My mum is an ordinary person with a security mindset. That kind of thinking came naturally to her, and she taught me a lot about security when I was young. It is probably what people call social intelligence. I did not realize that this was what I had been teaching others until I formally learned about security concepts.
When I was a little boy, my mum told me to be careful when going out alone. She told me that if someone was behind me when I left the elevator, I should not walk straight towards our apartment. I took that to heart, at all times. I would imagine myself in all kinds of trouble and work out how I would get out of it.
That is why I am neurotic sometimes, but that is exactly what we need in cybersecurity. To others it may look like paranoia. For a genuine security professional, it is the right way to treat the projects or systems you are responsible for.
Last time, I mentioned that the most important thing that makes a great infosec expert is a security mindset.
So this time I will focus on HOW. From my own experience, this mindset is not something you are born with; it can be taught.
This may not be much, but by emphasizing the significance of the right mindset, I hope more people will accept that a high security standard is not only the obligation of technical personnel but of everyone in the organization or system.
Describing a security mindset in general terms cannot be done while staying practical. To get around that, I would like to put you into the three roles I have experience with: Security Engineer, Security Consultant, and Security Architect.
If you are like me, you wear all three hats. But you cannot think like all of them at once. So I would like to lay out the distinctions among them and the focus of each role.
Among the three, the security engineer's mindset is the one that should be most widely adopted. Let's talk about it first.
With all the vulnerabilities out there, they are still not obvious for most people to find. It takes a totally different way of thinking, one that is not natural for most people, and not even for IT staff or engineers. Good engineering practice is to build things that work perfectly.
Security engineering practice, on the other hand, is to find the things that make them fail. Security engineers, at least the good ones, differ from IT engineers in that they look for what can go wrong instead of making it work. Every big tech company's bug bounty program relies on this particular mindset.
I found my own way of thinking explained in a blog post from a long time ago (2008) by security guru Bruce Schneier:
The lack of a security mindset explains a lot of bad security out there: voting machines, electronic payment cards, medical devices, ID cards, internet protocols. The designers are so busy making these systems work that they don’t stop to notice how they might fail or be made to fail, and then how those failures might be exploited. Teaching designers a security mindset will go a long way toward making future technological systems more secure.
Another way to think like a security engineer is to think like a hacker. To explain this, I need to ask whether anyone has watched the famous film "Catch Me If You Can".
In the movie, Carl Hanratty, played by Tom Hanks, is the role model for how to think like a hacker, and he finally catches Frank Abagnale Jr (played by Leonardo DiCaprio). If you want to protect a jewelry store from thieves, you need to think about how someone could get into the store without being noticed.
You don’t need to be a hacker to think like one. Infosec professionals don’t need to exploit the vulnerabilities they find, but if they don’t see the world that way, they will never find any security problems.
Security Engineers find out what can go wrong.
According to a Clark School study at the University of Maryland, a computer with Internet access is attacked every 39 seconds on average. On the other side, the cat is chasing the mouse as best it can. Patching and updating, as a result, is an essential part of security management.
A security consultant is required to think with a growth mindset. ISO 27001, the international standard for Information Security Management Systems (ISMS), is built around the same Plan-Do-Check-Act (PDCA) cycle that quality assurance has long used in production environments.
Continual improvement is a pivotal aspect of the ISMS in achieving and maintaining the suitability, adequacy, and effectiveness of information security in relation to the organization's objectives. There is a whole clause about continual improvement (10.2) in 27001.
New applications, new technologies, new users... Understand that the security landscape is always advancing. Like in The Transformers: although Optimus Prime is always there to fight the new enemies, he always has new weapons or a new look.
What you just did flawlessly will be outdated one day. Periodic update and review should be planned for at all times. Therefore, an open, creative, and flexible mindset is non-negotiable.
Security Consultants review and maintain.
3# Thinking like a hacker is NOT enough.
Thinking like a hacker helps you build a better barrier. But security is not only about offense and defense. Security design, if you are aware of it, is another element of the full picture.
In reality, everything has its limit, whether it is money, time, hardware, or software. A security architect, therefore, is the person responsible for considering the boundaries. The clearest distinction between a great security architect and a security engineer is the boundaries.
If you keep trying to increase the security level of the system, it will not work. Why? Because no one wants to go in and out of a maximum-security prison to get to work every day. That is why choosing between usability and protection is a crucial part of security design.
When thinking about boundaries, the first thing to bear in mind is the scope of protection. What is the target of protection? What is the goal we want to achieve with this control? The boundaries should be drawn around the assets, not somewhere else.
The second boundary is the baseline. Before making the first move, think about what cannot be removed, what is non-negotiable. For example: anti-malware must be up to date on every active system in the environment; and the catch-all "deny any-any" firewall rule must be the last rule in the set, so that anything not explicitly allowed above it is blocked, and nothing placed after it is silently shadowed.
The last boundary is resource limitations. With the first and second boundaries considered, the architect should now have a clear purpose and know what should be done first. Prioritization is now possible. Keep asking yourself, "What's the catch?" whenever something is accepted or discarded. There is no free lunch, and security thinking is no exception.
Security Architects make early decisions based on boundaries.
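As an added example (not code from the original post), here is a small Python check that turns the two baseline items above into something you can run against a rule set and a host inventory: the catch-all deny must exist and be last (with nothing shadowed behind it, and no "allow any-any" anywhere), and every active host must have recent anti-malware signatures. The rule and host formats, the sample rules and hosts, and the seven-day signature age threshold are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Rule:
    """Simplified firewall rule (constructed format, not a vendor syntax)."""
    action: str   # "allow" or "deny"
    src: str      # CIDR, or "any"
    dst: str      # CIDR, or "any"
    port: str     # port number, or "any"


@dataclass(frozen=True)
class Host:
    """Inventory entry with the last anti-malware signature update."""
    name: str
    active: bool
    signatures_updated: date


def is_catch_all(rule: Rule) -> bool:
    """True for an any-any-any rule, i.e. one that matches all traffic."""
    return rule.src == "any" and rule.dst == "any" and rule.port == "any"


def check_firewall_baseline(rules: list[Rule]) -> list[str]:
    """Baseline: an explicit catch-all deny exists and is the last rule.

    Returns a list of findings; an empty list means the baseline holds.
    """
    findings: list[str] = []
    last_idx = len(rules) - 1
    has_final_deny = False
    for i, rule in enumerate(rules):
        if not is_catch_all(rule):
            continue
        if rule.action == "allow":
            findings.append(f"rule {i}: allow any-any lets everything through")
        elif i != last_idx:
            # Ordered evaluation: rules after a catch-all deny can never match.
            findings.append(
                f"rule {i}: deny any-any is not last, rules {i + 1}..{last_idx} are shadowed"
            )
        else:
            has_final_deny = True
    if not has_final_deny:
        findings.append(
            "no final deny any-any: unmatched traffic falls through to the platform default"
        )
    return findings


def check_antimalware_baseline(hosts: list[Host], today: date,
                               max_age_days: int = 7) -> list[str]:
    """Baseline: every active host has signatures no older than max_age_days.

    The 7-day threshold is an assumed policy value, not from the post.
    Inactive (decommissioned) hosts are out of scope and are skipped.
    """
    cutoff = today - timedelta(days=max_age_days)
    return [
        f"{h.name}: signatures last updated {h.signatures_updated}, "
        f"older than {max_age_days} days"
        for h in hosts
        if h.active and h.signatures_updated < cutoff
    ]


# Constructed sample input (not real infrastructure).
WEAK_RULES = [
    Rule("allow", "10.0.0.0/8", "10.0.1.5", "443"),
    Rule("deny", "any", "any", "any"),              # catch-all placed too early
    Rule("allow", "10.0.0.0/8", "10.0.1.6", "22"),  # never reached
]
GOOD_RULES = [
    Rule("allow", "10.0.0.0/8", "10.0.1.5", "443"),
    Rule("allow", "10.0.0.0/8", "10.0.1.6", "22"),
    Rule("deny", "any", "any", "any"),              # explicit default deny, last
]
TODAY = date(2024, 5, 3)
HOSTS = [
    Host("web-1", True, date(2024, 5, 1)),
    Host("db-1", True, date(2024, 4, 10)),     # stale signatures
    Host("old-lab", False, date(2023, 1, 1)),  # decommissioned, out of scope
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("good", GOOD_RULES)):
        print(name, check_firewall_baseline(rules) or "baseline holds")
    print(check_antimalware_baseline(HOSTS, TODAY) or "signatures current")
```

Run it and the weak rule set produces two findings (the deny is not last, and therefore there is no final deny), the good set none, and only db-1 is flagged for stale signatures; old-lab is skipped because it is not an active system and so falls outside the scope boundary.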
Thank you for reading. While all of these are important, you should consider what situation you are in and think like the role you are supposed to be at that moment. And remember, be calm.
Attack and Defense: Security Engineer.
Review and Maintain the security landscape: Security Consultant.
Make decisions based on boundaries: Security Architect.
Happy reading and security thinking.