Challenge Underlying Security Assumptions

Ted Harrington
Author: ISACA
Date Published: 11 November 2021

Editor's note: Ted Harrington runs Independent Security Evaluators (ISE), the elite security researchers who pioneered car hacking, were the first to exploit the iPhone, the first to exploit the Android operating system, pioneered medical device hacking, and host the hacking event IoT Village. Harrington will be a keynote speaker at ISACA’s EVOLVE Emerging Technology Virtual Conference, taking place 16–17 November, and he recently visited with ISACA Now to share his perspective on understanding attackers and the emerging tech landscape. The following is a transcript of the interview, edited for length and clarity:

ISACA Now: How did you arrive at your understanding of how attackers think?
By studying them. A security researcher’s job is to find security flaws in a system in order to help drive security improvements, either in that system or more broadly in the impacted industry (or both). In order to find those flaws, we need to think like attackers think. The way to do this is by asking lots of “what if” questions, challenging underlying assumptions, and – very importantly – understanding motivation. Personally, I’ve always been drawn to understanding why people do the things they do and what motivates their decisions. This applies not just to ethical people, but also to attackers and malicious types.

ISACA Now: How are emerging technologies most impacting the threat landscape?
The only constant is change. Everything that changes fundamentally impacts attack scenarios. Whether that’s changes in the tech itself, market conditions, or attacker methods, every moment of change impacts how things will be attacked and what we need to do to defend them. So, in its most simple sense, emerging technologies introduce new ways to be attacked. That said, it’s not all doom and gloom; new technologies deliver tremendous benefits and we should constantly be driving for better. The takeaway is simply that with change comes the need to reconsider how a system might be attacked. That should not be a deterrent from innovation, though.

ISACA Now: What is your view on the security outlook for self-driving vehicles?
I’m optimistic. The stakes are of course ridiculously high because we are talking about human lives being at risk if the security of a self-driving system fails. However, precisely for that reason, both the companies building these systems and the security research community are all very interested in addressing this problem. As always, there is risk – in some cases, massive risk – of how this new tech could result in bad outcomes. But I believe in the work of the community of ethical hackers and security researchers focused on this and think self-driving cars will be viable from a security perspective. The obvious assumption implied here is that the companies building these systems need to invest the time, effort, and money in actually working on building secure systems, which I hope they will.

ISACA Now: What is the best approach for enterprise leaders to take in calibrating their security investments?
First and foremost, throw off the nonsensical shackles that hold almost everyone back. Most companies establish their security budgets by finding out for how much they can obtain certain products and services and using those quotes to set their budget, without realizing that they are basing this on the cheapest end of the market. Security is like anything worth doing: you get what you pay for. So, when a budget is based on the cheapest approach, you get the cheapest outcome. Not exactly the best way to think about how to secure the high-value assets that enterprises protect. Instead, I recommend leaders benchmark their security budgets on one or more of three methods: by overall software development budget, by headcount, or by revenue. In Hackable, I outline percentages that should be allocated based on those various benchmarks.

ISACA Now: What do you think security excellence should look like for companies in 2022 and beyond?
Here are some principles:

  • Start with the right mindset and the right partner
  • Choose the right assessment methodology
  • Do the right kind of testing
  • Hack your system
  • Fix your vulnerabilities
  • Hack it again
  • Spend wisely
  • Establish your threat model
  • Build security in
  • Win sales

Each of these is explained in depth in Hackable!