Trust Nothing if You Want Real Security

As I looked over the schedule for Check Point’s CPX 360 conference, one keynote session jumped out at me, not because of the topic but because of the name of the presenter: Freaky Clown, in all caps. “You’ll want to go to that one,” someone from Check Point told me. “Hacker keynotes are always interesting.”

Freaky Clown came out on the stage. From my vantage point at the back of the auditorium at the press desk, I only saw him in shadows and blocked views (thanks to the people standing in front of me), but his British accent rang clear when he said what drives him as a hacker: “Trust issues.”

As in, you can’t trust anything when it comes to cybersecurity.

A Hacker’s Mind

Overall, hackers have a bad reputation. I, and all of my fellow security writers, have discussed the damage hackers can do when they are in your system, and they are often referred to as bad guys. But ethical hackers—the white hats—are necessary, too; these are the guys who will test your network for vulnerabilities and other problems. The best white hat hackers often start off as bad guys; they know how to get into your system to commit crime, and they’ll know how to get into your system to show you where your faults lie.

The hacker’s mind isn’t just focused on nefarious deeds. Hackers also have to know their way around things such as databases, operating systems and exploits. These are skills anybody can learn, but having those skills doesn’t make you a hacker. It’s about the mindset, the mentality of how a hacker approaches issues and tasks. And this is where we get into those trust issues.

“I don’t trust anyone who tells me something,” Freaky Clown told his audience. “Someone comes to me and says their product is military-grade secure. I don’t think so. I’m going to test that and check it out until I see that it is trustworthy. And then I’ll start using it.”

Gaining Trust

Do you trust your security systems to protect your data and your network? Probably yes, because otherwise you’d deploy other systems. But how well did you investigate those systems before you deployed them—and do you continue to test them after you’ve been relying on them for a year, two years?

Trust is especially important in cybersecurity, yet many of the security tools we use aren’t secure. Freaky Clown said he was able to find vulnerabilities in some open source security tools just by using them—not testing them, but in regular use. Yet organizations invest in and use many security tools and systems simply because they assume the tools are effective and, in turn, are improving their security posture. Instead, by automatically trusting the system rather than earning trust through testing, these organizations are engaging in security theater.

“Being a hacker means you don’t take security theater lightly,” Freaky Clown said. “You have to go after it. Every time you see security theater, you have to knock it down.”

How much does Freaky Clown advocate his theory of trusting nothing until he understands it? Well, one of the stories he shared was his fear of planes. He refused to fly—until a friend gifted him with flying lessons to help him get over his fear. “Until I’d flown a plane myself,” he said, “I wouldn’t get on a plane. Unless I completely understand it, I’ll never use it.”

We don’t all have to go to that extreme, of course, but his overall theory makes a lot of sense. You and your organization have a lot to lose if your security isn’t top-notch—not just your cybersecurity, but also the physical security of your building, your data center and your devices. Do you trust your security systems to protect your organization’s most valuable assets? If you don’t have a high level of trust, you probably don’t have a high level of security.

Sue Poremba

Sue Poremba is a freelance writer based in Central PA. She has been writing about cybersecurity and technology trends since 2008.