Spies Among Us: How to Stop the Spies, Terrorists, Hackers, and Criminals You Don't Even Know You Encounter Every Day Hardcover – Apr 8 2005
|New from||Used from|
Customers Who Bought This Item Also Bought
To get the free app, enter your e-mail address or mobile phone number.
From Publishers Weekly
Those who are already paranoid about information theft, both personal and professional, should take a muscle relaxant before reading this eye-opening survey of the many holes that exist in our security and intelligence systems. Author Winkler (Corporate Espionage) began his career at the National Security Agency, and his exploits in the private sector, testing security systems by breaking into banks and high-profile companies, have earned him a place in the Information Systems Security Association Hall of Fame. Winkler's background not only lends his book an authoritative voice, but embellishes his nuts-and-bolts material with rich references to intriguing cases in which he's been involved. The book kicks off provocatively, explaining why James Bond and Sydney Bristow from the TV show Alias "suck as spies" and detailing what spies at various levels actually do. He then goes on to explain how spies and/or "their friends" (i.e., hackers, identity thieves, spammers, etc.) can get at an organization. Although the book will interest security professionals more than consumers, there's some choice bits here for readers captivated by cloak-and-dagger endeavors. Winkler's chapter on "How to Be a Spy" shines as a concise tutorial on how genuine spooks operate, and his case studies, which make up the middle of the book, fascinate as examples of how easy it can be to compromise the security systems of high visibility companies-even post 9/11. Overall, this is a thorough, at times absorbing, cautionary tale for any company or person who subscribes to the Boy Scout motto: Be prepared.
Copyright © Reed Business Information, a division of Reed Elsevier Inc. All rights reserved.
Required reading by counterintelligence warrant officers in training at the U.S. Army Intelligence Center, Spies Among Us is a primer into the basic principles of intelligence operations. Indeed, Ira Winkler notes that spies, terrorists, hackers, and criminals all use the same basic techniques to collect information on their targets.
Mr. Winkler is a former undercover security analyst with the National Security Agency, who now works with governments and major corporations to help them uncover potential security breaches. He states in the introduction to Spies Among Us that there seems to be a fascination with spectacular acts committed by terrorists, foreign intelligence operatives, and computer hacking geniuses. Against such threats, corporations and individuals are tempted to feel powerless. Such acts, though potentially devastating, are quite rare and only affect relatively small numbers of people and businesses. Conversely, natural disasters, accidents, and criminal acts, though not as spectacular, are much more common and affect many more people. In Spies Among Us, Mr. Winkler seeks to empower his readers with simple countermeasures that can mitigate the common threats we all face. He further adds that such prudence also helps protect against attacks from the terrorists, spies, and computer geniuses.
Spies Among Us is divided into three parts. Part I discusses the fundamental concepts of the intelligence process, espionage, and crime. Part II explores the details of some notable penetration tests conducted by Mr. Winkler and his colleagues as well as some real-world cases of high- level crime and espionage. Finally, Part III describes the simple countermeasures that can be used to reduce both individual and corporate vulnerabilities to various threats.
In Part I, Mr. Winkler defines risk, threat, vulnerability, counter-measures, value, and their interrelationship. He further explains how to determine the value of assets and how to evaluate various threats against those assets. Of particular interest to BECCA members, Mr. Winkler thoroughly describes the corporate espionage threats that U.S. corporations face. He lists the major countries that successfully use their state intelligence agencies to target U.S. corporations. Among those countries are two U.S. allies identified by the CIA as conducting espionage against U.S. companies: France and Israel. Furthermore, Mr. Winkler describes how each nation targets U.S. corporations both at home and abroad. He states that the U.S. government is quite different than that of most other industrialized nations in that it generally does not collect intelligence on behalf of its corporations. Contrast this with the statement of Pierre Marion, the former head of the French foreign intelligence agency who has stated, "There is no such thing as an economic ally." Among other countries, the U.S. government is considered "naïve" in its view of international corporate espionage.
