“So I gotta ask you…”
On literally every ski trip I go on, I’ll eventually hear some version of this question about a specific element of my ski gear: my poles.
Or I should say, my lack thereof.
You see, I ski without poles. That is something that is so unusual, it almost always draws the curiosity of other skiers and snowboarders.
For those of you who don’t ski, let me give you a quick primer on gear. You need skis to glide down the mountain, boots to attach your feet to the skis, a helmet to protect your head, and technical clothing to keep you warm and dry. And you need poles to… well, I’m actually not sure why you need poles.
One day, I found myself pondering that question. What is the purpose of poles? No one could really give me a solid answer. Some people told me that I need poles for moguls, but I skip that type of terrain because I don’t enjoy it. Others told me I need them to get off flat terrain (where gravity isn’t pulling me downhill), but it’s more effective to use your legs to skate out of those spots. A lot of people told me I need them for balance, but that’s not true – I’m actually even better balanced without them. One guy even got so frustrated that he said to me “Look, I don’t know what to tell you Ted. Girls like guys who ski with poles.” After I laughed, I realized he was serious.
No one could give me a compelling reason why I needed poles. What makes this even more absurd is that it’s just one more thing to carry, one more thing to buy, and worse yet, they make loading and unloading chairlifts more complicated. Why take on all that hassle if there is no benefit?
So one day, I did an experiment: “What would happen if I ski without poles today?”
And let me tell you, I skied better than I ever had in my life. I felt so much more in tune with my body. My rhythm was a straight up metronome. My life was simpler with less gear to lug around. And, maybe best of all, it was a fun conversation starter.
So what does all this have to do with how you can think like a hacker?
This story is a vivid example of one of the most crucial mindsets that make hackers successful: contrarian thinking. Contrarian thinking is when you reject norms, challenge assumptions, and explore if there’s a better way. I challenged the assumption that almost every single skier holds: you must ski with poles. In the process of challenging that assumption, I discovered that it was flawed (at least for my use case). As a result, I was able to change my behavior, which resulted in a significantly improved experience.
That is what contrarian thinking delivers. This (admittedly whimsical) story is a great example of its power. For any of you who have watched my TED Talk “Why You Need to Think Like a Hacker,” you’ll recognize the idea I advocate for: hackers are contrarian, and you should be too. (Haven’t seen it yet? Watch it here).
Usually, contrarian thinking makes other people uncomfortable (just like we saw with my ski poles) because it brings into question subconscious thoughts, innate bias, or deeply held beliefs. People generally do not like when those things are brought into question.
But you really want to question those thoughts, biases, and beliefs. When you do, it helps you think differently about the situation. And when you think differently, that helps you reveal new pathways to achieve your goals.
So let’s talk about how to apply this to your security program.
Using Contrarian Thinking to Improve the Security of Your System
As you build your system, there are several actionable steps you (or more likely, your outsourced security assessment company) can take to inject contrarian thinking into your security program:
- Question how users will behave. As you build a system, you’re assuming the user will interact with it the way you intend. But what if they don’t? For example, a common attack vector is to find an input field, such as the one on the login page, and rather than entering a password, enter a command. You’d be surprised how often the system will respond to that command. The user is not supposed to enter a command into the password field… but what happens if they do? By applying contrarian thinking to user behavior, you can probe your own assumptions. You do this simply by asking a lot of “what if” questions.
- Eradicate security through obscurity. Security through obscurity is when you lean on the fact that the attacker might not know how the system works as the thing which keeps the system secure. Secrets are good, but they should not be the entire basis upon which the security of a system rests. You’d be shocked at how often we’ll ask a current or prospective client “what happens if an attacker did X?” and they’ll respond with some version of “oh no one would think to do X.” But… we literally just did! If we did, someone else will too, eventually. You need to find where you have those beliefs, those blinders, those assumptions – and once you’ve found them, challenge them. Again, the question “what if” is your friend.
- Explore how to abuse functionality. One of the most effective techniques in the hacker tool kit is functionality abuse, which is where you use existing functionality of the system in an attack. For example, we recently worked on a project where a certain sequence of failed attempts would lock a specific user out. We found a way that an attacker could use that functionality to make the system inoperable for all. Whatever you are building has the potential to be misused, so you need to examine the system through the lens of how abuse could play out. That requires you to think about the functionality through a different lens than the one you look through to build a beautiful, effective system.
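The first and third items above each describe a “what if” worth testing in code. The following Python example is added here and is not from the original post or from ISE; it assumes a SQL-backed login (SQLite in memory), and the user table, passwords, and client addresses are constructed for the example. It puts the query that treats the password field as part of the SQL text next to the parameterized form, and then simulates the lockout abuse from the third item: a lockout counted only per username, next to one that is scoped by the client that caused the failures.

```python
import sqlite3
from collections import defaultdict

# Constructed toy user table. Passwords are stored in clear only to keep the
# example short; a real system stores salted password hashes.
USERS = [("alice", "correct horse"), ("bob", "hunter2")]

# Constructed client addresses for the lockout simulation.
ABUSIVE_SOURCE = "198.51.100.7"
OWNER_SOURCE = "203.0.113.5"


def make_db():
    """In-memory SQLite database holding the toy users."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return db


def login_vulnerable(db, name, password):
    """Splices the field contents into the SQL text. A quote in the password
    field therefore rewrites the query instead of being compared as data,
    which is the "entering a command" case from the post."""
    query = (f"SELECT name FROM users WHERE name = '{name}' "
             f"AND password = '{password}'")
    return db.execute(query).fetchone() is not None


def login_safe(db, name, password):
    """Parameterized query: the values travel separately from the SQL text,
    so whatever is typed is only ever compared against the stored value."""
    row = db.execute(
        "SELECT name FROM users WHERE name = ? AND password = ?",
        (name, password),
    ).fetchone()
    return row is not None


MAX_FAILURES = 5          # bad attempts before an account is locked
MAX_SOURCE_FAILURES = 8   # bad attempts one client may make across all accounts


class NaiveLockout:
    """Locks an account after MAX_FAILURES bad passwords no matter where they
    came from. Anyone who knows a username can trip the lock for that user,
    so the protective feature doubles as a denial-of-service lever."""

    def __init__(self):
        self.failures = defaultdict(int)            # name -> count

    def allowed(self, name, source):
        return self.failures[name] < MAX_FAILURES

    def record_failure(self, name, source):
        self.failures[name] += 1


class ScopedLockout:
    """Counts failures per (account, source) and throttles the source itself,
    so one abusive client runs out of attempts without locking the account
    for its real owner connecting from elsewhere."""

    def __init__(self):
        self.failures = defaultdict(int)            # (name, source) -> count
        self.source_failures = defaultdict(int)     # source -> count

    def allowed(self, name, source):
        return (self.failures[(name, source)] < MAX_FAILURES
                and self.source_failures[source] < MAX_SOURCE_FAILURES)

    def record_failure(self, name, source):
        self.failures[(name, source)] += 1
        self.source_failures[source] += 1


def attempt(db, policy, name, password, source):
    """One login attempt under a lockout policy: 'locked', 'ok' or 'bad'."""
    if not policy.allowed(name, source):
        return "locked"
    if login_safe(db, name, password):
        return "ok"
    policy.record_failure(name, source)
    return "bad"


def simulate(policy):
    """Abuse scenario from the post: one client sends MAX_FAILURES wrong
    passwords for every account, then each real owner logs in once from
    their own address. Returns each owner's outcome."""
    db = make_db()
    for name, _ in USERS:
        for _ in range(MAX_FAILURES):
            attempt(db, policy, name, "not-the-password", ABUSIVE_SOURCE)
    return {name: attempt(db, policy, name, pw, OWNER_SOURCE) for name, pw in USERS}


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"   # the "what if" probe: a quote in the password field
    print("vulnerable login accepts probe:", login_vulnerable(db, "alice", probe))
    print("safe login accepts probe:      ", login_safe(db, "alice", probe))
    print("naive lockout: ", simulate(NaiveLockout()))
    print("scoped lockout:", simulate(ScopedLockout()))
```

With the naive policy both owners come back “locked” after the abusive client has done its rounds; with the scoped policy the abusive client is throttled after eight failures and both owners log in normally. Scoping by source is not a complete answer on its own (many legitimate users can share one address, and an attacker may have many), so real programs pair it with progressive delays, owner notification, and alerting on failure spikes. The habit the post is describing is the act of running the scenario at all, before someone else does.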
Hire an Expert
I’ll be the first to admit that there are three things that kinda stink about contrarian thinking.
First, it’s hard to do. Human beings are wired to follow patterns, because they allow us to allocate brainpower to other things (a relic of our caveman days when we needed that attention to look out for things that could kill us). Because we are wired to follow patterns, the very act of examining the components of those patterns feels unnatural. Have you ever noticed how almost everyone at an amusement park just finds lines to go stand in? But have you ever paused to see if there was a shorter way to get to the ride? If you did, you’re thinking like a hacker. But most people don’t. It’s easier to follow the pattern we know how to follow.
Second, once you start thinking in contrarian ways, it’s pretty much the only way you see the world – for better or worse. In the classic movie The Matrix, there’s this idea of unplugging from the matrix (btw, sorry if this is a spoiler for you… but then again, the movie is like 20 years old so it’s kinda on you at this point). Anyway, there’s this idea that people are plugged into the matrix, and it’s a nice existence. But some people unplug from the matrix, and the world outside of the matrix is cold and unforgiving. Once you’re unplugged, though, being back in the matrix isn’t appealing anymore. That’s kinda what it’s like once you start applying contrarian thinking. You can’t easily follow patterns blindly anymore – you question everything. Sometimes that feels icky.
Third, by definition, you will be considered “wrong” by most people. Contrarian thinking requires you to consider (and potentially even adopt) a viewpoint that is different from widely held beliefs. That is both what makes it powerful and what makes it feel isolating. You gotta be ok with being told you’re wrong. A lot.
So, if contrarian thinking is critical to system security, but it’s both difficult and unsettling, what should you do?
That part is easy.
Hire an expert.
You’re probably already hiring someone to help you with security testing (such as penetration testing, red teaming, vulnerability assessments, and more). Just make sure that whoever you hire thinks in this manner. And note that not everyone does, especially since a lot of security testing today is little more than running automated scanners. Naturally, I’d like to make an unveiled, shameless pitch that the brilliant minds at ISE are one such company you should talk to about this, but even if not ISE, just make sure you are getting this contrarian mindset (if you need tips on how to vet for this trait, hit me up and I can guide you).
Just like how I got the wonderful outcome of a better life skiing without poles, I hope that you too can leverage contrarian thinking to improve your life.
Make sure that you (or someone on your team, or your security partner) are deploying contrarian thinking. Weave it into various aspects of your security program, including looking at user behavior, secrecy, and functionality differently. Once you do those things, it’ll reveal new ways to improve the security of your system.
Hackers are contrarian, and you should be too.
And remember: you shouldn’t necessarily take my advice on ski equipment – ask an expert!
See you on the slopes.
Ted Harrington is the #1 bestselling author of Hackable, and a TEDx speaker. He is the Executive Partner at ISE, and co-founder of both Start VRM and IoT Village. Learn more at https://ise.io