As the dust jacket of his new book reminds us, Ira Winkler has "stolen billions from corporations, lifted nuclear reactor designs in hours and hacked into multinational networks." But Winkler is no criminal. His career has taken him from the U.S. National Security Agency, where he worked as an undercover security investigator, into commerce, where he has advised companies and agencies all over the world on security matters and exposed huge gaps in their security defenses. He is a frequent conference speaker and an acknowledged expert on the subject of information security. And he is definitely a member of the white-hat community.
His new book Spies Among Us is intended to provide a comprehensive and balanced picture of all the dangers we face in protecting our information against simple accidents or full-blown terrorist attacks.
And while it includes some of the more extreme threats we might encounter, his underlying message is that most security protection is easy and based largely on good practice and common sense.
Most of the exploits he describes rely little on technical wizardry and play more on the gullibility, laziness or sheer incompetence of a workforce. The book, which has already garnered five-star reviews on Amazon.com, is packed with case studies explaining how easy it was for him to get the loot or the information he sought.
This format immediately invites comparison with another big-selling book on social engineering, Kevin Mitnick's The Art of Intrusion, but Winkler bridles at the idea that anyone could compare him and reformed felon Mitnick.
"Mitnick has proven to be an effective criminal. He demonstrates how to apply 'social engineering' to criminal goals. He does not know how to apply this to improving a security program," he said.
"When I perform my espionage simulations, I use the tactics that professional adversaries would use, seeing which countermeasures were applied and how effectively they could have been applied. In Mitnick's book, he gives case studies and then provides countermeasures.
"While they are obvious, many of them don't acknowledge the reality of security. Basically, they address malicious threats, which he limits to hackers and low-level criminals, while enabling malignant threats, which happen more frequently," he says.
Winkler's aim is to cut through the mix of glamor and panic engendered by books such as Mitnick's and to restore a sense of proportion. Spies may be among us and after our data, but they bear little resemblance to James Bond. "The NSA and CIA are much more the land of Dilbert than the land of Bond," he says.
Nevertheless, he insists real spies exist, working for state intelligence services, charged with gathering information that might be useful to their economies.
If that sounds like a flight of fancy, Winkler provides chapter and verse on the world's leading secret services.
Let's start with France: "Perhaps no U.S. ally has been more flagrant in its intelligence gathering than France," he says. "French firms regularly approach the DGSE (France's foreign intelligence agency) and request intelligence support. Each company must justify its request with specific financial criteria. If the DGSE considers the request valid, it uses its resources to get the information."
So if you are competing against French companies for business, expect them to use the power of their intelligence community to gain useful information.
The Russians, although now ostensibly allies of the West, have switched their focus from military to industrial espionage, he says. "They have well-established networks of moles and operatives throughout the world. Each agency strives to have at least one mole in every important American company."
He provides plenty of other evidence against China, Germany, Japan, Israel and even India, saying that – to some extent – they all try to steal secrets from U.S. firms to benefit their own economies.
By contrast, he claims the CIA does not use its intelligence for the benefit of American firms. "British intelligence is pretty much the same," he says, adding that, far from taking any moral satisfaction from this, the U.K. should be using the same tricks to help its economy.
But a spy, says Winkler, can be anyone with a motive to damage or steal your information, even a disgruntled employee or a purveyor of spyware.
Long years of experience have taught him that security can be achieved by getting the basics right. Information security is generally poorly executed, he believes, because organizations fail to recognize where the real threats lie.
"It's what I call 'death by a thousand cuts.' Everybody ignores the little things. Simple things like regular back-ups and updating antivirus software, or updating the operating system. These will prevent both the malicious threats and the malignant threats."
Spies Among Us deals in some detail with the many ways in which people can disclose information unwittingly. These might seem obvious to security professionals, but are hard to communicate to the rest of the organization.
This is why Winkler has pitched the book not at the specialist (although there is much of specialist interest in it), but at the general, computer-using public.
"I didn't want to preach to the choir. There are already a lot of books out there to help professionals," he says. "But my primary purpose in doing the book was to aim at the people security professionals need to convince to do the right things."
But the main problem still lies with the IT security profession and its obsession with flashy technology. "Too many security managers and practitioners are looking for the bells and whistles, but they ignore the basic little things," he says. "Ninety-nine percent of your problems could be solved with 1 percent of the effort. The little things add up to the big losses, and the little things, when patched, can prevent the big losses."
People need to look at what they have, taking the hit up front by implementing good policies and procedures across the organization. It takes time and effort, but once all your systems are hardened and a standard configuration document is in use across the organization, it is much easier to maintain your systems, as well as to secure them.
"It is simple; it is inexpensive. Basically, it's free to review your processes and then look at what can be done."
This is a long-standing message from Winkler. There is no point, he says, in getting obsessed with al-Qaida or organized crime – it can become a distraction from getting the foundations of security right. So what is the answer?
He still sees a marked lack of basic knowledge among people in IT security. "We need organizations and people to harden their systems appropriately so these morons aren't as successful as they are. Hackers have limited skill, but they are immensely successful because the average computer user or administrator really demonstrates very little security aptitude whatsoever."
But few get any training on hardening systems: "How many administrators know about implementing permissions like 'groups'? People are given very little training to do that."
Hardening systems can be just a matter of deciding which services are really necessary and disabling those that are not. But Winkler says few professionals have the knowledge or desire to do it.
"Now there is some information on how to harden systems – a lot of it from the U.S. government, such as the NIST website and the Center for Internet Security – but you need to know they exist and that you need to do something."
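The hardening step described above, deciding which listening services a host actually needs and disabling the rest, is the kind of "little thing" Winkler means. The following script is an added example, not code from the book or from this article: it treats the allowlist of needed ports as the host's standard configuration and reports any listener not on it. The port list, the service-name mapping and the sample `ss -tlnH` output are all constructed assumptions for this example; on a real host you would feed in live `ss` output instead.

```shell
#!/bin/sh
# Added example (not from Spies Among Us or the article): audit listening TCP
# services against an allowlist and report the ones that should be reviewed
# or disabled. Input lines follow the `ss -tlnH` format:
#   State Recv-Q Send-Q Local-Address:Port Peer-Address:Port

# Ports this host is supposed to serve (assumption: SSH and HTTPS only).
ALLOWED_PORTS="22 443"

# Constructed sample of `ss -tlnH` output, used so the script runs offline.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 5 127.0.0.1:631 0.0.0.0:*
LISTEN 0 128 0.0.0.0:23 0.0.0.0:*
LISTEN 0 50 0.0.0.0:445 0.0.0.0:*'

# Read ss-style lines on stdin; print the port of every listener whose port
# is not in the allowlist given as the first argument, one per line.
unexpected_listeners() {
    allowed="$1"
    while read -r state rq sq local peer; do
        [ -z "$state" ] && continue
        port="${local##*:}"          # works for 0.0.0.0:22, [::]:22 and *:22
        found=0
        for p in $allowed; do
            [ "$p" = "$port" ] && found=1
        done
        [ "$found" -eq 0 ] && printf '%s\n' "$port"
    done
}

# Map a port to the service to look at (assumed mapping; adjust per host).
service_name() {
    case "$1" in
        23)  echo telnet ;;
        445) echo smb ;;
        631) echo cups ;;
        *)   echo "port-$1" ;;
    esac
}

# Produce a human-readable review list from the sample data.
audit_report() {
    printf '%s\n' "$SAMPLE_SS" \
        | unexpected_listeners "$ALLOWED_PORTS" \
        | while read -r port; do
            printf 'review/disable: %s (tcp/%s)\n' "$(service_name "$port")" "$port"
        done
}

# On a live host replace the sample with:
#   ss -tlnH | unexpected_listeners "$ALLOWED_PORTS"
audit_report
```

With the constructed sample the report flags cups, telnet and smb, and leaves the two allowed ports alone; the allowlist is the piece to keep under change control, since that is what turns an ad hoc check into the standard configuration Winkler recommends.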
His charges are underlined by figures from the Computer Emergency Response Team at Carnegie Mellon University, which show that 97 percent of attacks target preventable vulnerabilities, and 70 percent exploit configuration errors.
In other words, it is within our scope to achieve "good enough" security at very little cost. It just needs proper processes and a proper awareness of all the possible ways for information to leak out of an organization.
Do that, and you might just force the spies to move to an easier target.