Evolving Schneier’s Security Mindset


  • “Security requires a particular mindset. Security professionals — at least the good ones — see the world differently. They can’t walk into a store without noticing how they might shoplift. They can’t use a computer without wondering about the security vulnerabilities. They can’t vote without trying to figure out how to vote twice. They just can’t help it.”
    - Bruce Schneier

    For me, acquiring a “security” mindset wasn’t tough.  I was lucky enough to work with some great penetration testers.  The whole “social engineering” thing was easy to “get”, too.  By my second engagement, I acquired a love for figuring out how to manipulate the denigrated bureaucracy.

    The problem with the security mindset is that, in risk analysis, it carries over as a bias.  When I’m out training organizations, there’s usually a really smart guy with ages of cybercop experience who will devolve the conversation about Vulnerability (Threat Capability vs. our Controls) into how he would use his knowledge of the systems and their weaknesses to possibly steal millions and millions of dollars/identities/trade secrets/whatever in a particularly clever way.  It happens every session.  It’s not a bad thing – but it has to be qualified within the context of the applicable threat community.  Are we really worried about an uber-brilliant admin with 20 years at the company and intimate knowledge of the systems architecture as a threat community?  Maybe we are, and if so this is a great and relevant discussion.

    But if we’re not able to throw the resources at a problem needed to address someone whose skills and resources are in the top 1/10 of 1% of the threat community out there, what we’ve done is go down a rabbit trail: *if* an attacker had near-perfect knowledge of the system and its defenses, it would be possible to evade prevention, detection, and most likely response until it was too late.  Great, but there’s a bias there that we’re carrying into the discussion because of the security mindset.

    The thing is that once the security mindset matures with experience we *know* that it is possible for any system, regardless of physical location or the vendors that supply its software, to be compromised.  The question the risk analyst must answer, however, is really “What is *probable*?”   And we should really belabor the point that “What is probable?” is not just a “Can it be done?” question. Yes, Level of Effort or Skills & Resources are relevant pieces of prior information, but what is similarly (if not more) important is the concept of frequency of events – or “*Is* it being done, or is it more likely to be done in the future, and at what rate?”

    EXAMPLE OF THE DIFFERENCE

    There should probably be a Godwin-esque law about 9/11 examples and security by now, but you’ll forgive the indulgence.  Post 9/11, we had all sorts of questions about the risk of attackers and national infrastructure.  And the reason isn’t because we couldn’t imagine all sorts of creative attacks against nuclear power plants, metropolitan water supplies or high-visibility entertainment venues.  Our uncertainty was due to a perceived possibility of an increase in frequency.  They did something spectacular once; (when) will they do it again?

    This should be the mindset of the risk analyst.  Understand that it can be done, and how it may be accomplished, to be sure.  But it’s imperative that we frame that knowledge within the context of frequency and impact considerations.

    For me, the good news is that mindsets don’t seem to be fixed.  Training analysts in FAIR has shown me that these mindsets can be learned and unlearned.  In fact, I’m starting to think that a sign of IQ/EQ/whatever might be said to be the speed with which one may adopt other mindsets.

    Relevant References:

    http://www.bloginfosec.com/2008/04/10/the-misleading-nature-of-schneiers-security-mindset/

    http://www.schneier.com/blog/archives/2008/03/the_security_mi_1.html


    12 comments

    1. Walter Apr 28

      The trick is that this is often exactly how systems are exploited internally. The recent bypassing of internal controls in a number of banks regarding mortgage protections, and in a major French bank were all done with exactly that kind of insight into system operations and internal controls.

      It is a failure to take such internal risks seriously enough that has brought about massive problems in the banking industry.

    2. Alex Apr 28

      @Walter:

      Sure. I never meant to suggest that the Security Mindset is not beneficial in studying vulnerability for applicable threat communities (as I said, it’s most definitely useful prior information). *As long as that’s the threat community you’re concerned with.* But that information (how a technically proficient and privileged insider might attack and benefit) also needs to be taken within the context of frequency.

      For example, we could study not only the creative ways that threat community could hurt us, but also how frequently we can expect a privileged technical insider to go bad. Apparently, out of tens of thousands of traders out there – we’ve had about 11 of those showstopper type incidents in the past 15 years (Source: Protiviti Flash Point: Société Générale Aftermath – A Call to Action). And in our risk analysis, we would optimally use both this “security mindset information” (in developing our vulnerability and impact estimates/measurements) and frequency information to present useful information for sr. mgmt decision making.

      Point is, the information we provide in terms of frequency, impact, and the level of control needed to move the current state to match risk tolerance is the next evolution of the mindset. We have to move beyond “it’s possible” or there will continue to be significant credibility issues for our profession.

    3. dutcher Apr 28

      Nicely done, sir.

    4. Walter Apr 29

      Frequency is of interest, but so is impact. The action of one of those insiders may have single-handedly destroyed the lion’s share of one bank’s capital assets and its reputation.

      In addressing risk, impact needs to have just as much weight in the equation as frequency – if not more so, and it is infinitely more reliably measurable.

    5. Alex Apr 29

      @Walter:

      We’re in agreement on impact. I didn’t cover impact in the blog post, and as you bring up – it’s as important.

      One of the reasons I didn’t bring it up directly is because my mind now works in a FAIR way – where there are two “branches” to the risk tree – frequency and impact. We could say that ‘Security’ focuses on one part of the frequency branch. I focused solely on that branch in this post.

      Thank you for bringing up impact. I feel I’ve been rather dull now :)
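As an added illustration of the frequency-times-impact framing discussed in comments 2 and 5 (this is not code from the post or from FAIR itself), the following Python sketch turns the base rate quoted above (about 11 showstopper insider incidents in 15 years across tens of thousands of traders) into a per-firm annual event rate, then simulates both risk-tree branches: a Poisson frequency branch and a lognormal loss-magnitude branch. The population of 20,000 traders, the 500-trader firm, and the loss distribution are constructed assumptions.

```python
# FAIR-style sketch of "possible" vs "probable": a Poisson frequency branch
# combined with a lognormal loss-magnitude branch by Monte Carlo simulation.
import math
import random

def annual_rate_per_firm(incidents, years, population, firm_headcount):
    """Scale an industry base rate (events per person-year) to one firm's headcount."""
    per_person_year = incidents / (years * population)
    return per_person_year * firm_headcount

def prob_at_least_one(rate, horizon_years=1.0):
    """Poisson probability that at least one loss event occurs within the horizon."""
    return 1.0 - math.exp(-rate * horizon_years)

def poisson_sample(rng, rate):
    """Draw one Poisson(rate) count (Knuth's multiplication method; fine for small rates)."""
    limit = math.exp(-rate)
    k, p = 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k

def simulate_annual_loss(rate, loss_median, loss_sigma, trials=20000, seed=1):
    """Monte Carlo over both branches: Poisson event count x lognormal loss per event.
    Returns summary statistics of the simulated annualized loss distribution."""
    rng = random.Random(seed)
    mu = math.log(loss_median)          # lognormal parameter giving the requested median
    losses = []
    for _ in range(trials):
        n = poisson_sample(rng, rate)   # frequency branch: how many events this year
        total = sum(rng.lognormvariate(mu, loss_sigma) for _ in range(n))  # impact branch
        losses.append(total)
    losses.sort()
    return {
        "p_any_event": sum(1 for loss in losses if loss > 0) / trials,
        "mean": sum(losses) / trials,
        "p95": losses[int(0.95 * trials)],
        "max": losses[-1],
    }

if __name__ == "__main__":
    # Base rate from the comments: ~11 incidents in 15 years across "tens of thousands"
    # of traders; 20,000 traders and a 500-trader firm are assumed here.
    rate = annual_rate_per_firm(incidents=11, years=15, population=20000, firm_headcount=500)
    print(f"expected events/year: {rate:.4f}, P(>=1 in a year): {prob_at_least_one(rate):.4f}")
    # Loss magnitude: a constructed lognormal with median 1e9 and sigma 1.0 (assumption).
    stats = simulate_annual_loss(rate, loss_median=1e9, loss_sigma=1.0)
    print({k: round(v, 2) for k, v in stats.items()})
```

With these assumptions the event is clearly possible (the maximum simulated year is a large loss) while the 95th-percentile annual loss is zero, which is the gap between "can it be done" and "what is probable" that the post is arguing about.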

    6. roodee Apr 30

      Good post. I’d add that the security mindset is most useful in identifying “what is possible” or simply, vulnerabilities. After this identification the security mindset can sometimes be a hindrance to the quantification of probability. A different approach, and one that Alex has mentioned quite a bit, is required to move from what is possible to what is probable. I think we’ve perhaps misused the security mindset for the probability and now some are paying a price for the lack of clarity and realism it provides.

    7. Falafulu Fisi May 1

      Risk is dynamic, so it has to be treated as such. Most risk analyses today still use the static model (i.e., time-independent). Dynamical risk analysis looks at the whole of the dynamics of a system, which is a function of time, i.e., “R(t)”, where “R” is the risk as a function of time. Dynamic risk analysis is applicable to computer software network security intrusion detection. It applies to the financial markets and all sorts of disciplines.

    8. Alex May 1

      Hi Falafulu!

      I completely agree – see all that we’ve posted on this blog about the importance of time-framing, and the addition of frequency to analysis (aka dynamic risk models).

    9. Peter May 13

      Or (in one sentence) look at what are the most important issues – and be constructive.

    10. best mattress 2014 Sep 12

      Great beat ! I would like to apprentice while you amend your web site, how can i subscribe for a blog website?
      The account helped me a acceptable deal. I had been tiny bit acquainted of this your broadcast
      offered bright clear idea

    1. The Security Mindset: Question Everything - The Equalizer Report
    2. AI Risk and the Security Mindset | Machine Intelligence Research Institute
