[BreachExchange] Security Experts & Hackers: We're Not So Different

Destry Winant destry at riskbasedsecurity.com
Sat Jul 8 00:05:34 EDT 2017


http://www.darkreading.com/partner-perspectives/evidentio/security-experts-and-hackers-were-not-so-different/a/d-id/1329253

Using the similarities among hackers and security programmers can be
an advantage.

Many of us who work in cloud security are driven by a common goal:
catch bad guys. We're not Harry Bosch putting the screws to some perp
in the interrogation room, or lying on a rooftop to pick off an enemy
at far range. But we know the damage that can be done by a malicious
hacker, and we want to stop it. What's more, we have the ability to
stop it ... or at least, we think we do, and this is why we deal in
the science and art of technology security.

Interestingly, the mindset of a hacker and a security expert is in
many ways quite similar. So is our training. In fact, the daily
experience, tactically speaking, is almost indistinguishable. Our
world is code, projects, delivery, iteration, many failures, and
ultimately (hopefully) the big win. We don't intend to inflict harm as
hackers do, but we are all intrigued with the pursuit of complex tasks
that require analytical thinking and creative approaches. As perverted
as it may seem, I'm sure hackers become overjoyed upon learning
they've entered a network or accessed data not meant for them. Yet, in
a similar way, the best security professionals experience the same
feeling upon delivering a solution that will identify hundreds of
misconfigurations across an entire enterprise.

I don't mean to suggest we are kindred spirits in a collegial way.
While there are parts of our brains wired in similar fashion, we are
most decidedly pitted against one another towards very divergent
goals. But having this same type of mindset helps security programmers
be more effective at understanding and identifying how to create
effective security and compliance solutions to thwart even the best
hackers. The feeling of success at having done so is what fuels so
much of this work, and it's how the best security products are built.

Security developers and hackers both have a mission. They have
training and knowledge, and are dedicated to their pursuits. Consider this
when building your security team, and when identifying how to secure
your cloud environment. The algebraist Carl Gustav Jacobi advised:
"Invert, always invert." In other words, think backwards to figure out
a solution. Programmers, irrespective of their proclivity for good or
ill, approach their goals in the same way; that mindset will be a huge
advantage for the good guys on your team who are pursuing hackers.

No one can truly appreciate security if they aren't participating in
it. If you create an environment where security is part of the general
mindset, it reminds your experts that you think security, in all its
forms, is important. It also creates an alert atmosphere, which is
precisely what is needed to reverse-engineer the devious thinking of
hackers. There is no morality tale here; those with a good yardstick
for right and wrong can see the twistedness of a ransomware attack.
They may also appreciate the creativity in how it was engineered. But
admiration is followed by a take-down mentality. There is victory in
knowing that you didn’t let the bad guy get away with it. You’ve put
your abilities to the task and have become the hero in the story.

Detectives and investigators hopefully don’t have experience doing the
things they seek to prosecute. HR might have a thing or two to say
about the homicide division hiring murderers just because they can put
themselves in the suspect’s shoes. But technology is different;
perhaps the right analogy is something like Hogwarts. Students are
given a foundation in wizardry, the same foundation, but they might
choose to use that knowledge for evil rather than good. That damn
Lucius Malfoy and his beautiful, flowing locks of white hair.

Hackers get smarter and bolder every day. Correspondingly, so must the
people trying to prevent security breaches. Environments that prize
tinkering and problem solving will be able to build teams that prevent
the pursuits of hackers. In using similar thinking to that used by
hackers, you will help create a team that understands how to protect
your assets, can identify the right security automation and compliance
platforms to use, and will make your organization stronger in its
pursuit against the dark hats.

