How Corporate Spies Work

Winkler is a former NSA manager specialized in cybercrime. As we all are faced with this sort of bad things that may hurt or damage our hard work, let’s see what he has to say about cybersecurity and why we must first and foremost focus on a bulletproof connection to the Internet.

At the NSA, Winkler learned valuable lessons about cryptoanalysis and database design, among other things. But the spy’s life failed to match his expectations. The NSA, says Winkler, was “more Dilbert than James Bond.”

It was in the private sector that he finally found the intrigue he longed for. While working as a project manager at SAIC, a San Diego-based technology consulting firm, Winkler was asked to conduct a security test for a client company.

The company wanted to know how easy it would be for a competitor to identify its overnight carrier or the type of computer system used in its research library. Winkler took it upon himself to broaden the assignment. “Why go after something so lame?” he says. “The goal was to simulate an attack, and that means computer access.”

Placing what’s known as a “pretext call” to human resources, he introduced himself as an assistant to the company president, who supposedly wanted to host a welcome breakfast for new hires. Could he please have their names, departments, and I.D. and phone numbers? After receiving the information, Winkler called several of the individuals.

Pretending to be a member of the information systems staff, he told them they had missed an important orientation meeting and offered to brief them one by one. Drawing on his NSA training in “intelligence solicitation” techniques, he rattled off a series of questions about traffic-generating strategies, names, and job titles.

Buried amid these tiresome queries, though, he also asked for usernames and passwords, which, to his surprise, they unhesitatingly supplied. He concluded each call with a series of security reminders, imploring each of the employees to never, ever disclose passwords over the telephone.

The two most important keys to success in a social-engineering operation, Winkler says, are an ID badge and an air of confidence. Winkler never lacks the confidence and rarely lacks the badge. (They’re surprisingly easy to obtain, he insists.)

He has also cultivated a set of useful personas, including the stern-faced IT guy, the workaholic assistant, and (his current favorite) the distressed executive. This is the capacity in which Winkler called one corporate help desk recently, identifying himself as a senior manager on the road, plagued by laptop problems.

“I can’t log in,” he complained. “The computer keeps crashing, and I have a meeting in the morning.” The help desk unquestioningly gave him a new password. “I could have gotten them to send me a new computer if I wanted,” he claims. So you can create the most wonderful logos and develop the best-looking websites, but if your security system isn’t top-of-the-line, your work’s been all for nothing!

At the end of a mission, Winkler submits a report. He tries not to focus on the failures of individual employees and no one has ever been fired as a result of one of his operations, he asserts. The point, he says, is to raise the entire organization’s consciousness (also of your affiliates) and spell out areas in which security needs to be tightened.

His report might, for example, call for a clean-desk policy or a stricter procedure for issuing ID badges. Critics of this approach argue that such measures ought to go without saying-or paying. Not giving out passwords over the phone, not letting strangers read your email, not using Post-its as reminders. A company shouldn’t need an expensive consultant to underscore the need for rules of this kind, says Murray of Deloitte & Touche.

The No. 1 security priority for Corporate America, in Murray’s view, is a bulletproof connection to the Internet. “There’s nothing novel about acquiring special knowledge by deceit and fraud,” he says. “It’s been going on since the beginning of recorded history.”

Exactly, says Winkler.