One Article Review

Home - The article:
Source: AlienVault Blog
Identifier: 459639
Publication date: 2018-01-24 14:00:00 (viewed: 2018-01-24 14:00:00)
Title: Mental Models & Security: Thinking Like a Hacker
Text: In the world of information security, people are often told to “think like a hacker,” which inevitably reminds me of Sylvester Stallone muttering his line in Demolition Man -- “Send a maniac to catch a maniac”. While such words of wisdom work great for movies, they tend not to be very helpful for those trying to understand what thinking like a hacker actually involves. If you think of a hacker with a very narrow definition (e.g. someone who only breaks web applications), it leads to a counterproductive way of thinking and of conducting business.

A little knowledge is a dangerous thing, not least because isolated facts don’t stand on their own very well. As legendary investor Charlie Munger once said:

“Well, the first rule is that you can't really know anything if you just remember isolated facts and try and bang 'em back. If the facts don't hang together on a latticework of theory, you don't have them in a usable form. You've got to have models in your head. And you've got to array your experience, both vicarious and direct, on this latticework of models. You may have noticed students who just try to remember and pound back what is remembered. Well, they fail in school and in life. You've got to hang experience on a latticework of models in your head. What are the models? Well, the first rule is that you've got to have multiple models, because if you just have one or two that you're using, the nature of human psychology is such that you'll torture reality so that it fits your models, or at least you'll think it does. …”

For security pros, it’s worth bearing this in mind. Multiple mental models from different disciplines are needed to make good and informed decisions. When we look at the thought process of a (competent) security professional, it encompasses many mental models. These don’t relate exclusively to hacking or to wider technology, but instead cover principles that have broader applications. Let’s look at some general mental models and their security applications:

1. Inversion

Difficult problems are often best solved by working them backwards. Researchers are great at inverting systems and technologies to illustrate exactly what the system architect would rather have avoided. In other words, it’s not enough to think about all the things that can be done to secure a system; you also have to think about all the things that would leave a system insecure. From a defensive point of view, it means not just thinking about how to achieve success, but also about how failure would be managed.

2. Confirmation Bias

What someone wishes, they also believe. We see confirmation bias deeply rooted in applications, systems, and even entire businesses. It means that two people with opposing views on a topic can see the same evidence and come away feeling validated by it. It’s why two auditors can assess the same system and arrive at vastly different conclusions as to its adequacy. Confirmation bias is extremely dangerous from a defender’s perspective, because it clouds judgement, and it is something attackers take advantage of all the time. People often fall for phishing emails because they believe they are too clever to fall for one, or too insignificant to be targeted. It’s only when it’s too late that reality sets in.

3. Circle of Competence

Most people have a thing they’re really, truly good at. But if you test them in something outside of this area, you’ll find they’re not particularly well-rounded. Worse, they may be ignorant of their own ignorance -- you probably know this as the Dunning-Kruge
Tags: Guideline


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.