In addition to foreign intelligence threats, Part II of Spies Among Us explains how corporate information leaks can be caused or exploited by insiders (employees), petty crime, suppliers, customers, and competitors. In regards to employees, the author draws an amazing parallel between the profile of an extremely hard- working employee and that of a spy. They both show interest in what their coworkers are doing, they volunteer For extra work, they work late, and they rarely take vacations. Attackers Target vulnerabilities of corporations and individuals. Mr. Winkler defines Vulnerabilities in four categories: operational, physical, personnel, and technical. Under operational vulnerabilities, he addresses security awareness and makes a notable statement, that "there is no common sense without common knowledge," emphasizing the importance of security awareness training for everyone.
In Part II, not only does the author describe various successful attacks Against major corporations, he also describes the vulnerabilities which facilitated or allowed these attacks.
In Part III, Mr. Winkler explains simple countermeasures to address these vulnerabilities and similar vulnerabilities of individuals. He defines these countermeasures in the same categories that he used for vulnerabilities. However, he makes the interesting observation that the categories do not necessarily correlate. For instance, he states that poor security awareness is an operational vulnerability. However, an effective countermeasure for poor awareness is a technical countermeasure such as token-based authentication which thwarts social engineering attacks designed to obtain passwords from users. In the final chapter, Mr. Winkler provides practical suggestions for implementing and testing countermeasures and incident response procedures. He includes sound advice on how to garner support from management and compliance from employees. He states that an effective security awareness program could result in "thousands of people detecting security problems, not just the two people in a typical security department."
As a military intelligence professional, I found Spies Among Us to be a fascinating and enlightening read. As only someone who has great understanding can, Mr. Winkler greatly simplifies the intelligence process and provides interesting insights into recent events. He also writes from the vantage point of an insider. The security countermeasures he recommends are practical and feasible for both organizations and individuals to implement. As someone who sees the need for professional reading but who does not normally enjoy such activity, I found this book to be refreshingly enjoyable to read. I highly recommend Spies Among Us to anyone working in the security or intelligence field. I also highly recommend it to anyone else who has ever felt vulnerable or who just wants to peer into the hidden world of espionage and crime that is always among us.
"Spies Among Us reads like a Robert Ludlum novel, [and] it’s riveting because it’s all true. If you’ve got a social security number, you need to read this book whether you’re a CEO or a grandmother. Winkler reveals the top threats to our personal and national security, with lots of straight-forward advice on how to protect yourself."
–Soledad O'Brien, CNN
Inside This Book(Learn More)
Most Helpful Customer Reviews on Amazon.com (beta)
The book is divided into three parts--Part I is on "Espionage Concepts," which describes the intelligence process, forms of information, risk equations, how security's components are confidentiality, integrity, and availability, how to measure asset values, and so on. Part II is "Case Studies" and is the most interesting and original portion of the book. Part III is "Stopping the Spies," about specific vulnerabilities and countermeasures.
As in the previous book, Winkler's advice is sound and the case studies are interesting. Unfortunately, much of the book duplicates the prior book and other books in the field, which is part of why it took me three months to get through this book--I got hung up in Part III, which was mostly old hat.
What I found most disappointing about the book beyond its lack of novelty were two features: first, that there were frequent errors and omissions which seemed a display of either lack of research or carelessness; second, that Winkler takes many opportunities to tell the reader that he's involved in important things, but without showing the evidence for it.
Examples of the first include not only simple things like typos that should have been caught by the editor (p. xv "phased" for "fazed", p. xvi "over" for "cover"), but factual errors. On p. 55 he writes of the 1996 blackout of "nine states of the Pacific Northwest." There aren't nine Pacific Northwest states, and there were two Western U.S. 1996 blackouts caused by power lines sagging to trees, an Idaho/Wyoming line on July 2 affecting 14 Western states and a California line on August 10 affecting states from Oregon to Mexico and Texas.
On p. 78 he gives estimates of the number of people with various hacking skills which appear to have been pulled from a hat; I suspect his estimate of 100,000 people capable of developing hacking tools from knowledge of vulnerabilities is a substantial underestimate.
On p. 81 he claims that, contrary to other countries, the U.S. government intelligence agencies don't pass information back to U.S. companies. While this is official policy, counterexamples may be found (e.g., the book Friends in High Places discusses information flow in both directions between the CIA and the Bechtel corporation in the Middle East).
