Ira Winkler

The security maven talks about how information security differs from computer security, why 'awareness' isn't enough, and when grandma's computer has to be shut down.

This version of the story originally appeared in Computerworld's print edition.

Ira Winkler began his career at the National Security Agency, where he combined computer systems analysis and intelligence analysis. He is founder and president of Internet Security Advisors Group. When Hewlett-Packard Co. acquired ISAG in 2001, Winkler served as chief security strategist for HP Consulting. He is the author of several books, including Spies Among Us and Zen and the Art of Information Security.

What's the most important information security lesson you learned while at the National Security Agency? It's all about protecting information, not computers. Information can be in any form. It can be conned out of someone or retrieved from the trash. The CIO has to remember that the title is "chief information officer," not "chief computer officer." So they have to work with the physical security people, for example, to make sure that the guards are going through the building not just looking for fires.

Look at ChoicePoint [which in 2005 revealed that it was tricked into disclosing private information on 163,000 consumers]. A computer didn't get hacked, but does it matter? They had to pay big fines [$15 million], and they should have, because they didn't look at information security as information security, they looked at it as computer security.

So the CIO has to promote information security of all types? Awareness programs can be good, but awareness without enforcement is completely useless. What's the penalty for browsing pornography? You get fired. You need something like that for other kinds of security violations — for example, leaving your password taped to your monitor. There should be spot-checking — someone walking through periodically looking for passwords. First, line managers should be responsible for reviewing the workplace, and security staffs should do monthly walk-throughs.

The federal government is increasingly in the information security awareness business. Yes, the Department of Homeland Security is relying on awareness efforts. [DHS head] Michael Chertoff says [to security professionals], "Hey guys, work with us, because it's the right thing to do."

Government has been asking people to voluntarily cooperate and has gotten no results whatsoever. The Internet service providers and backbone providers are still poorly maintaining the critical infrastructure. We keep saying "pretty please," but they have no incentive to help. So Congress should pass enforcement laws, and DHS should be mandating things.

What kinds of things might be mandated? Bad guys attack systems remotely over the Internet. When you see grandma sending 50,000 e-mail messages, you know that's bad traffic. Why don't ISPs stop obviously bad traffic? Get grandma off until she fixes her computer.

Similarly, ISPs could scan users, and if they are not using the latest [antivirus and operating system] updates, get them off the Internet. "Awareness" means no one is held responsible.
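To make concrete the kind of automated, per-subscriber check Winkler is describing, here is an added example (not code from the interview or from any ISP) that flags a subscriber whose outbound mail or ping volume in one hour exceeds an assumed threshold. The flow records, subscriber names and threshold values are constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed per-subscriber hourly ceilings; real operators would tune these.
THRESHOLDS = {"smtp": 200, "icmp": 5000}


def classify(proto, dst_port):
    """Map a flow to the traffic class we rate-limit, or None if uninteresting."""
    if proto == "tcp" and dst_port == 25:
        return "smtp"
    if proto == "icmp":
        return "icmp"
    return None


def find_noisy_subscribers(flows, thresholds=THRESHOLDS):
    """flows: iterable of (timestamp, subscriber, proto, dst_port).
    Returns {subscriber: {(hour_bucket, class): count}} for every bucket
    whose count exceeds the threshold for that class."""
    counts = defaultdict(Counter)
    for ts, sub, proto, port in flows:
        kind = classify(proto, port)
        if kind is None:
            continue
        bucket = ts.replace(minute=0, second=0, microsecond=0)
        counts[sub][(bucket, kind)] += 1
    alerts = {}
    for sub, buckets in counts.items():
        over = {k: n for k, n in buckets.items() if n > thresholds[k[1]]}
        if over:
            alerts[sub] = over
    return alerts


def constructed_flows():
    """Constructed sample: one compromised home PC relaying spam, one normal user."""
    start = datetime(2008, 6, 1, 10, 0, 0)
    flows = [(start + timedelta(seconds=2 * i), "sub-grandma", "tcp", 25)
             for i in range(1500)]          # 1,500 outbound SMTP connections in an hour
    flows += [(start + timedelta(minutes=10 * i), "sub-normal", "tcp", 25)
              for i in range(5)]            # a handful of legitimate mails
    flows += [(start + timedelta(seconds=10 * i), "sub-normal", "tcp", 443)
              for i in range(300)]          # ordinary web browsing, ignored
    return flows


if __name__ == "__main__":
    for sub, over in find_noisy_subscribers(constructed_flows()).items():
        for (bucket, kind), n in over.items():
            print(f"{sub}: {n} {kind} flows in hour {bucket:%H:%M}; quarantine until patched")
```

The quarantine action itself (redirecting the subscriber to a cleanup page until updates are applied) is left to the operator; the check runs with no human in the loop, as the interview suggests.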

Is that fair? Grandma is no bad guy. If you leave your home PC vulnerable these days, you are not necessarily harming yourself, but you are enabling fraud because somebody is going to take over your computer and use it to attack others or aid in piracy of music and movies and things like that.

But don't some people object to ISP filtering on censorship/privacy/free-market principles? Arguments that say service providers have no right to stop someone from sending 20 million ping messages are absurd. I am all for freedom of whatever until it starts impinging on the freedom of others as well as creating a financial drain on others.

The mandates I propose are looking to stop the exploitation of other people's systems, which in turn cause damages to millions of others. The monitoring is targeting what is generally considered criminal activity and is done without human intervention.

At the corporate level, is a combination of awareness and enforcement working pretty well? Some big companies, like Citibank and JPMorgan Chase, are doing reasonably well. But companies like T.J. Maxx [which last year reported that millions of credit card numbers had been stolen from its systems] are not doing so well.

For example, many merchants are asking for exemptions and extensions for compliance with the [Payment Card Industry Data Security Standard]. They want to hold off with PCI compliance so that they don't have to spend the money. They say it's too difficult, but the reality is that they don't want to put the required resources to it. T.J. Maxx had an extension.

But security is like the 80/20 rule, only it's 99/1. You can solve 99% of your problems with 1% of the effort. If you take care of the basics — enable Windows Update Services, buy antivirus software, get host-based intrusion detection and so on — you make it significantly harder for the bad guys to attack you. They go for the low-hanging fruit, and they keep moving on to more vulnerable targets.

In your talk at the RSA security conference in April, you explained how very basic security lapses made it easy for you to break into a power company's control systems. Yes, we were able to access the power grid. It was embarrassingly simple. Some negative comments that my presentation received included that Hacking 101 should not be part of an RSA presentation, meaning it is too simple for the audience. The problem is that Hacking 101 was all that was required to attack the power grid, and that people who have that type of response are the biggest threat to security. They know it all, but they know nothing.

Copyright © 2008 IDG Communications, Inc.
