I grew up in a rough neighborhood (actually several rough neighborhoods) and got into more than my fair share of trouble. As a scrawny teenager learning to fit into society, I had to learn a lot of important lessons on how to protect myself and those around me.
Working as a security professional, I’m always surprised how often I use the things I learned growing up. You’d think mobile security has little in common with physical security, but the reality is that security is security. The rules are the same whether you’re trying to protect your body, your phone or a complex IT network.
Rule #1: You don’t need to be perfect; you just need to be a hard target.
Most people think of security as binary: A product is either secure or insecure. This couldn’t be further from the truth.
Security is about economics. Rational beings want the highest value for the least cost, and attackers (both physical and electronic) are much more rational than the media likes to portray. That’s why purse-snatchings are as common as ever, with perpetrators naturally targeting the weak and the elderly.
What this means is that your defense doesn’t need to be perfect; it just needs to be good enough, so that the effort to overcome it isn’t worthwhile. If there are similar targets with less security, attackers will go after them instead.
There’s an old joke about two guys being chased by a bear. One of them says, “It’s hopeless. We can’t outrun a bear!” His friend replies, “I don’t have to outrun the bear. I just have to outrun you!”
Rule #2: You’re only as strong as your weakest link.
When it comes to security, attackers have a natural advantage because they only need to find a single vulnerability. The best way to improve security is to strengthen the weak links. Making your strong points stronger doesn’t help; the attacker will simply work around them. Proper security needs to be built into every single part of a system – each of its components and all of their links—because a single insecure component or link makes the entire system insecure.
Smart home invaders don’t go through the front door; they smash a window. Getting through a locked door requires a lot of skill (lock picking) or strength (hulk smash). Getting through a locked window requires the ability to throw a heavy object. Advantage: Window.
So how does this apply to a fight scenario?
Rener Gracie is a fourth-degree black belt in Brazilian Jiu-Jitsu, the dominant fighting style in Mixed Martial Arts. His grandfather, Helio, invented the style, and his uncle Royce won three of the first four UFC tournaments. Rener is often asked who would win in a fight: Royce or Bruce Lee (both in their prime). His answer is that Royce has an advantage simply because Bruce would need to remain standing, while Royce would look to take him to the ground. Once on the ground, Royce would wear out Bruce Lee with his extensive training in the art of ground combat. By exploiting Bruce Lee’s one weakness, Rener believes his uncle could beat arguably the greatest fighter to ever live.
Rule #3: You need to know who to trust.
Security, by definition, involves fear, uncertainty and doubt. The more you can reduce the uncertainty and doubt, the less you have to fear.
But the unfortunate reality is that we all make dozens of security decisions every single day, and nearly all of them involve imperfect or incomplete information. We simply don’t have time to fully study, examine and understand the security of every system we interact with. As much as we’re always told to “never judge a book by its cover,” we simply can’t read every single book on every single topic.
The other problem is that many people claim to be security “experts.” As an old boss once told me, “An ex is a has-been and a spurt is a drip under pressure.”
Security is extremely difficult and requires many years of training and experience. Technology is always evolving and creating new threats and opportunities. Attackers are always looking for creative new ways to breach systems, and companies are always looking to stay one step ahead. Worst of all, the industry is filled with snake oil salesmen looking to make a quick profit.
There’s an old joke about a shop selling bottles of Monster Spray, a miraculous concoction guaranteed to keep monsters away. A customer picks up a bottle and asks the shopkeeper: “How do you know it works?” The shopkeeper replies: “Well, do you see any monsters around?”
So how do we steer clear of the unnecessary and the ineffective? We identify key people whom we trust, and we trust their advice. These are the people we know won’t sell us Monster Spray, and the ones who will gently nudge us when we try to buy it.
Technology is no different. There is simply no way to evaluate the security of every single vendor you do business with. Instead, pinpoint the organizations that have a proven track record, that innovate in their areas of expertise, and that make long-term investments in protecting their stakeholders’ interests. Also look at the size of the organization and how much they have to lose if they mess up. If I’m buying something online, I’m more likely to trust a well-respected vendor like Amazon than a small shop I know nothing about.
Last, but definitely not least, trust your instincts. They’re often the best tools for making quick and effective decisions when faced with uncertainty. If something feels fishy, over-hyped or too good to be true, it probably is.