Security Mindset

Bruce Schneier's remarks about the security mindset, the way of thinking you need in order to design effective security countermeasures and to think like an attacker, are interesting.

He’s certainly correct that such a mindset exists and it’s extremely difficult to teach, though I’m not completely convinced it’s something you’re born with. As with many things in life, determination, patience and practice are key factors.

In fact it is always essential to get an independent evaluation of any complex design, such as a cryptographic algorithm. Often the originator is too close to see the flaws. And there always are flaws.

And you do have to think differently. I once hired the late great Donald Davies, the inventor of packet switching, to review a cryptographic algorithm. “How long will it take?” I asked. “It’ll take three weeks” he replied. “Just give it to me in any computer language. I can read them all. And I’ll put it in my head. Three weeks should be enough thinking time. After that we’ll get diminishing returns.” Wow.

1 comment

The mindset of "think like a thief to catch a thief" has been around a long time. I suspect though that the world of cyberterrorism, hacktivism and cyberplayfulness requires an additional element of personality trait. Since many cyberwarriors have more than one personality due to the nature of gaming, hacking, etc., I would also expect the cyberpolice to have personality elements consistent with the people being chased. Bruce will be in Budapest at the CISO conference in June so I will ask him what type of personality trait he has :-) I was also delighted by your story of Donald Davies. I was introduced to him many years ago by Henry Beker when he was a frequent guest as an after-dinner speaker at the Zergo Training Club. Wonderful stories and a wonderful man. He gave a lovely insight into the issues related to the Enigma machine at the Science Museum during the Zergo 10th Anniversary celebration. I think he was involved in the early development of the Sky Satellite encryption mechanisms but that may be my memory playing up :-)