Security Architecture: Knowing the Adversary

When I present or teach on a security topic, I take the time to cover the mindset of the adversary. There are a lot of maxims out there to “know thine enemy,” but here’s a good recent one that explains why:

“Unless you can think the way that an evil person thinks, then you’re defenseless against them, because they’ll go places you can’t imagine and then they win.” – Dr. Jordan Peterson

Dr. Peterson said this as he was talking on the Jocko Podcast, specifically episode 98.

The context of the quote was that Dr. Peterson and Jocko were discussing a particular foreign affairs official. That official, after a horrific incident, stated he couldn’t think like the people who committed the evil act. Peterson disagreed. His view is that someone in that position has to be able to think like an evil person. Otherwise, such a person couldn’t adequately do the job because they would continue to lose.

The same is true in security. We can laboriously implement best practices and benchmarks but unless we can think like someone who seeks to actively do harm to us, we aren’t going to see the gaps. We aren’t going to see where the weaknesses are. Those gaps and weaknesses will be exploited. We will lose every time we come up against a motivated foe. Therefore, it’s not enough to know what safeguards you should put into place. It’s also critical that you think about how someone might bypass those protections or how they might exploit them.


Databases – Infrastructure – Security

Brian Kelley is an author, columnist, and Microsoft SQL Server MVP focusing primarily on SQL Server security. He is a contributing author for How to Cheat at Securing SQL Server 2005 (Syngress), Professional SQL Server 2008 Administration (Wrox), and Introduction to SQL Server (Texas Publishing). Brian currently serves as an infrastructure and security architect. He has also served as a senior Microsoft SQL Server DBA, database architect, developer, and incident response team lead.
