Sunday, April 27, 2008

SAC Thought #2: Threat Thinking

Continuing in the SAC concept I started in the last post, here is a Wired commentary post by security guru Bruce Schneier.

Commentary: Inside the Twisted Mind of the Security Professional - Wired

I'm relieved to find I am not alone and others share this same thinking behavior.

Security requires a particular mindset. Security professionals -- at least the good ones -- see the world differently. They can't walk into a store without noticing how they might shoplift. They can't use a computer without wondering about the security vulnerabilities. They can't vote without trying to figure out how to vote twice. They just can't help it.

...

Really, we can't help it.

This kind of thinking is not natural for most people. It's not natural for engineers. Good engineering involves thinking about how things can be made to work; the security mindset involves thinking about how things can be made to fail. It involves thinking like an attacker, an adversary or a criminal. You don't have to exploit the vulnerabilities you find, but if you don't see the world that way, you'll never notice most security problems.

I've often speculated about how much of this is innate, and how much is teachable. In general, I think it's a particular way of looking at the world, and that it's far easier to teach someone domain expertise -- cryptography or software security or safecracking or document forgery -- than it is to teach someone a security mindset.

I also find myself thinking this way frequently as I assess responses, projects, and positions at home and work.

It's not a state of paranoia, but one of understanding and risk assessment.  Were I younger I might think it was something about self-preservation.  Were I older I might think it was simple curiosity, spun in an odd form.

However, in my current life-stage, I think it is a beautiful dance between the two.

I got into a "discussion" at work a few months ago on a certain project I am involved in with a higher-level project director.

We were reviewing the project elements for our group's assignment and (in my opinion) spending too much time on the asking the wrong questions and accepting the easy answers so we could move on with the activity.

I posed the point that we needed to spend more time considering failures and more clearly define the conditions they could occur under, as well as what our responses needed to be.  I was met with a light wave-off of these concerns with the justification that that just doesn't happen so I don't need to worry about it.

Contingency planning and pre-exploration of alternative responses is a skill that I excel in and (in my opinion) makes me quite successful at what I currently do.

I dare think that not only can things go wrong, they can go horribly wrong. And am willing to work my way back to recovery (and prevention) from that point.

It get me strange looks when I bring up topics of whole-drive laptop encryption as the rule, rather than the exception.

Or how buyer's names can be found on the temporary tags issued to new-car owners.  Good starting point for identity theft or stalking.

Or anyone who calls up, unsolicited to the house, requesting we participate in a brief "survey" of our thoughts regarding some innocent subject. (No thank you.)  Or that I either use my cell phone or a hard-wired home phone if I am calling up one a company with whom we do business with or to place an order for goods over the phone (in case anyone with a scanner is listening in). Or why I still haven't set up a wireless network at home (I'm sure I could do it securely, but I haven't the time and patience at this moment to do all the configurations needed to my satisfaction) when a wired network connection is just easier and faster to secure at the moment for me for our basic home-networking needs.

Maybe it is simpler yet grander than this, at the same time.

Maybe some folks are just wired to think out of the box, far outside of the social norms of box-thinking.  Some are able to use this for personal gain or great harm. Others are able to use it as a form of leadership to bring new tools and perspectives to the group to (slowly) chart a new course of action or direction.

It is exciting and thrilling journey of thought, but often lonely.

--Claus

No comments: