The Security Mindset
Last night I was reading through some posts on some other sites I’ve missed in the past couple weeks (darn real job), and stumbled upon this one by Richard Bejtlich. Basically, someone with particularly poor spelling asked if he could pay Richard to tutor him and just brain dump his entire career of security knowledge, since this particular reader “cannot afford nor have the time to take a full collage course on the topic of network security“. And I didn’t even know there were collage courses in security! Is that like cutting up printouts of packet dumps and pasting them into pretty pictures of routers? Do I sign up at the art school next to the comp sci lab?

But I digress. And suspect that individual is saving up for a spell checker before college.

In his response Richard reminds us that there are no short cuts, and lists some books to help build foundational knowledge. While good advice, I think there’s also something far more important every security professional, physical or IT, should foster within themselves. It’s the “security mindset”.

The name and tag line of this blog are a pathetically humorous attempt to put some words around this nebulous concept. The security mindset isn’t something you can get from reading a book or taking a course, but if you want to be good, really good at security it’s something you absolutely need to develop. The mindset is why my old friends from physical security days never get hacked at home, no matter how bad their technical skills. They just get security.

I suspect if you poll a lot of my fellow bloggers and security professionals, all of them can point to people who “just get it” no matter how little formal training they have. They can also, probably more easily, point out plenty of people with “security” in their title that don’t really grok security. I’ve met people at all levels, from security operations to analysts to CISOs, that never really get it. Without a security mindset you’ll never be good at security, no matter how many books you read or courses you take. You might be decent at maintaining firewalls, setting user permissions, or running vulnerability scans, but you won’t be the person your organization turns to for the tough problems. You’ll be tactical, good at some menial tasks, but never really understand what’s going on around you and never be able to get ahead of the threats.

When people ask me what certification and educational background to look for in hiring someone new for security, I always make a pitch to try and get them to value a good security mindset over a resume. Problem is, I’ve never been good at describing how to identify this nebulous attitude.

Considering the name and tag line of this site, you’d think it’s something I’d have down by now.

Rather than subject you to another one of my mega-posts (like the DRM thing) I’ll just mention part of it today. Mostly because I’m making this up as I go.

The foundation of the security mindset is built on paranoia and cynicism. You always assume something will happen, and you don’t believe in anything. Yeah, it makes you real fun at parties, but eventually you get enough cool stories that people won’t care about your lack of personality. Then again, there’s probably a reason cops, firefighters, paramedics, and cryptographers tend to hang out just with other cops, firefighters, paramedics, and cryptographers (not at the same parties).

For the rest of this series we’ll build on this foundation and talk about some more specific ways of thinking like a security geek.

So how do you build the mindset?

You immerse yourself in security, and I don’t mean the job. Don’t read books on cryptography, go read some quality spy novels and security tales with ultra-paranoid protagonists that consistently improvise creative solutions to hopeless problems. The Bourne Identity is a great start, maybe followed by a few Jack Reacher novels and capped off by early Clancy (a bit of a freak job, and nothing past Clear and Present Danger is worth your time). I also like Cryptonomicon and Rainbows End. As for movies, watch Sneakers and Enemy of the State. Everything else is crap. Remember, these are fantasy; you’ll need to suspend some disbelief and let yourself roll with it. Some of the best social engineering to ever hit the silver screen is in Sneakers, despite possibly the worst representation of cryptography in history.

Then start to build some awareness. When you walk into a store, figure out how you’d rob the place blind (and, uh, don’t do it). When you go to a concert, try to spot a free way in (it’s easier than you think). Pick apart airport security and figure out which parts work and which don’t. Maybe even take a good martial arts class, not some streetfighting garbage, but a real martial art with history and lessons on strategy, tactics, and reading your opponent.

Become paranoid. Trust no one. Think like a bad guy.

That’s probably a good start. There’s more to come.

4 comments

  1. Certifiable Apr 4

    I have been trying to describe the exact same phenomenon for years, and I am thrilled that a) someone else has noted that it takes more than just knowledge and experience, but a truly different world view and b) someone else has as much trouble describing it as I do. Nice!
