About Me

Bay Area, CA, United States
I'm a computer security professional, most interested in cybercrime and computer forensics. I'm also on Twitter @bond_alexander All opinions are my own unless explicitly stated.

Tuesday, August 3, 2010

On the Security Psychology and Ethics

Good security people, whether physical or cyber, share a common mindset that makes us distinct from most people.  Living in society, most people follow the rules of what's considered acceptable behavior and they expect everyone else to do so as well.  As a result, much of the time people don't even think about other ways even being possible.  It's that blind spot that creates vulnerabilities for criminals to exploit.  Good security people are able to look at the rules and assumptions people have about what other people do and say "That's how they're expecting people to act.  What if I do this instead?".  This allows us to find these vulnerabilities, hopefully before criminals do, and encourage people to close them.  Bruce Schneier wrote an excellent article on the subject.

At the California Cyber Challenge camp this year, I was watching a discussion between security people which erupted in an interesting way.  One side was arguing in favor of leniency towards criminal hackers, arguing that as long as their crime is motivated by curiosity rather than profit or malice, they can still be turned back to be a productive member of society.  The other side was arguing that it's still a crime and they should be punished for their infractions.  This is, of course, an old argument that crops up not just in the computer security field, but in the criminal justice system at large.  Watching it play out, I realized that there's not just one security mindset, but at least two.

On one side we have the penetration testers, vulnerability researchers, cryptanalysts, and other "offensive security" types.  They're good at seeing the vulnerabilities in systems and figuring out how to exploit them, so that other people can fix the vulnerabilities.  The people arguing for leniency for "non-malicious" cyber criminals were from this category.

On the other side we have the system administrators, security researchers, intrusion detectors, incident response people, and other "defensive security" types.  They're good at detecting and blocking attackers and implementing and enforcing security policy.  Forensics people have some of both talents, able to detect and analyze attacks, but also cracking passwords and reverse engineering malware.  However, in terms of mindset and ethics, they seem to be more closely aligned with the "defensive" types.  The people arguing against the category of "non-malicious" cyber criminals were from this category.

My interests and talents lie on the "defensive" side of the spectrum.  Although I can understand how the offensive people may have dabbled in criminal behavior in their youth, fundamentally security positions are powerful.  We hold the keys to the integrity of the network.  We stand between the criminals and secret data. We need to have very strong ethics and personal integrity, because organized crime is getting involved and may try to corrupt us.  In my opinion, once someone starts justifying and using the darker aspects of security, it makes them vulnerable to corruption.

But that's just my opinion, and I'm interested to know what others think.

No comments:

Post a Comment