The Art of Attack: Attacker Mindset for Security Professionals
Author Maxie Reynolds
ISBN No 978-1-119-80547-2
Review date 03/07/2022
No of pages 304
Publisher URL https://www.wiley.com/en-gb/9781119805472
Year of publication 03/02/2022
We might take it for granted that our credit card number is sensitive data, best protected from hackers. But our health data, such as our blood pressure or blood type, or the fact that we have diabetes, is not such a big deal?
Think again, suggests the author of a book that usefully takes on the psychological rather than the technical side of security, as it delves into the ‘attacker mindset’. A hacker with such ‘leaked elite data’ can then pose ‘as your insurance company, doctor, nurse, psychiatrist, therapist, psychologist, optometrist, or pharmacist’ and seek to steal further data – such as your credit card details. And whereas you can change your credit card number to defeat the cyber attacker, you cannot change your blood type.
This thought-provoking book, then, seeks to teach us critical thinking; that defence ‘starts in the brain’, rather than in having a particular piece of cyber protection on our devices, though we should still use such things as password protection and two-factor authentication.
The book starts with a vivid description of the author about to embark on a physical penetration test of a New York bank, and goes on to cover open source intelligence (OSINT) and social engineering (‘an effective tool for making a target feel the way the attacker needs them to feel’). But, as she sets out at the very start, the author’s aim is to teach how to think: ‘the attacker mindset, the gathering, processing, and applying of information for an objective’.
In the author’s words: ‘The attacker mindset allows us to hack information, which may on the surface be neutral to the untrained pedestrian, but to you or me as attackers, could prove lethal when leveraged correctly. There’s no information that you will come across that’s simply good or bad; information is processed through the lens of the attack.’
If that sounds like the book is a how-to guide for the malicious, the author does add: ‘Companies should use physical testing as well as network testing to evaluate their security postures regularly, which will help build their populations’ intuition and security. The attacker mindset should be used in boardrooms and other government and corporate settings as a way to scrutinise and analyse blind spots and vulnerabilities.’
The difference, in a word, is the ethics of the security professional; learning how the bad guys go about their business ‘is not the same as actually becoming them’. To understand how bad things are done is only, as the author says, ‘prudent’.
The author makes the wise point that, for all the spread of the internet, many of us have a disconnect: we don’t see the connection between the invisible networks of the internet and the real world (‘Many people will take the news seriously that thieves are operating in their area, going door to door, but not that hackers are always on the prowl and capable of getting on their network even though so much of our personal lives and details are held within the devices we connect to our networks’). Every networked IT user needs to practise cyber hygiene, and be aware of security and privacy.
For it’s not only the old who aren’t tech savvy who get targeted by hackers, the author points out: ‘Socially savvy kids are also targeted often. Children often lack experience in the world with adults outside of their families and so can fail to understand how quickly and easily they can be manipulated by outside sources’. Social engineers, or ‘human hackers’, may pretend to be ‘coworkers, repair technicians, IT staff, and convenient outsiders with an apparent legitimate need to know’.
A particularly wise description is of privacy as ‘a spectrum, not a standard’. The author explains the difference between privacy and security: ‘privacy limits the amount of information an attacker can discover about you, and security prevents unauthorised access to your accounts/events’.
Corporate readers may want to turn to chapter 11 on protection of the business. We are reminded that ‘a win for an attacker doesn’t have to be brilliantly technical to have adverse effects for hundreds of millions of people’.
The book makes a most readable case for treating ‘behavioural security’ as a branch of cyber and information security, ‘because, as humans, we do not always act rationally, so as security professionals, we must seek to understand individuals as they really are’.