Thursday, December 13, 2012

Cyber Defense: The facts associated with the hacker mindset

I made a really awesome contact with Terry Beaver, a cyber security expert to say the least.  During a recent conversation on LinkedIn, he directed me to his blog, Cyber Integrity.  I was immediately impressed by the first article I saw.  I've included the link to the article and his blog throughout so you can check him out.  Terry, thanks again for continuing to push innovation in the cyber security realm.
The facts associated with the hacker mindset:
  1. Modern computers are finite state machines – they do not “think.” Hackers are highly intelligent and well skilled at their craft. We must respect that fact.
  2. Information is a commodity and tradeable.
  3. What man can conceive – man can and will hack
  4. Retrofitting security onto existing platforms always fails – notwithstanding that most security systems were not designed from the inside out beginning with understanding the hacker culture and methods.
  5. Teenagers have far more time and more energy than adults and will focus on what is cool. The good hack is very cool. Bragging rights are cool.
  6. While this statement was being written, attack vectors were exploited all over the world.
  7. In the commercial world, security is considered not a revenue generator but a revenue drain. In government, it takes second place to red tape. Too many government and business leaders are indifferent to security and at best, it is an afterthought laden with reactive vs. proactive behaviors.
  8. Hackers operate under a meritocracy – clue matters more than prestige and points are scored with their peers for successful hacks.
  9. Information has a shelf life and is subject to being exploited for hacker benefit.
  10. Intellectual property and sensitive data is a means for me to support my lifestyle.
Postulates of a Hacker:
  1. Understanding how things work is an advantage over ignorance.
  2. Curiosity and ego are more powerful motivators than money.
  3. Nationalism is more important to hackers than ‘props’ (AKA don’t hack where you live – PRC is an exception).
  4. Not all people are rational, therefore choices are not predictable.
  5. Finding flaws and vulnerabilities requires an unstructured approach, out-of-the-box thinking. This is contrary to a U.S. Government cleared engineer who follows structured guidelines.
  6. Success is relative to your environment and your alcohol intake or abusive behaviors. Hackers do not follow social norms and are very self-centric in behavior. It may not be disciplined but often the “hack” works.
  7. There are no borders on the Internet
  8. Accountability is an effective “deterrent” against “insecurity” – applies to you, not I. If you fire me up, I will hit (hack) you.
The Hacker’s conclusions:
  1. If you turn it on and connect it, they will come – and try and take it.
  2. It is curious how very smart and knowledgeable people will beat disciplined trained people and then watch the disciplined ones hide their failures.
  3. The hacker mindset is learned by experience, not by rote or title. Our status is measured on our successes, not on your GSA rating or rank.
  4. Capture the flag is the best paradigm for understanding security.
  5. The race is on to achieve the rapid penetration, not to the organized or disciplined standard or followed policy.
  6. Conventional defenses in “cyber” warfare are easily circumvented and those that set conventional policy are the easiest to hack.
  7. If someone wants to breach your security seriously or badly enough – they will.
  8. The best defense is one that never blinks or sleeps or needs a break, is always on and is real time. Problem is, that is a big challenge for people that have secure benefits, families, run errands for the wife, and go home on holidays and weekends.  Hackers sleep only when they need to.
  9. Closing the barn door after the horse is gone does little good – if one program costs hundreds of millions of dollars to create innovation – and the R&D is acquired with very little work and time by an adversary, then the hack has met its goal and the owner of the R&D and his program has been compromised. It isn’t a simple task, for example, to fund and redesign a modern warfighter component that was years in the making once an enemy acquires your design.
  10. eCommerce is insecure – but so is regular commerce including banking (lead pipe rule)
  11. Advancing and emerging hacker technology always defeats information security policies.
  12. Risk analysis matters more than policies and compliance – stopping an attacker in their tracks on the next hack is far more important than compliance.
  13. There is no accountability for poor security – only excuses.
  14. Competent adversaries exist and are growing in ranks (ATM hacks, Heartland, etc.). Cyber threats are increasing, not decreasing.
  15. Confidentiality is a function of time and energy.
  16. Bureaucracies are threatened by people who want to know how things work and hackers demand the right to know.
