A quirk of a good security person
04/20/15 Category: Thoughts
I was pondering one day what attribute makes a good security person, and then it hit me.
It all started with the one question that keeps me up at night: Am I secure?
Our culture is based upon a guilty-until-proven-innocent mindset. That's clearly not healthy when it comes to security and, as mentioned before, this is a false sense of security that all the numbers clearly expose.
We have to start with assuming we are not secure and work backwards from there. It almost seems unhealthy and then I made a quirky connection. Perhaps hypochondriacs have the right mindset for security? They always assume something is wrong, something isn't right, something appears off and even the lack of any evidence is evidence of something bigger festering underneath. Those are the ideal approaches to security. Even better, they seek the counsel of outside experts to confirm (perhaps deny) their suspicions.
It kind of makes me think about penetration testing to prove one is secure, but that's flawed too… (another article)
Every now and then I go on rants and start ripping through data and checking everything:
- What devices are on the network?
- What has changed?
- What connections are happening not just from the outside in, but more importantly from the inside out?
- Are all the firewall access policies correct?
- Do we need more layers somewhere?
- Can I confirm all traffic?
- Can I confirm all wireless access?
- Can I confirm all remote access?
- Have anyone's credentials been breached?
- Could they?
- Where did they come from?
- Can I confirm/correlate location and credentials?
- What programs are running and talking to the network?
Granted, that is a VERY short list of things (symptoms…) I consider. However, the idea is to assume all is not well and then attempt to prove it is.
If you're in security, keep current on all the ailments that are out there, assume things are not well, and then prove that perhaps, just perhaps, they are. Go ahead, be the best hypochondriac you can. In security, you better learn to embrace the paranoia.