On p. 143, Winker writes that "There has supposedly been only one day zero attack, which is an attack that exploits a vulnerability that was not previously reported and known." No reference (though I suspect he's referring to a successful 2003 attack on Microsoft IIS against the U.S. Air Force prior to the March 13, 2003 release of MS03-007), and surely false, if by "reported" he means reported to the general public, e.g., via a published security advisory.
Omissions include his discussion on p. 93 of Israeli intelligence actions against U.S. corporations, where he says "an Israeli telecommunications [company, sic] acquired a U.S. domestic carrier" and "now has control and access to the phone lines of many companies," but doesn't name the company. Why not? Isn't this something of importance for U.S. companies to be aware of? (Perhaps he is referring to Verint, formerly Converse Infosys.)
Similarly, on p. 94 he writes that "There are also the recent charges of a Pentagon official who passed classfieid documents to Israel through a political lobbying group," but omits any details, even though these charges against Lawrence Franklin, who worked under Douglas Feith at the Pentagon, were well known (and Franklin has since confessed).
On p. 95 he writes of a German intelligence project, Project Rahab, that "one of [its] major reported successes includes infiltration of the SWIFT system, which is one of the world's major financial networks." Again, no references--in this case, the allegation probably comes from Timothy Haight's article "High Tech Spies" in the July 5, 1993 issue of Time magazine (p. 24), regarding the BND (German intelligence) use of a virus written by Chaos Computer Club member Bernd Fix. According to Fix (search the web for Rahab, SWIFT, and Bernd Fix and you'll find his commentary on this), there have been a lot of wild claims made, and he can't vouch for any of them. Any of these omissions could have been elaborated on and made the book much more interesting.
Winkler's self-aggrandizing can be found at a number of points throughout the book, such as on p. 84 where he writes that a small literary agency can represent people "some of whom (such as myself) have access to sensitive information." My favorite example is on p. 121 under the heading "personal aggrandizement," where Winkler writes that "An individual's desire to impress others has caused some of the biggest security problems in history." In the very next paragraph, he writes, "As I mention in the Introduction, one of my female friends was a CIA operative who posed in Playboy magazine."
Still, the book is worthwhile for a solid collection of vulnerabilities and countermeasures if you don't already have one, and the case studies are enjoyable (some of which are from Winkler's direct experience, others of which are reports of cases which have been reported on elsewhere, such as Alexey Ivanov in chapter 10 and Abraham Abdallah in chapter 11). One weakness of chapter 13 ("Taking Action", about setting up a security program and implementing countermeasures) is that it gives short shrift (p. 304) to measurement of effectiveness and the security life cycle.
Ira learnt his trade working for the US National Security Agency. His spooky background provides a somewhat disturbing undercurrent throughout the book but this is neither a James Bond training manual nor a shock horror exposé of the murky world of spies. It is in fact a very broad exposition highlighting the urgent need for all organizations to implement suitable information security controls.
Chapter five "How the spies really get you" should be compulsory reading for all managers. In less than fifty pages, Ira explains how virtually anyone in or associated with the average organization may represent a vulnerability, some more than others. I challenge any experienced manager to read this chapter without thinking about probable weaknesses in their own organization, perhaps even in their own departments.
If chapter five piques your interest, I guarantee you will enjoy the rest of the book. The previous four chapters set the scene, explaining that information security is far more than simply a matter of implementing system/network access controls. The next six chapters (part II of the book) present compelling case studies built (we are told) around genuine real-world situations. Ira is known for describing attack methods quite explicitly, meaning that having read the case studies, you will be in a similar position to those who actually committed these attacks. Each case concludes with a description of the vulnerabilities exploited.
The final two chapters (part III) attempt to redress the balance by explaining how to address the risks presented in the rest of the book and so `stop the spies'. Given the broad nature of the threats and vulnerabilities described in parts I and II, it would be unrealistic to expect to get a complete set of answers in just two short chapters ... but that would miss the whole point of the book. Part III gives an overview of the main elements of most information security programs. In one, two or occasionally three paragraphs, Ira explains what the average Information Security Manager actually means by concepts such as single sign on and defense in depth.
