Security is always a cost centre, but it allows for benefits. So, for example, the telephones in a company are always a cost centre. Yet without the telephones, you couldn't make sales. You couldn't make profits. Security will be a cost centre -- again, let's take Amazon as an example -- their Web security is a cost centre, but without it, they can't sell books. They can't make money. So, security does cost, but security facilitates better things. If you have good security, you can do things that maybe your competitors can't. It is always looked myopically -- it's a cost. But you look at it in the broader context, it's a benefit that allows the company to do things it couldn't do otherwise.
In your upcoming talk at Linux World Open Solutions Summit on Feb. 14, you're going to be talking about the economics of Internet security, and I noticed in the announcement that you'd be looking at it from the attackers' point of view, too. What's an attacker doing to maximize return on investment, and should security people be paying special attention to those types of attacks?
I think they should. If you think about it, an attacker goes through an economic decision just like a defender. An attacker is spending time, an attacker is spending time, money, risk -- the risk of capture -- for some attackers, death, if you're thinking of a terrorist. And this attacker wants to maximize his return on investment. And that might be money in the case of a criminal. It might be deaths in the case of a terrorist. Depending on whether it's organized crime or a loan criminal, they'll have different resources they can expend.
You have to look at the attacker as a capitalist; as someone who is trying to get the best return on his investment. And this isn't to excuse him or to figure out why it's OK, but if you don't understand your attackers' motivations, you'll never defend yourself. For example, the kind of defenses we might put in place for a fraudster, a criminal trying to get money, is very different than the kinds of defenses you put in place against a hacker who wants to deface your Web site and look cool. Those attackers have different goals. They have different resources. They have different levels of risk they're willing to tolerate, and they're not the same, and the defenses won't be the same.
Does it make sense to have somebody on your security team or within your company play the role of an attacker in a what-if scenario?
You certainly have to think like an attacker. And this is true for policemen, for computer security, for counter terrorists. You always have to try to put yourself in the mindset of the attacker; otherwise, you'll never see how your defences look from that point of view, and that's very important. In the military, there are all sorts of war games where people playing the attacker will pit themselves against people playing the defender. In computer security, we do vulnerability testing and penetration testing, where you hire people to act like the attacker and break in. In some areas, in home burglaries, that doesn't make that much sense because attackers are pretty well known and well understood. They don't do new things. So, it depends. But it's certainly a good idea to have someone thinking like an attacker. And whether they have to actually play the role for real, really depends on circumstance.