To defeat cyber-adversaries, cybersecurity professionals should adopt a contrarian attitude, says Greg Shannon, chief scientist at the CERT Division of Carnegie Mellon University's Software Engineering Institute.
"Having that contrarian point of view allows you to get into the mindset of the adversary," Shannon says in an interview with Information Security Media Group.
"How would this technology work if it did something the designer of it didn't think of?" he asks. "Certainly, that's the way the adversary is thinking, coming up with new attacks, new threats. They're looking at an app, a piece of software or some websites, [and they think] 'What can I do here that the designer didn't think of? Is there a way to get information through channels, through tricks that weren't anticipated? Is there some frailty of humans that I can exploit to get information out of them that they wouldn't normally give me?'"
In the interview, part of an ISMG series of conversations with leading IT security practitioners and thought-leaders, Shannon discusses:
- Why cybersecurity should be considered a science. "Engineering and math have not made cyberspace secure and private. We're looking at more scientific approaches to understand the problem, particularly in how humans interact as well as the general unpredictability of the Internet."
- The objectives of the IEEE [Institute of Electrical and Electronics Engineers] Cybersecurity Initiative, which Shannon chairs. Among the initiative's goals: seeking common tools organizations can deploy to secure IT and developing a broader community outside academia to enhance cybersecurity education.
- What attracted him to the cybersecurity field. "It's that bridging of the mathematical side with the engineering side."
Shannon also is the co-organizer for the Workshop on Scalable Energy-Efficient Algorithms for Security, sponsored by the Center for Discrete Mathematics and Theoretical Computer Science. Before joining CERT, Shannon served as the chief scientist at two startups working on scalable statistical anomaly detection, the science of cybersecurity and insider threats. In earlier positions, he led applied research and development in cybersecurity and data analysis at Lucent Technologies, Lumeta, Ascend Communications, Los Alamos National Laboratory, Indiana University and his own startup company.