This book should provide a wake-up call to complacent managers who feel their organizations are somehow immune to industrial espionage, social engineers and even terrorist infiltration.
Part 1 - Espionage Concepts: How To Be A Spy; Why You Can Never Be Secure; Death By 1000 Cuts; Spies And Their Friends; How The Spies Really Get You
Part 2 - Case Studies: Spy vs. Spy; Nuclear Meltdown; Fill'er Up!; The Entrepreneur; The Criminal Face Of The Internet Age; Crimes Against Individuals
Part 3 - Stopping The Spies: Taking Control; Taking Action; Index
Winkler is someone who does "attacks" for a living. He routinely is hired by companies to do threat assessment on their systems and locations, and unfortunately he is often successful with far too little effort. These assessments could be just a simulated attack to gain access to secured locations and systems that could then be compromised, clear up to security of nuclear facility information and terrorist attacks on fueling facilities at airports. It's that last one that is scary, in that it was done in a post-9/11 environment, and went off without a hitch. We're just not in the "security mindset" in most cases.
But rather than just go on about how easy it is to hack and crack systems, he also offers plenty of advice on how best to build a security program that is effective (both from a cost and result perspective). Each of the case studies ends with a summary that shows how something like this could happen, as well as what vulnerabilities were found and exploited. That piece by itself would be worth the cost of the book. But the final two chapters are where you'll benefit most. Winkler covers a multitude of counter-measures (personnel, physical, operational, technical) that can be implemented in order to have a more secure environment. The final chapter then explains how to implement a comprehensive program based on the value of your information and the amount of risk present. Rather than just saying "do this, this, and this", you get a customized approach based on your own unique situation. Really good stuff...
As he states early on in the book, there's no way to be 100% safe and secure. But you can do far more than "hope for the best". This is the book that can help you understand just how dangerous things can be and how at risk you are...
So, the book is fun! The book starts from "espionage concepts" and continues on to case studies (the most fun part!) and countermeasures parts.
"Spies among us" also highlight some commonly overlooked truths in the security arena, such as that users' errors are more damaging, in aggregate, than all the malevolence of all the spies in the world. Acts of God, not "hackers", run a close second. Also, the section on countermeasures really stresses the point that many a sophisticated attack was ruined by the simplest countermeasures, applied deliberately and consistently.
Among other things, I loved the insider profiling bit, where the profile of the hardest working employee matches that of a "typical industrial spy." I also liked his country by country espionage coverage, such as how are Russian spies different from Chinese spies :-)
Overall, while the book clearly aims at a non-technical audience, even seasoned security professionals will benefit (or at least will have fun reading it), if not from the information, but from reliving Ira's experiences ("Can your organization be penetrated THIS way?"). Everybody related to security (and many who are not) should get the book!
Dr Anton Chuvakin, GCIA, GCIH, GCFA is a recognized security expert and book author. In his current role as a Security Strategist with netForensics, a security information management company, he is involved with defining future features and conducting security research. A frequent conference speaker, he also represents the company at various security meetings and standard organizations. He is an author of a book "Security Warrior" and a contributor to "Know Your Enemy II", "Information Security Management Handbook" and the upcoming "Hacker's Challenge 3". Anton also published numerous papers on a broad range of security subjects. In his spare time he maintains his security portal at info-secure.org and two blogs.
Mr. Winkler is speaking from experience and his background denotes a lot of it. I was very impressed with his style of writing and the material he covers. If anyone wants a career in Computer Security or Information Assurance, this book is a definite MUST READ and MUST HAVE in your library.
Look for similar items by category
- Books > Business & Investing > Management & Leadership > Leadership
- Books > Computers & Technology > Internet & Social Media > Hacking
- Books > Computers & Technology > Networking & Cloud Computing
- Books > Computers & Technology > Web Development > Security & Encryption > Encryption
- Books > Politics & Social Sciences > Current Events > Terrorism
- Books > Politics & Social Sciences > Politics > Terrorism
- Books > Professional & Technical > Business Management > Management & Leadership > Leadership