Sunday, March 12, 2006

Jedi Training for Security Professionals

Security is a double-edged sword. During the 6th century BC, Sun Tzu said the following in "The Art of War":

So it is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle.

I have always said that security professionals have to be right 100% of the time. They have to seal every hole and give attention to every possible threat. However, attackers need to be right only once. In the words of Sun Tzu, security professionals can't afford to "win one and lose one". Security isn't a checkbox on a compliance worksheet; it is a journey of good versus evil...black vs. white.

Therefore a security professional must know their enemy as well as they know themselves. That is a tall order for most people, but it is possible. If you want to stop hackers, you must think like a hacker, you must problem-solve like a hacker, you must have the mindset of a hacker...you must be a hacker.

I joke with my friends and call security training "Jedi Training". But it really isn't a joke; you must learn to bring out that hacker mindset...the hacker force, if you will.

So how do you do it? And where do you start?

Tough questions, and there is no one answer. Some people have an inclination toward the hacker mindset from the very beginning. When I was little, I always wanted to take stuff apart, and I had to know how things worked. I wanted to understand the world around me at the deepest level. Well, that desire has now moved into the new age - the digital age.

The general public sees computers as tools, but they really do make the world around us. The money you keep in the bank is stored as a database value, nothing more. Your credit limit and rating are again database values controlled by computers. All the information about you is stored and accessed via computers. You are who the computer says you are.

This stored information about you is the "truth" of your life. But that "truth" is controlled by computers...and those computers are controlled by people. Some good, some bad.

So how do you learn about security? Well, it requires a whole heap of reading and playing. If you don't like computers or you don't really like to read, then you have hit a wall right out of the gate.

Here is a collection of apps and websites that can help you in your quest for Jedi power.

Jedi Training Applications

WebGoat
Hacme Bank v2.20
Hacme Books

Jedi Training Websites

Hackthissite.org
Blind-Dice.com
MindLock Security
Starfleet Academy (currently not working)

Jedi Training Books

The Art of Deception
The Art of Intrusion
Stealing the Network - The Series
Hacking Exposed - The Series
Rootkits - Subverting the Windows Kernel
Exploiting Software - How to Break Code
Google Hacking for Penetration Testers
Reversing - Secrets of Reverse Engineering
Security Warrior
Hacking - The Art of Exploitation
Silence on the Wire
The Shellcoder's Handbook
The Art of Computer Virus Research and Defense
OS X for Hackers at Heart
19 Deadly Sins of Software Security
Malware - Fighting Malicious Code
WarDriving Drive, Detect, Defend - A Guide to Wireless Security
Know Your Enemy - Learning about Security Threats
Windows Forensics and Incident Recovery
plus many many more.

Go. Read. Learn. Hack. Protect.
