
The Hacker Mindset is a Benefit for Cybersecurity

Sam Curry talks about the hacker mindset and how it can protect vulnerable people.

When most people think of cybersecurity, they think of trying to protect digital assets from cybercriminals and hackers. And that’s often accurate. But just because hackers are often the enemy doesn’t mean hacking is always a bad thing. Ethical hacking does exist. And even outside of the hacking itself, the hacker mindset can be helpful in keeping things secure.


See Empowering the Vulnerable with Sam Curry for a complete transcript of the Easy Prey podcast episode.

Sam Curry is currently the Global VP and CISO in Residence at Zscaler, but he has been in cybersecurity for over thirty years. He’s been in just about every security role in that time, from engineering to CTO to CISO. He is also a fellow at the National Security Institute and an instructor on cyber topics at Nichols College. Before Nichols College, he ran RSA Labs at MIT. He primarily describes his career as “having too much fun with cyber.”

An Accidental Cyber Career

Sam didn’t start off planning to get into cyber. Initially, he wanted to be a science fiction author, so he studied physics and literature. But he started his career in cryptography and cryptanalysis. After a while, he decided he wanted to get back into tech, specifically biotech. One of his friends had a brother who was investing in biotech, so he asked the friend for a connection. The friend asked for more details about his background. About an hour into the conversation, Sam realized he was being interviewed. He ended up getting hired for a cybersecurity company. Sam wound up developing some patents in VPN technology and was one of the co-inventors of the personal firewall. Eventually, the company was bought by McAfee, and Sam became a product manager.

At one point, a mom called trying to buy a personal firewall. This was in the late 1990s – firewalls were technical things that only companies used, not something for home use. Sam didn’t understand why this mom needed one. It turned out that she had a disabled son who used certain websites as part of his education. Hackers were targeting those sites because the victims didn’t know what was happening. So a group of parents had gotten together to purchase personal firewalls.

Sam was disgusted with these hackers’ behavior. But he also realized the problem was just going to get worse. That’s where he found his mission. He’s always felt a personal drive to protect people. And he had been fascinated by the hacker mindset for most of his life. Sam’s brother once said it was no shock that he wound up in an industry where he could protect people. He made a mission out of trying to make sure people aren’t getting hurt at any scale.

Nobody is a Failure for Being a Victim

Even though he works in cybersecurity, Sam has been a victim of scams and fraud multiple times. He’s always willing to talk about it, because he doesn’t consider them failures or anything to be ashamed of. Being targeted by a crime is not a failure on your part.

Nobody’s a failure for being put in the crosshairs [of a scam].

Sam Curry

In the professional sphere, Sam was the CTO at RSA during the major breach thirteen years ago. That was a miserable experience. But he’s also been attacked personally. He’s been spear phished before, which was not a great thing to feel. His wife has also been attacked. One specific incident nine years ago was very well done – she got a call that she thought was from her bank, and the caller had all the correct information. She realized it didn’t feel right directly after she hung up, and called the bank to cancel it. It was a convincing attack, even then.

Sam ran a product that helped mitigate losses to banking and card-not-present fraud for half a billion people. It doesn’t matter how smart you are or how good you are at security, you can still be a target. And you can still fall for it. Sam has been personally targeted by everything from “we have inappropriate photos of you” to “we have your credit card.” He’s gotten good at not clicking anything now. But it’s a real problem when marketing departments send legitimate messages that look like phishing. It’s sometimes very hard to determine what’s legitimate and what’s not.

It doesn’t matter how smart you are or how well-versed in security. You can still be the target and still fall to it.

Sam Curry

The Hacker Mindset and Disruption

Phishing, hacking, spyware – none of these things are new. But it can feel like things are worse now. The Shepard tone is an auditory illusion that sounds like a tone that is always rising in pitch. It isn’t, but the way it loops tricks the ear. The same kind of thing happens with cybersecurity: there’s a sense that it’s always worse than before. If it really were, that would be a bubble. Some things are getting worse in a localized way, true. But that may also be because there is more awareness now. Some things get worse locally, and in absolute numbers the problem is growing, but overall things are roughly the same.

The hacker mindset can be a disruption, which can be beneficial.

Change can be disruptive. Different people talk about singularities that could be caused by genetics, robotics, information technology, or nanotech. Either way, we can’t predict what things will look like after. But a singularity doesn’t have to be a massive disruption – the internal combustion engine was one of those moments. Canadian writer Cory Doctorow said that there’s a bubble around AI, but that may not be a bad thing. Anything interesting has a bubble effect. The question is what’s left after. The telecom bubble left behind infrastructure. The Enron bubble left nothing of value.

There’s always a bubble effect when something interesting is happening because capital rushes to it.

Sam Curry

The hacker mindset, especially when used by criminals and applying AI, has the potential to be a very disruptive challenge. Security and privacy have to catch up.

The Challenge in Getting Security to Catch Up

It used to be called the investor paradox. In unchallenging times, companies tend towards single points of failure. The CFO wants fewer suppliers, to buy fewer things, and more strategic providers who each deliver more. But in times of strife, well, look at the world wars. The way you protect against the enemy damaging your logistics or supply chain is to build redundancy. Have lots of sources, so that if someone takes out your fuel depot, you have another one. The investor paradox means that in peacetime, companies build infrastructure that’s not resilient.

This also puts security at odds with IT. Security needs at least two of everything for redundancies. That means IT has to test, maintain, and do disaster recovery scenarios with a lot more, while still trying to look efficient on the profit and loss sheet. These security steps are still aligned with business, though. Many businesspeople just haven’t realized that when done correctly, they can embrace change.

Incrementalism is a huge problem here. Nobody goes back and tears out the old architecture to start over. We’re fully capable of doing more and more securely, but businesses don’t want to get rid of a several-decade investment. It’s not until a disruptor, like the hacker mindset, comes along that they realize how much of a problem it can be. Most IT people would rather be on the front end of brokering new technological improvements in a company. Instead, we’ve made them custodians of old infrastructure.

IT has become custodians of infrastructure rather than brokers, which is where they should be – where they want to be, when you really ask them.

Sam Curry

The Hacker Mindset Changes the Game

Sam likes using the game of Go as an analogy. Go is a territorial strategy game played by placing colored stones at different intersections on the board. When AI first started playing Go, it came up with 59 new opening moves for the game. Like chess, Go has grandmasters, and these grandmasters said watching the AI play was like watching an alien. They couldn’t understand why it placed stones on the intersections it did. And playing against it, they kept losing. Unlike humans, the AI didn’t learn the game as a narrative. And because it worked differently from a human mind, it could find unexpected vectors of attack.

AI can exponentially increase the hacker mindset, leading to new innovations.

In terms of security, this translates into vulnerabilities in places that you never expected. The hacker mindset is all about thinking differently. AI raises that to new heights. In Go, there’s a concept called joseki – an established sequence of moves that is considered the optimal local response to a particular play. The grandmasters couldn’t find joseki for the AI’s moves, and in security, that’s the equivalent of a vulnerability with no way to patch it. There are some things out there with no patch and no solution. We just have to find a way to put security in the way.

How do I get the least privileged, least function accessibility? … this is, at the heart of it, the way that we beat the AI [attacks].

Sam Curry

Having an FTP server on your coffeepot is ridiculous. The way to get more resistant is to shut down as much access as possible. Everything should only have the bare minimum needed to do what it does. That’s how we beat AI. AI isn’t the only disruptor, though. Synthetic biology, robots, nanotech, drones, quantum, and more could all affect security.

How to Get Ahead

Nobody wants to be figuring out how to change their entire infrastructure on a time crunch because the hacker mindset discovered an unfixable vulnerability. The way to get ahead is to take principles. It’s not a binary game. You can start implementing zero trust and restricting access and permissions in small areas. Start at the places with the most risk.

It’s also essential to define the problem. If it takes an hour to pick the fancy lock on your front door but there’s a rock and a window right there, attackers are going to choose a different option. The problem isn’t actually making your front door stronger, it’s preventing people from getting in. As soon as you start focusing on securing one specific thing and lose track of the bigger picture, the attackers will start going somewhere else. This can happen in business and in security.

That’s the big problem with governance, risk, and compliance – it catalyzes behavior, and it’s good that there’s some regulation, but it doesn’t define the problem correctly. The old rule of alerting on six failed login attempts to detect brute force attacks isn’t useful anymore. Attackers largely don’t brute force that way anymore. All that rule does is log which users are struggling to log in. To be secure and defeat attackers and the hacker mindset, you have to define the problem correctly, then check back in and make sure you’re still defining it correctly.
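As an added illustration of what “defining the problem correctly” looks like in detection code (this is not from the podcast or from Sam Curry’s own tooling), the script below runs two rules over a small, constructed authentication log. The log format, account names and addresses are assumptions for the example. Rule A is the legacy “six failures against one account” threshold; Rule B counts distinct accounts attempted from one source, which is the shape of a password spray. On the sample data, Rule A flags the one legitimate user who mistyped her password and says nothing about the source that tried six different accounts once each; Rule B catches that source and leaves the struggling user alone.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample authentication log (not real data). Format per line:
#   <time> <account> <source address> <FAIL|SUCCESS>
# The first eight lines are one legitimate user mistyping her password
# seven times before getting in. The last six are a single source trying
# six different accounts once each: low and wide, the shape of a spray.
SAMPLE_LOG = """\
09:00:01 alice 10.0.0.5 FAIL
09:00:09 alice 10.0.0.5 FAIL
09:00:15 alice 10.0.0.5 FAIL
09:00:22 alice 10.0.0.5 FAIL
09:00:31 alice 10.0.0.5 FAIL
09:00:40 alice 10.0.0.5 FAIL
09:00:48 alice 10.0.0.5 FAIL
09:00:55 alice 10.0.0.5 SUCCESS
09:03:10 bob   203.0.113.7 FAIL
09:07:42 carol 203.0.113.7 FAIL
09:12:05 dave  203.0.113.7 FAIL
09:16:38 erin  203.0.113.7 FAIL
09:21:11 frank 203.0.113.7 FAIL
09:25:47 grace 203.0.113.7 FAIL
"""


@dataclass(frozen=True)
class AuthEvent:
    time: str
    account: str
    source: str
    success: bool


def parse_log(text: str) -> list[AuthEvent]:
    """Turn the whitespace-separated sample format into AuthEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        time, account, source, result = line.split()
        events.append(AuthEvent(time, account, source, result == "SUCCESS"))
    return events


def legacy_failed_login_rule(events: list[AuthEvent], threshold: int = 6) -> list[str]:
    """Rule A, the compliance-era control: N failures against one account.

    It ignores the source entirely, so all it measures is how hard one
    account is being hit, which in practice is a user who forgot a password.
    Returns the accounts that crossed the threshold.
    """
    failures = defaultdict(int)
    for e in events:
        if not e.success:
            failures[e.account] += 1
    return sorted(a for a, n in failures.items() if n >= threshold)


def password_spray_rule(events: list[AuthEvent], min_accounts: int = 5,
                        max_failures_per_account: int = 2) -> dict[str, list[str]]:
    """Rule B: per source, count distinct accounts that each saw only a few failures.

    A spray is one or two guesses per account spread across many accounts, so
    per-account thresholds never trip. Grouping by source and counting accounts
    is the problem definition that matches the attack. Returns a map of
    source address -> sorted list of accounts it touched.
    """
    per_source = defaultdict(lambda: defaultdict(int))
    for e in events:
        if not e.success:
            per_source[e.source][e.account] += 1
    hits = {}
    for source, accounts in per_source.items():
        sprayed = sorted(a for a, n in accounts.items() if n <= max_failures_per_account)
        if len(sprayed) >= min_accounts:
            hits[source] = sprayed
    return hits


EVENTS = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    print("Rule A (6 failures per account):", legacy_failed_login_rule(EVENTS))
    print("Rule B (many accounts per source):", password_spray_rule(EVENTS))
```

The thresholds in Rule B are deliberately parameters: a real deployment tunes them against its own baseline of how many accounts a single address legitimately authenticates for (a VPN concentrator or NAT gateway will look very different from a workstation), which is exactly the “check back in and make sure you’re still defining it correctly” step.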

At the end of the day, it doesn’t matter how smart you are, you can still get hacked. Nobody is immune. Sam knows brilliant people who wrote insightful things about hacking techniques who still got hacked. There’s no shame.

It doesn’t matter how smart you are. You can still get hacked. None of us are immune … and there’s no shame in it.

Sam Curry

We Need the Hacker Mindset

It’s important for society that we have people who think differently. We need the rebel mindset. We need hackers. They’re an important part of the human species. Psychopaths and sociopaths show up in most populations at a fairly consistent rate, which means they serve a purpose, or at least they did at some point. The same is true of other supposedly aberrant groups. They’re important for our resilience as a species.

The same is true of hackers. It’s a mindset of always testing boundaries. They’re the ones who made sure your hut wouldn’t collapse by seeing if it would. There are always people with a mindset oriented to seeing how things break. The difference is whether or not it’s malicious. A hacker mindset is one thing; the ethics and what you do with it is another. Mindset is thinking about how to break things and figuring out what happens when you do the unexpected or don’t follow the rules.

I believe that hacking is a mindset that’s important to us as a species.

Sam Curry

It’s hard for younger generations coming into security because of the language. It relies so much on acronyms and jargon, which makes it hard to understand. Sam encourages everyone to try to make sure people can understand. Using big words and jargon is just to impress people. The real mark of understanding something is being able to make it simple. And we shouldn’t be gatekeeping. We need more people with a hacker mindset in cybersecurity.

Connect with Sam Curry on LinkedIn – just send a message and connection request. He accepts all invites. If you want to get to know him or ask for career advice, he will answer.
