to India or given to an H1-B to spend any real time worrying about security. And of course if you actually DO make changes that increase security? You'll have a dozen PHBs screaming at you because the iPad they picked up over the weekend doesn't magically work when they walk into the building. I wouldn't take another job in corp IT for all the tea in China, no way.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    3. Re:I can confirm this by phantomfive · · Score: 4, Insightful

      Even with the downturn I don't think I could go back to dealing with that bullshit, I'd play C&W in a shitty redneck bar before I go back to the bad treatment and constant headaches that is IT in most of the big firms I've seen.

      Become a security consultant and charge four times as much. Then you can make money off their foolishness. The more foolish they are, the more you make. The less foolish they are, the more you help them.

      --
      "First they came for the slanderers and i said nothing."
    4. Re:I can confirm this by symbolset · · Score: 4, Funny

      In my experience revealing what you really know about systems security is a guaranteed way to lose the job interview if you have any clue at all. The only way to help an organization get real operations security is to worm your way in under false pretenses and then gradually migrate them to a secure position. An MCSE cert helps here, as it drives away suspicion that you might actually know what you're doing.

      --
      Help stamp out iliturcy.
    5. Re:I can confirm this by wisty · · Score: 4, Insightful

      It's not about "real security" (which is too nebulous). They do make an effort, and spend lots of money ... on a big firewall to protect the whole org.

      It's about protecting specific assets. For example, you can take the whole NSA offline, which is a fantastic moat. But if one single insider can get root access to basically anything he wants, it's not protecting core assets.

      Most businesses are even worse - high risk assets can be sitting on a shared drive where everyone in the company can access them.

    6. Re:I can confirm this by TheSeatOfMyPants · · Score: 5, Insightful

      There is ZERO loyalty, you could put in 80 hour weeks and they'd fuck you over or outsource your job the second they get a chance, and no matter what you do its not good enough.....

      That's the corporate world regardless of what department someone is in. It's one of the big reasons that life here in the USA has changed for the worse, as the detrimental effects of living that way eventually invade just about every other aspect of daily life. Hard to care what happens to other people/families when some part of you is persistently fatigued from overwork/stress & worried that you could easily wake up tomorrow to find yourself unemployed and fighting for anything that might pay the bills...

      --
      Now mostly at Usenet:comp.misc & SoylentNews.org (it's made of people!)
    7. Re:I can confirm this by aaronb1138 · · Score: 4, Interesting

      Don't forget the part where the MBAs aren't even afraid of security issues coming back to bite them. If the issues snowball hard enough, they just go on a huge spending spree for 6 months, bankrupt and phoenix the company. Ignoring security and legal liability in general has become status quo because being responsible has a negative cost to benefit ratio especially compared to the government backed reincorporation procedure.

    8. Re:I can confirm this by JaredOfEuropa · · Score: 4, Interesting

      In my experience it is rare to find a company that does IT well in general. Many aspects of IT are hard (including security), and hard to run well as an assembly line, i.e. managing by job compartmentalization, dashboards and processes (management "by the numbers"). I'm not sure why that is, but I often see two areas where IT does very, very poorly compared to other technical or engineering functions.
      1) Poor middle management. Many of them are either IT people with poor management skills, or good general managers with no IT skills.
      2) Failing talent management. Failure to attract top people, no coaching, poor training, lack of talent recognition (I don't just mean good pay, I mean knowing who your best people are and allocating that talent accordingly), and lack of a decent technical career ladder.

      The biggest challenge in IT is not technology, and it hasn't been that in ages. It's management, or rather: figuring out how to do IT well, how to organize it.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    9. Re:I can confirm this by Tom · · Score: 4, Interesting

      In my experience, it's much more rare to find a company that knows about security than to find one that doesn't.

      They are actually pretty easy to find.

      If they have more than about 500 employees, check if they have an official IT security position. Might be some guy doing other stuff in addition, but he's got to be the official IT security guy.

      If they have more than about 1000 employees, check if they have an IT security department with at least one full-time employee.

      If they have more than 2000 employees, check if they have a CSO or CISO.

      If they have one, you just need to verify that it's not an alibi position to satisfy some compliance rules. If they don't, you already know they have no clue.

      Business can always be estimated by checking if they commit to a regular expense on a topic. Occasional security checks mean nothing, they're usually done when someone needs to cover their asses. A permanent financial commitment is the only thing that means something in a business context.

      --
      Assorted stuff I do sometimes: Lemuria.org
  2. No Shit, Sherlock by thatkid_2002 · · Score: 5, Funny

    Given that half of Slashdot works in corporate IT I'm sure we're all shocked by this announcement.

    1. Re:No Shit, Sherlock by Kazoo+the+Clown · · Score: 5, Informative

      You got that right. Security is hard. Security is expensive. Security does not improve profits (as long as they continue to be lucky). The company that spends money on security while their competitors are not, will lose out. Therefore, who needs it? There's no sense of living dangerously without some really spectacular examples...

    2. Re:No Shit, Sherlock by girlintraining · · Score: 5, Interesting

      Given that half of Slashdot works in corporate IT I'm sure we're all shocked by this announcement.

      Yeah, and we all know who to blame. (looks ominously upward) The irony here is that corporate IT is even more into surveillance and CYA than the former NSA guy is. I mean, the NSA has rules and shit to follow. Management at a company these days is likely to be all "Yo, we do whatever we want. You dun like it? Dere's da fuckin' door." (sorry, Jersey accents are really hard to do on slashdot forum posts)

      As an experiment I once sent an e-mail out from my last employer containing about 5KB of randomly generated gibberish to an e-mail address set up that had never been used before, on a server that didn't have an SMTP server prior to the test balloon. Over the next three days, this previously unused and unloved honeypot got dozens of pings from the corporate network from people trying to log in to SSH, poke at the SMTP server, or look for web services. I sent it from a gmail account specially set up ahead of time, then logged in over a supposedly secure 'ssl' connection.

      Similar has happened at 7 out of 10 employers I've worked for. They don't just monitor all your stuff...they actively go out and fuck with it. And the only reason this isn't a problem is because they're so terrifyingly bad at it.

      --
      #fuckbeta #iamslashdot #dicemustdie
    3. Re:No Shit, Sherlock by InTheSwiss · · Score: 5, Insightful

      Having worked at several blue chips, all anybody cares about is the appearance of security (i.e. security theatre), enough to cover them for audits and compliance. There is no real security in place in most places. Like you say, security is hard and expensive. They don't want to make life harder than the minimum.

    4. Re:No Shit, Sherlock by The_Other_Kelly · · Score: 5, Insightful

      Actually Man-in-the-Middle transparent proxies, which intercept and monitor SSL/TLS traffic, are now standard in most corps. You don't get a browser alert since the corporate "fake" CA is pre-installed as trusted in your browsers by the corp's IT.

      So, yes, basically ... there *is* no encryption and they look at everything.

      Oh! And using Cisco "policy based routing", or WCCP2 or other networking mojo, you cannot decide to skip the proxy, from your client.

      And ... using Deep Packet Inspection, the protocol will not just be matched versus the destination port, so your genius attempts to ssh to your external server running on tcp/443, will not only be blocked, you will be flagged and tagged.

      Solution? Just use your own equipment with either built in 3/4G connections, or just tether across your personal phone.

      Caesar and Rome ...

      --
      (R)ule in Hell or (S)erve in Heaven [R]?
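The post above describes Deep Packet Inspection matching the protocol against the content of a flow rather than its destination port. As an added example (not code from this thread or from any vendor's product), here is a toy Python classifier in that spirit: it recognises a TLS ClientHello (and pulls out its SNI) or an SSH banner from the first bytes of a flow and flags a mismatch against an assumed port policy. The ClientHello builder, the port policy and the sample flows are constructed fixtures for the demonstration.

```python
# Added example: toy DPI classifier that identifies a flow's protocol from its
# first payload bytes instead of trusting the destination port. Fixtures are constructed.

EXPECTED_ON_PORT = {443: "tls", 22: "ssh"}  # assumed policy: what each port should carry


def build_client_hello(hostname: str) -> bytes:
    """Minimal TLS ClientHello record with an SNI extension (test fixture only;
    fixed 'random' bytes and a single cipher suite, not a real client)."""
    name = hostname.encode("ascii")
    sni = (b"\x00\x00" + (len(name) + 5).to_bytes(2, "big")  # ext type, ext length
           + (len(name) + 3).to_bytes(2, "big")              # server_name_list length
           + b"\x00" + len(name).to_bytes(2, "big") + name)  # host_name entry
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"             # version, random, no session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"              # one cipher suite, null compression
            + len(sni).to_bytes(2, "big") + sni)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def parse_client_hello_sni(payload: bytes):
    """Return the SNI host ('' if absent) if payload begins with a TLS ClientHello,
    else None. Walks the fixed-layout fields to reach the extensions block."""
    if len(payload) < 6 or payload[0] != 0x16 or payload[1] != 0x03 or payload[5] != 0x01:
        return None
    hs = payload[5:]
    try:
        p = 4 + 2 + 32                                   # handshake header, version, random
        p += 1 + hs[p]                                   # session id
        p += 2 + int.from_bytes(hs[p:p + 2], "big")      # cipher suites
        p += 1 + hs[p]                                   # compression methods
        if p + 2 > len(hs):
            return ""                                    # no extensions block
        end = p + 2 + int.from_bytes(hs[p:p + 2], "big")
        p += 2
        while p + 4 <= end:
            etype = int.from_bytes(hs[p:p + 2], "big")
            elen = int.from_bytes(hs[p + 2:p + 4], "big")
            p += 4
            if etype == 0:                               # server_name extension
                name_len = int.from_bytes(hs[p + 3:p + 5], "big")
                return hs[p + 5:p + 5 + name_len].decode("ascii", "replace")
            p += elen
        return ""
    except IndexError:                                   # truncated ClientHello
        return None


def identify_protocol(payload: bytes):
    """Classify by content: ('ssh', banner), ('tls', sni) or ('unknown', '')."""
    if payload.startswith(b"SSH-"):
        banner = payload.split(b"\n", 1)[0].rstrip(b"\r")
        return "ssh", banner.decode("ascii", "replace")
    sni = parse_client_hello_sni(payload)
    return ("tls", sni) if sni is not None else ("unknown", "")


def inspect_flow(dst_port: int, payload: bytes) -> dict:
    """Flag a flow whose observed protocol differs from what the port policy expects."""
    proto, detail = identify_protocol(payload)
    expected = EXPECTED_ON_PORT.get(dst_port)
    return {"port": dst_port, "protocol": proto, "detail": detail,
            "expected": expected, "alert": expected is not None and proto != expected}


SAMPLE_FLOWS = [  # constructed: first client->server bytes of four flows
    (443, build_client_hello("intranet.example")),
    (443, b"SSH-2.0-OpenSSH_8.9\r\n"),                 # SSH hidden on the HTTPS port
    (22, b"SSH-2.0-OpenSSH_8.9\r\n"),
    (443, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),        # plaintext HTTP on 443
]

if __name__ == "__main__":
    for port, data in SAMPLE_FLOWS:
        r = inspect_flow(port, data)
        status = f"ALERT (expected {r['expected']})" if r["alert"] else "ok"
        print(f"port={port:<4} proto={r['protocol']:<8} {r['detail']!r:<22} {status}")
```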
  3. Couple Ways You Could Fix That by Greyfox · · Score: 5, Funny

    You could just improve security, but that's hard. Alternately, you could just have such a shitty IT infrastructure that nothing ever works! This has many advantages! Lower IT costs, for one, and servers that are broken are in fact VERY secure! Very, VERY secure! So if you're in IT, next time someone bitches at you about some resource being down, just say it's "security hardening"!

    --
    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  4. Most offices have normal plate-glass windows, too! by Tony+Isaac · · Score: 3, Interesting

    All it takes to break in is a hammer and 10 seconds.

    Sure, they could put in bullet-proof glass and high-security doors. But those measures are prohibitively expensive for most businesses, and still aren't foolproof.

    The same is true with computer security. There are basic precautions businesses should take, like putting all their equipment behind firewalls, for example. That's the equivalent of locking the front door. But security costs money, and makes life more difficult for those with legitimate access. These considerations must be balanced.

  5. No, really? by seebs · · Score: 4, Funny

    Banks are still using "secret questions" and claiming that's a kind of two-factor authentication. Someone I know was once told by Citi something to the effect of "well, click on the links in the email, and if it gets you to a site with our logo, then it was from us."

    And honestly, social engineering is still a huge and very easy target.

    --
    My blog: http://www.seebs.net/log/ --- My iPhone/iPad app: http://www.seebs.net/seebsfrac/
    1. Re:No, really? by MrNemesis · · Score: 4, Informative

      You've been modded funny, but it's more +1 Insightful, -2 Depressing.

      I've had several calls from my bank that basically go like this:
      GB: "Hello, I'm calling from Generic Bank regarding your account, in order to verify your identity as the account holder can I ask you to confirm your name, date of birth and account number please?"
      MN: "Sure"
      GB: "..."
      MN: "Well are you going to tell me?"
      GB: "Sorry sir, you need to tell me that information"
      MN: "And how do I know you're not a scammer?"
      GB: "Because I'm calling from Generic Bank"
      MN: "I'm not going to give any information to an unsolicited caller asking me for my bank details. Are you going to tell me what this call is about?"
      GB: "I'm afraid I can only do that with the verified account holder"
      MN: "And who is that?"
      GB: "I'm afraid I can't tell you until you tell me, but I can assure you I am calling from Generic Bank"
      MN: "And I can assure you I didn't take a shit in your cornflakes but that doesn't necessarily make it true, does it?"
      *click*

      Yes, these calls really were from the bank because every time this happens I walk into a branch and ask a) why I was called and b) why they still haven't fixed this utterly moronic behaviour. Don't even get me started on the almost complete and utter lack of two-factor auth for online banking as well as the utterly ridiculous password requirements. About 5 years back my bank said I could have a current account with an RSA key... the catch was it had to have at least £50,000 in it. I think it's only within the last year or so they've brought in two-factor auth for us mere peons, and yet you're apparently still able to reset your account with "security questions". When I tried to set answers that were purposefully incorrect (e.g. for "memorable place" you might choose to give "Marvin's turgid bowling average") I was told I wasn't allowed to do that so I cancelled the whole process. Asinine.

      I haven't given the name of my bank, because they all seem equally shitty in this regard.

      --
      Moderation Total: -1 Troll, +3 Goat
  6. Re:SO WHY DID IT TAKE A SNOWDEN . . . !! by thesupraman · · Score: 4, Insightful

    It seems we are taking the position of a man who was part of an active and systematic attack on the security of network infrastructure through planned backdooring, lowering of quality of encryption systems, and intentional hacking?

    Really? It's the corps' fault they are not secure, considering what the NSA has been up to?

    Perhaps they should have spent 10% of the effort on informing corps of the holes they found instead of just squirreling them away in the grab bag of dirty tricks.

    If it suddenly matters so much, then please, make public the details of ALL known security holes, and inform all victims of the backdooring done to their systems.

    No? Thought not.

  7. Give me a break. by Anonymous Coward · · Score: 3, Informative

    He's keynoting at a major security vendor conference. Having done so myself, the goal and focus is ALWAYS to spread FUD to sell software and services. This industry survives off of fear mongering. That's not to say there aren't problems, but when you're paid tens/hundreds of thousands of dollars to keynote on behalf of a vendor, you generally have an unwritten agreement to paint the most dramatic picture possible.

  8. My experience is slightly different. by khasim · · Score: 4, Insightful

    In my experience, it's much more rare to find a company that knows about security than to find one that doesn't.

    In my experience it is more about the managers and CxOs viewing it as a status issue. They are so important that they cannot be hampered by the demands of the lowly IT people. And the same goes for their people.

    Security is IT's problem and if something goes wrong then it is the IT people who will be fired. Starting with the ones who were the loudest about there being a problem in the first place.

    After all, other companies don't have those problems. So it must be because the IT people are incompetent.

  9. With Windows Backdoored, What's the Point? by Jimbookis · · Score: 4, Interesting

    Given the creator of Windows and the US government can, sufficiently compelled, walk into any Windows system that is internet connected at any time they desire, what's the frickin' point? Everything else is security theatrics. Do what the old security honcho of MS has done and drop out.

  10. There's no real cost for corporate security failure by Required+Snark · · Score: 3, Interesting

    In practice, businesses have no meaningful liability for any software failures. And by liability, I mean facing serious consequence, like destroying the business.

    Four letters say it all: EULA. You can sell software that bricks a piece of hardware, and the worst you'll have to do is refund the purchase price. Most of the time, all you have to do is issue a credit, so the customer/sucker gives you more money.

    Someone breaks into a server farm and steals credit card info and passwords that are stored in a non-encrypted format? Just send out a warning. It's not like you can get sued or anything.

    Big defense contractors are leaking classified information like a sieve. It's so bad that the US President had to whine to the Chinese President about cyber spying industrial espionage. Has any defense contractor lost a contract or been fined for these screw ups? Of course not.

    Heck, there were images this week from an exposition of Chinese built unmanned aircraft in Beijing, and they had a Predator drone! Not just a look alike, it had the same mounting for the optical sensor pod on the bulging nose, chines, V-tail, etc. I would be completely unsurprised if they stole the plans. Apparently they have the plans for all our major weapons systems. It saves them vast effort in R&D, and they can build counter measures that they know will work. If there were any fines or actions against any corporations it was not reported anywhere.

    So given that there's no down side to committing corporate software fraud, why is anyone surprised that security is a complete joke?

    --
    Why is Snark Required?
  11. Security is possible, but you must focus. by dweller_below · · Score: 3, Informative

    I have been doing IT for 30 years. I have been doing Security for a University for about the last 15 years. I have found that security is possible, but you have to focus.

    The biggest problem is we are not taught how to do security. We are taught attack. But attack is not security. We are taught checklists, but checklists are not security.

    Security is a meaningful assurance that your goals are being accomplished. The details are transitory. But, without goals, security has no point. Sticking to your goals when attacked is the heart of defense. Ultimately, it is the only thing that matters in security. Your organization adds value by sticking to its goals. But this is more than just a matter of value added. Goals are the spirit of the organization. If you don't stick to your goals when attacked, then you have lost. The attacker may not have won, but you have lost.

    But, security folks are not taught how to support institutional goals. Instead, we are taught myriads of other things. You can see examples of the mechanics of security defeating meaningful security all over the place. One striking example is the SANS 20 Critical Controls: http://www.sans.org/critical-security-controls/ . While they contain many good points, they fail to teach security. When we analyzed them, we found that they tended to replace security process with checklist. When we had finished the evaluation process we had eliminated, reordered and replaced many of their controls. Our most important control was not even mentioned. It is:

    Critical Control 1: Unity of Vision

    Security is a MEANINGFUL Assurance that YOUR goals are being Accomplished. Most security failures are enabled and enhanced by disagreement of purpose. Are the fundamentals of management in place?

    • A. How does your organization create a sense of community?
    • B. What are your Institution's Goals?
    • C. How are those goals propagated throughout the organization?
    • D. How do your security actions promote your institutional goals?
    • E. How do your security actions provide assurance to your institution?
    • F. How does your institution reward long term loyalty?

    Another glaring omission is the complete lack of strategic thinking in the security community. Winning battles, but losing the war is our way of life. Nothing in the SANS controls guides you to ask the important questions like: "Where am I going?" and "How did I get in this handbasket?" and "Do I HAVE to eat this crap?" For our analysis of the SANS Controls, we added another Control. We valued it at number 3:

    Critical Control 3: Enable a Better Future

    This control assumes that our actions affect the future. Do your actions enable a more secure future?

    • A. How do you increase the cost of attack?
    • B. Do you report attack to the remote ISP/attacker?
    • C. How do you coordinate with law enforcement?
    • D. How do you decrease the cost of defense for yourself and others?
    • E. How do you reduce the motivation for local attack?
    • F. Do you disclose vulnerabilities to others? If so, will your institution protect its people when others attempt to punish disclosure?
    • G. Do you facilitate others disclosing vulnerabilities to you?
    • H. Do you help your peers improve their security?

    The SANS 20 Controls were originally written by the NSA for the Department of Defense: http://www.sans.org/critical-security-controls/history.php The recent NSA disclosures make me wonder if maybe they are flawed, because the NSA simply doesn't value effective security?

  12. pot calling kettle by Anonymous Coward · · Score: 4, Insightful

    Is this the same company that employed Edward Snowden as a sysadmin, allowed him to elevate his authority and then download documents that he was not supposed to... So Prescott Winter was CTO and was finally responsible for internal IT security. Talk about a pot calling a kettle.....