Recently, I participated in SC Magazine's eSymposium on Corporate Espionage. Ira Winkler, President of Secure Mentem and the Internet Security Advisors Group (ISAG), gave the opening address. Many of his excellent remarks gave me flashbacks, as I've known Ira now for nearly 15 years. He and I first met when I was involved in cyber security efforts with Diplomatic Security at the US Department of State. Ira, who has been dubbed a 'modern day James Bond', is a pioneer in computer security, having led numerous infamous penetration and vulnerability tests for governments and countless Fortune 500 companies. As a mentor, I always appreciated Ira's no-bulls**t, outspoken approach to security. He calls it like he sees it, and oftentimes his recommendations are practical, simple countermeasures that are often overlooked. He shared several examples of his work in two groundbreaking books that he authored in 1997 and 2005, Corporate Espionage and Spies Among Us. In addition to penetrating global networks, Ira is a master at social engineering or, put simply, hacking humans. The topic of corporate and industrial espionage is one of growing concern, particularly for companies I have worked with that operate globally and have large outposts in emerging markets and volatile regions. For companies and governments managing risks that range from cyber security and geopolitical shifts to responding to crises, competitive intelligence has become paramount. Having conducted my own vulnerability and penetration tests over the years, as well as led a variety of social engineering exercises, it is clear to me that as we have become a more interconnected, digital society, our vulnerabilities have compounded. And long ago, the espionage tradecraft left the purview of the public sector and nation states and went private, where the largest reserves of power and resources are consolidated.
Beyond the headlines of the major hacks and security breaches, the spying tradecraft is quietly at work extracting intelligence and going largely undetected. Few are really paying attention to this and implementing countermeasures to protect against it. And it's costing them, dearly.
I reconnected with Ira after his remarks at the SC eSymposium to get his take on the state of corporate espionage today, his sense of how the craft has evolved since he first began working in this space, and his recommendations for what companies and large organizations can do about it.
Cari Guittard: How has corporate espionage changed since you first began working in this space over a decade ago? What are the trends you're seeing now and how has this changed over the years?
Ira Winkler: I see a lot of attention being paid to spear phishing and APT, which people equate specifically to China. While spear phishing as a primary attack vector is new, China actively compromising information is not, nor is espionage mostly from China. They just are bad in that they are caught so frequently.
Cari Guittard: In your opening remarks to the SC eSymposium last week you began talking about China and the media's collective obsession with Chinese hacking and espionage attempts, an obsession that you found misplaced in a broader discussion of corporate espionage trends. For most companies operating globally, should they care about China and are there any lessons to be learned from their approach to hacking and espionage?
Ira Winkler: China is a dragon. Dragons are mythical creatures that the population fears at the mere mention of. However, while they are paralyzed with fear at the thought of the dragon, they ignore the snakes and rats that are constantly causing them small amounts of harm. I am not saying that the Chinese threat is mythical per se, but that the threats that are causing people damage are employees, both well meaning and malicious, who cause damage intentionally or accidentally. If China were the only threat you had to worry about, consider yourself lucky, as the damage they cause is not immediate nor costly, unless they use the information to directly compete with you or use it against you. In short, companies really need to focus their attention on preventing damage caused by small but plentiful incidents that aggregate to cause a devastating loss.
Cari Guittard: You noted the pervasiveness of what you call a 'security stagnation' culture whereby many large organizations take the viewpoint that their threats are largely external and all of their security countermeasures, if they have any in place, are largely focused on outside, existential threats. Can you elaborate on this concept and advise where an organization should redirect their focus and resources to better protect their information assets?
Ira Winkler: An insider knows exactly where and how to hurt you. There have been many cases where a disgruntled employee created crippling losses after leaving the organization. Companies need to focus their attention on basic computer security and operations. While everyone wants to hear about "Advanced" persistent threat, the reality is that most attacks are not technologically advanced. Bad passwords, poor permission settings, failure to deactivate accounts of departing employees, easily guessable or written passwords, failing to monitor data stores, etc. have been exploited exponentially more frequently than seemingly sophisticated attacks. Even the nature of the "Advanced" threat is rarely that it is technologically advanced, but that it is advanced in its organization and persistence.
Cari Guittard: What are some simple countermeasures you would advise to help organizations and individuals protect themselves against espionage and human hacking attempts?
Ira Winkler: Enabling automatic updates of software, installing anti-malware and anti-virus software and enabling automatic updates, being mindful of suspicious e-mails and websites, creating strong passwords that are not shared or written down, setting account permissions properly. I really wish there was some magical advanced countermeasure I could recommend to stop attacks, but the reality is that information security is very much like the 80/20 Rule, where you can solve 80 percent of your problems with 20 percent of the effort. The reality is that studies of incidents show that the 80/20 Rule is much more like the 99/1 Rule, where you can stop 99 percent of attacks with 1 percent of the effort.
Cari Guittard: Your new company, Secure Mentem, focuses on creating, nurturing and measuring an effective foundation for a security awareness culture within an organization. Security awareness should be something every organization invests in and pays attention to, but few do it well, if at all. Why is this, and why is there so much controversy in this space?
Ira Winkler: I equate the supposed controversy about security awareness to the Westboro Baptist Church and hatred of our troops. The media loves to give attention to any media whore who takes an outlier position, no matter how rare or illogical it may be. The reality is that a small group of people on a slow news day can garner a lot of attention, and then the outraged public keeps a non-issue alive by expressing their outrage instead of letting the controversy go into oblivion where it belongs. There is no real "controversy" about the importance of security awareness. The articles criticizing awareness are written by outliers who know little about the science of security awareness. When you actually see the responses to the articles these people write, you see almost unanimous condemnation of the articles.
If you actually read the criticism of security awareness, and substitute "computer security" with "automobile safety", you would find that they essentially argue that despite immense spending on driver safety, there are still accidents, so let's abandon driver safety and rely on cars that drive themselves. The arguments are absurd, or specious at best. The only thing these people are correct about is that there are many security awareness programs that are bad.
This is where Secure Mentem fits in. We offer turnkey comprehensive customized security awareness programs, where we manage the creation and specification of security awareness programs. Most important, we base our methodology on extensive and groundbreaking research into the critical success factors of security awareness programs. The resulting awareness programs are much more effective and cost effective than an organization can do on their own.