EDUCAUSE Security Conference: Secrets of Superspies

Secrets of Superspies
Ira Winkler, Author of Spies Among Us and
President, Internet Security Advisors Group
2007 EDUCAUSE Security Professionals Conference
Wednesday, April 11, 2007
Denver, CO
Ira Winkler gave a lively and entertaining account of his work sorting out a variety of insecure situations and offered specific recommendations based on his experiences.
Bad & Good Spies
Winkler said the second-worst spy in the world is ‘James Bond’, who is portrayed as someone who kills people, infiltrates enemy organizations and facilities, is feared by his enemies, and blows things up. On the other hand, he kills people, blows things up, is always known by his enemies, and always gets caught at some point. That makes for longer and more interesting movies, but it isn’t the way good spies operate.
The worst spy in the world is ‘Sydney Bristow’ from ‘Alias’. She does a good job at infiltrating but the bad guys are always prepared and one step ahead of her in protecting their information. Winkler said ‘Alias’ actually demonstrates good security programs – those put in place by the bad guys to thwart her efforts to obtain their secrets with ‘defense in depth’. She can be following leads to find the safe behind the picture but they are one step ahead of her with a booby-trapped safe.
Good spies aren’t noticeable, they find people or systems with information they want and they find ways to have that information given to them without incident. The bottom line message is that these may be good movies but in real life we want to create security with defense in depth that would make bad movies.
What do real spies do? They
  • Determine requirements – what they want to know
  • Determine who has it and how to collect it
  • Analyze information (this is the hard part)
  • Re-evaluate their needs (Do they need more information? Are there new requirements?)
In this ongoing loop, collection appears to be the focus, but the most critical piece is determining the requirements because you ‘need to know what you need to know’.
Science versus Art
Hackers like to portray themselves as artists, as they need to be ‘special’.
Spies are scientists with a methodical and repeatable process. They must have elements of ability, training, and practice. They can have only two of these but one must be training. If they don’t have training they can be dangerous.
Visualization skills are the key ability in this work. Good security people have ability, work in a process, and practice. The folks on the ‘good side’ don’t use their ability and process for criminal activity.
Operatives with 3 years of experience can rapidly recognize vulnerabilities and exploit them. Also, real spies know how to protect themselves.
Winkler noted that security and counterintelligence are totally separate activities. He shared an interesting story about spies gathering sensitive data via local Chinese restaurants.
You need to have common knowledge and exercise common sense, but awareness training is the most important aspect of a good security program.
  • Know the tricks of the trade and what to expect
  • Be right 100% of the time though your adversary only needs to be right once to win at this game
  • It’s not about protecting the computers; it’s about protecting the information on the computers.
Spies focus on information
  • Technology is only important because it provides access to information
  • Different classes of computers get different levels of protection
  • There can be tremendous threat but risk can be relatively small
Risk Management
Winkler suggested using a risk management equation where the threat*vulnerability is considered against the security countermeasures that mitigate risks. 
Threat is who or what is ‘out to get you.’ Vulnerability is the weakness that the threat can exploit. Value is the information or services you need to protect. Countermeasures are what you do to protect your value. Knowing these helps you determine where to spend effort and resources. He indicated that the biggest risks are not malicious people, but rather people who do stupid things.
Security is about implementing countermeasures to mitigate risks and he offered two key points:
  • Don’t do security – manage it instead.
  • Don’t focus on the threat – focus on the mitigations
Winkler provided two case studies. The first was about testing the security of a nuclear facility, which focused on the importance of process. If a spy knows the process, and knows where its vulnerabilities may be and can take advantage of them, you are breachable. In this case, the vulnerabilities that he exploited were all preventable. While people are fascinated by threats, it only takes bad intent to accomplish what he demonstrated in his breach of this sensitive facility. He said this is true for any attack.
Winkler also said that we must stop treating the bad guys as celebrities, be they the Cloverdale teens who infiltrated the .mil domain or others. They are not dragons; they are snakes. Good security people are not knights; they are exterminators. He did understand that the dragon/knight scenario is better for budgets.
Moving into a discussion of budget issues, Winkler was clear that IT budgets and security/protection budgets are not the same and we must optimize risk. Potential loss should drive the budget. On measures of cost, there is a point where vulnerabilities plotted against countermeasures can give us a risk optimization. Risk should be a key consideration in determining the budget.
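The budget point above can be made concrete with a small optimization. This is an added example, not taken from Winkler's talk or slides: it picks the set of countermeasures that minimizes spend plus residual expected loss, and shows the recommended spend changing with the potential loss. The countermeasure names, costs, reduction fractions and the multiplicative loss model are constructed assumptions.

```python
from itertools import combinations

# Constructed sample data (assumption): name, annual cost, and the fraction
# of the remaining exposure that the countermeasure removes.
COUNTERMEASURES = [
    ("awareness training", 20_000, 0.40),
    ("patch management", 35_000, 0.30),
    ("disk encryption", 50_000, 0.25),
    ("vendor appliance", 400_000, 0.10),
]


def residual_loss(potential_loss, chosen):
    """Expected loss left after the chosen countermeasures are applied.

    Assumed model: each layer removes a fixed fraction of whatever exposure
    is still left, so layers combine multiplicatively (defense in depth).
    """
    loss = float(potential_loss)
    for _name, _cost, reduction in chosen:
        loss *= 1.0 - reduction
    return loss


def optimize(potential_loss, options=COUNTERMEASURES):
    """Return (total_cost, spend, names) for the cheapest overall outcome.

    total_cost = countermeasure spend + residual expected loss. Every subset
    is tried, which is fine for a short list of candidate countermeasures.
    """
    best = None
    for size in range(len(options) + 1):
        for subset in combinations(options, size):
            spend = sum(cost for _name, cost, _red in subset)
            total = spend + residual_loss(potential_loss, subset)
            if best is None or total < best[0]:
                best = (total, spend, [name for name, _c, _r in subset])
    return best


if __name__ == "__main__":
    # Same candidate list, three different amounts at stake.
    for at_stake in (40_000, 1_000_000, 20_000_000):
        total, spend, names = optimize(at_stake)
        print(f"potential loss {at_stake:>10,}: spend {spend:>7,}, "
              f"total cost {total:>12,.0f}, buy {names}")
```

With these sample figures the expensive appliance only earns its place once the potential loss is large enough, and below a certain potential loss the optimum is to buy nothing.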
Things to Remember
In his closing statements, Winkler stressed
  • importance of awareness training
  • countermeasures should not be determined by budget or vendor hype
  • focus on information and services not on computers/technology
  • create defense in depth
  • focus on countermeasures that mitigate risk
…and indicated that realistic security is achievable.

The presentation slides for Secrets of Superspies are available online. A podcast is in production.
Books by Ira Winkler include
Spies Among Us and Zen and the Art of Information Security