Slashdot Mirror


Former NSA Honcho Calls Corporate IT Security "Appalling"

Nerval's Lobster writes "Former NSA technology boss Prescott Winter has a word for the kind of security he sees even at large, technologically sophisticated companies: Appalling. Companies large enough to afford good security remain vulnerable to hackers, malware and criminals because they tend to throw technological solutions at potential areas of risk rather than focusing on specific and immediate threats, Winter said during his keynote speech Oct. 1 at the Splunk Worldwide User's Conference in Las Vegas. 'As we look at the situation in the security arena we see an awful lot of big companies – Fortune 100-level companies – with, to be perfectly candid, appalling security. They have fundamentally no idea what they're doing,' Winter said, according to a story in U.K. tech-news site Computing. During almost 28 years at the National Security Agency (NSA), Winter established the spy agency's Technology Directorate and served as the agency's first CTO. He also held positions as the NSA's CIO, its deputy chief of Defensive Information Operations and, oddly, as chief of Customer Response. He is currently managing director of Chertoff Group, the strategic management and security consultancy established by Michael Chertoff, secretary of the Dept. of Homeland Security under Pres. George W. Bush and co-author of the USA Patriot Act."


  1. No Shit, Sherlock by thatkid_2002 · · Score: 5, Funny

    Given that half of Slashdot works in corporate IT I'm sure we're all shocked by this announcement.

    1. Re:No Shit, Sherlock by Kazoo the Clown · · Score: 5, Informative

      You got that right. Security is hard. Security is expensive. Security does not improve profits (as long as they continue to be lucky). The company that spends money on security while their competitors are not, will lose out. Therefore, who needs it? There's no sense of living dangerously without some really spectacular examples...

    2. Re:No Shit, Sherlock by girlintraining · · Score: 5, Interesting

      Given that half of Slashdot works in corporate IT I'm sure we're all shocked by this announcement.

      Yeah, and we all know who to blame. (looks ominously upward) The irony here is that corporate IT is even more into surveillance and CYA than the former NSA guy is. I mean, the NSA has rules and shit to follow. Management at a company these days is likely to be all "Yo, we do whatever we want. You dun like it? Dere's da fuckin' door." (sorry, Jersey accents are really hard to do on slashdot forum posts)

      As an experiment I once sent an e-mail out from my last employer containing about 5KB of randomly generated gibberish to an e-mail address, set up so that it had never been used before, on a server that didn't have an SMTP server prior to the test balloon. Over the next three days, this previously unused and unloved honeypot got dozens of pings from the corporate network from people trying to log in to the SSH, poke at the SMTP server, looking for web services. I sent it from a gmail account specially set up ahead of time, then logged in over a supposedly secure 'ssl' connection.

      Similar has happened at 7 out of 10 employers I've worked for. They don't just monitor all your stuff...they actively go out and fuck with it. And the only reason this isn't a problem is because they're so terrifyingly bad at it.

      --
      #fuckbeta #iamslashdot #dicemustdie
    3. Re:No Shit, Sherlock by InTheSwiss · · Score: 5, Insightful

      Having worked at several blue chips all anybody cares about is the appearance of security (i.e. security theatre) enough to cover them for audits and compliance. There is no real security in place in most places. Like you say security is hard and expensive. They don't want to make life harder than the minimum.

    4. Re:No Shit, Sherlock by The_Other_Kelly · · Score: 5, Insightful

      Actually Man-in-the-Middle transparent proxies, which intercept and monitor SSL/TLS traffic, are now standard in most corps. You don't get a browser alert since the corporate "fake" CA is pre-installed as trusted in your browsers by the corp's IT.

      So, yes, basically ... there *is* no encryption and they look at everything.

      Oh! And using Cisco "policy based routing", or WCCP2 or other networking mojo, you cannot decide to skip the proxy from your client.

      And ... using Deep Packet Inspection, the protocol will not just be matched versus the destination port, so your genius attempts to ssh to your external server running on tcp/443 will not only be blocked, you will be flagged and tagged.

      Solution? Just use your own equipment with either built-in 3/4G connections, or just tether across your personal phone.

      Caesar and Rome ...

      --
      (R)ule in Hell or (S)erve in Heaven [R]?
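As an added illustration (not from the thread or any poster), here is a toy content-based classifier in the spirit of the Deep Packet Inspection described above: it identifies SSH, TLS and HTTP from the first bytes a client sends and flags a mismatch with the destination port, such as an SSH banner arriving on tcp/443. The sample payloads and the port-to-protocol table are constructed for the example.

```python
import struct

# Assumption: a content-aware inspector keys on protocol signatures rather than
# trusting the destination port. These three signatures are deliberately minimal.
TLS_HANDSHAKE_RECORD = 0x16
TLS_RECORD_VERSIONS = {0x0301, 0x0302, 0x0303, 0x0304}  # legacy_version values seen in ClientHello records
HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"CONNECT")


def classify_payload(payload: bytes) -> str:
    """Guess the application protocol from the first bytes of a TCP stream."""
    if payload.startswith(b"SSH-"):  # RFC 4253 identification string, sent by both peers
        return "ssh"
    if len(payload) >= 3 and payload[0] == TLS_HANDSHAKE_RECORD:
        (version,) = struct.unpack("!H", payload[1:3])
        if version in TLS_RECORD_VERSIONS:
            return "tls"
    first_line = payload.split(b"\r\n", 1)[0]
    if any(first_line.startswith(m + b" ") for m in HTTP_METHODS):
        return "http"
    return "unknown"


# Constructed policy table: what a port is expected to carry.
EXPECTED_ON_PORT = {22: {"ssh"}, 80: {"http"}, 443: {"tls"}}


def inspect_flow(dst_port: int, payload: bytes) -> dict:
    """Flag a flow whose recognised protocol contradicts the destination port.
    Unrecognised content is reported but not flagged, to limit false positives."""
    proto = classify_payload(payload)
    expected = EXPECTED_ON_PORT.get(dst_port)
    flagged = expected is not None and proto != "unknown" and proto not in expected
    return {"port": dst_port, "protocol": proto, "flagged": flagged}


# Constructed sample flows: first client bytes after the TCP handshake.
SAMPLE_FLOWS = [
    (443, bytes([0x16, 0x03, 0x01, 0x00, 0xF4, 0x01]) + b"\x00" * 10),  # TLS ClientHello prefix
    (443, b"SSH-2.0-OpenSSH_8.9\r\n"),  # SSH banner on the HTTPS port: the case the comment describes
    (22, b"SSH-2.0-OpenSSH_8.9\r\n"),
    (80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
]


def run_samples() -> list:
    return [inspect_flow(port, data) for port, data in SAMPLE_FLOWS]


if __name__ == "__main__":
    for result in run_samples():
        print(result)
```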
  2. Re:I can confirm this by phantomfive · · Score: 5, Insightful

    In my experience, it's much more rare to find a company that knows about security than to find one that doesn't.

    Most of them don't. Sometimes the companies that do know just consider it a risk of doing business, easier to pay when things go wrong than to try to secure it. An example of this is credit card companies. Bruce Schneier points out that he would never trust a credit card online because of the security holes, except they promise to reimburse him when things go wrong.

    --
    "First they came for the slanderers and i said nothing."
  3. Couple Ways You Could Fix That by Greyfox · · Score: 5, Funny

    You could just improve security, but that's hard. Alternately, you could just have such a shitty IT infrastructure that nothing ever works! This has many advantages! Lower IT costs, for one, and servers that are broken are in fact VERY secure! Very, VERY secure! So if you're in IT, next time someone bitches at you about some resource being down, just say it's "security hardening"!

    --
    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  4. Re:I can confirm this by TheSeatOfMyPants · · Score: 5, Insightful

    There is ZERO loyalty, you could put in 80 hour weeks and they'd fuck you over or outsource your job the second they get a chance, and no matter what you do it's not good enough...

    That's the corporate world regardless of what department someone is in. It's one of the big reasons that life here in the USA has changed for the worse, as the detrimental effects of living that way eventually invade just about every other aspect of daily life. Hard to care what happens to other people/families when some part of you is persistently fatigued from overwork/stress & worried that you could easily wake up tomorrow to find yourself unemployed and fighting for anything that might pay the bills...

    --
    Now mostly at Usenet:comp.misc & SoylentNews.org (it's made of people!)