A friend of mine noticed that garbage bin collection day was like a port scan that revealed which houses on a suburban street are unoccupied during the day. He reasoned as follows:
- Bins are collected from the curbside once a week, usually in the morning.
- People who are at home during the day almost always bring their bin in from the curb once they notice that their rubbish has been collected.
- If you drive down the same suburban street once a week for a couple of weeks at about 3pm on rubbish day and make a note of which houses always have an empty bin sitting by the curb, you’ll have a pretty good list of which houses are empty for most of the day on rubbish day.
Ordinary people don’t notice things like this. Ordinary people don’t think about security often, if at all. On the other hand, people who are good at thinking about security notice this sort of thing all the time. Once the security mindset switch has been flicked in your mind, it probably cannot be “unflicked”.
There is no straightforward way to get the security mindset. Learning facts and learning to think in a particular way are two very different things. Given time, anyone can learn a rote set of facts through memorization. Thinking securely isn’t about recalling a set of security-related facts; it is about viewing the world in a particular way. But how do you do that? How do you teach anyone to think in a particular way? Heck, how do you teach people to think systematically about anything?
I’m not sure I have any concrete answer, but one suggestion I can make is that you subscribe to Bruce Schneier’s monthly Crypto-Gram newsletter and expose yourself regularly to its contents. (Sign up at http://www.schneier.com/crypto-gram.html)
Schneier’s newsletter provides interesting information about what is going on in the world of security. He discusses and pulls apart issues, and gives the audience questions to consider that might not have straightforward answers (or any answers). So how does this help you get a security mindset? By raising security issues and making you work through them, he gets you to think systematically about security. Gradually, through constant exposure to these sorts of questions and topics, your own world view will shift. At least that is one of the things that I noticed worked for me.
Once you start really thinking about the issues that Schneier raises, you’ll probably start thinking about the same sort of things as they apply to your own network environment. You will find yourself asking the same kind of critical questions: is the control you’ve deployed actually effective, or is it just really good at looking effective? When you have a security mindset you won’t think of security as merely checking items off a list (which of course has its place), but will start thinking systematically and critically about the process of security itself.
You also won’t think of things like rubbish bin collection day the same again.