Words to the Wise
Nov 13, 2009 Opinion
Recently Dave from the DailyDave security mailing list said something very insightful that I wanted to re-post here:
When you go into security consulting engagements with a new business unit you usually face a few questions from the developers and business owners. “What is it exactly that you’re going to tell us?” We always answer this the same way: “Things that will surprise you.”

Most developers have read a lot about security these days – they understand SQL Injection, Cross Site Scripting, access control, not to use their own cryptographics, and all sorts of other security truisms. What they can’t possibly understand is how a hacker’s mind works, and what they’re likely to find. Even security specialists who have only worked defence often have never really seen a hacker go.

Largely I think this is because there’s a difference between someone playing cards with chips and someone with their house and life on the line. People say penetration testing is a model of an attacker. But how do you model obsession?

- -dave
I totally agree. We can use the same tools and adopt the same techniques, but the mind of an intruder may be so alien to any defender that the gulf between the two mindsets prevents comprehension and hinders our efforts to combat them.
November 14th, 2009 at 19:14
Dave makes some good points, although it’s unclear just how such insights can be employed to enhance clients’ security measures. I think there is a degree of sociopathy involved with some hackers (regardless of criminality) that is completely contrary to the worldview of those engaged in defensive strategies. After all, the freedom that the hacker exploits on-line is also the user-friendly freedom coveted by many victims of hacking.