There is a good interview with Bruce Schneier over at the Freakonomics blog. I am still getting through it, but here are a couple of Q&A excerpts covering questions I tend to get a lot, where I completely agree with the answer given:
“Q: So seriously, do you shop on Amazon, or anywhere else online for that matter?
A: Of course. I shop online all the time; it’s far easier than going to a store, or even calling a mail-order phone number, if I know exactly what I want. What you’re really asking me is about the security. No one steals credit card numbers one-by-one, by eavesdropping on the Internet connection. They’re all stolen in blocks of a million by hacking the back-end database. It doesn’t matter if you bought something over the Internet, by phone, by mail, or in person — you’re equally vulnerable.”
I cannot stress this enough! It doesn’t matter whether your purchases are online or offline; in reality, they’re all online. All of our transactions go through computer systems, are stored in large databases and are transmitted over networks. Look at the large security breaches in the news: many of them involve ‘offline’ purchases.
“Q: What was the one defining moment in your life that you knew you wanted to dedicate your life to computer security and cryptography?
A: I don’t know. Security is primarily a way of looking at the world, and I’ve always looked at the world that way. As a child, I always noticed security systems — in retail stores, in banks, in office buildings — and how to defeat them. I remember accompanying my mother to the voting booth, and noticing ways to break the security. So it’s less of a defining moment and more of a slow process.”
Security is a way of thinking. When interviewing candidates for information security roles, one of the things I look for beyond learned skills is how they think about problems. Specifically, a ‘security person’ thinks of different ways to break things. They think of ways to deconstruct the system and make it perform actions it was never intended to perform.