Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

The Perfect InfoSec Mindset: Paranoia + Skepticism
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
User Rank: Author
8/1/2014 | 3:42:14 PM
Re: Maybe not "paranoia"...
Good perspective... Getting distracted or misdirected by delusional issues is definitely something we want to avoid.... and I like your comment... "less about being paranoid and more about being prepared."  I do, however, think the rote nature of day in, day out IT and IT security does sometimes create some level of apathy among security folk... For instance, if you are so used to seing false positives, you may not hear the next time someone cries wolf for real...  Perhaps paranoia isn't the right word, since it's so tied to fear of something false, but I do think that Infosec pros need something to keep them on their toes enough to not ignore the real incident when it happens...

I believe in preparation, but I also know the right bad guy can slice through all our carefully crafted defenses, so we need some attribute that makes sure that we are never too confident in our own defenses...

Thanks for the counterpoint... I hoped other would share whether or not they thought paranoia could be valuable. 
User Rank: Author
8/1/2014 | 3:26:33 PM
Re: Paranoia and skepticism stop short of a "perfect" infosec mindset
That was a well done post John, and I agree. I guess when I was writing it I didn't really think much about my use of "prefect," as containing all aspects of what a infosec pro mindset was... In all honesty, it just started with the thought of does our tendency towards paranoia (or lack of trust) have any benefit, or is it a detriment...

That said, I totally agree that "enablement" should definitely be in every security pro's arsenal. As I mention, often I see security pros live in their "white tower" and impose seemingly draconian rules down on their users, with no real explanation why, nor with trying to figure out what the users needs are. I agree with you that this is the WRONG mentality, and it's why infosec is often perceived as a roadblock to innovation.

Rather, as you suggest, we need to learn what our users are trying to accomplish to get their job down (and help the business run). Then with can make the risk-based decision about how to allow the user to do this easily, without putting exposing to much risk (furthermore, sometimes the rewards to doing things someway may be big enough to accept the risk). This sort of communication helps users understand your perspective (trying to keep everything safe), while also providing what they've asked for.

Thanks for your addition, John. Good stuff!
User Rank: Author
8/1/2014 | 3:18:47 PM
Re: I think you've got something here, Corey.
I think you said this very well... And I like that you brought up risk management. When I started in Infosec, I began as a more techincal personality that thought mostly about the threat, and the prevention. I lived in a security "white tower," where I believed security meant beating back every possible threat, no matter the cost.

This is not the way to do profesional informations security...

Infosec is all about risk management We know that we can't beat every threat, and we should also know that our goal isn't perfect security, it is to make sure that our business can run with minimal risk... I like Risk-based security since it tries to more scientifically quantify threats (thought that can be hard), and only focuses on prevention and security practices that keep business running while minimizing risk...

Anyway... thanks for you comments... ^_^
User Rank: Apprentice
8/1/2014 | 1:28:04 PM
Maybe not "paranoia"...
While it is definitely true that a healthy dose of skepticism is necessary to effectively do your job in InfoSec, I don't believe that paranoia is the most effective way to achieve this (even when served up with a side of skepticism). If you're paranoid, you're getting distracted by  conspiracy theories and misdirected assumptions. In my opinion, the best way to approach today's cypersecurity landscape is with the understanding that there is always someone out there who is actively trying to steal your personal information, your secrets, your money – because they are. InfoSec should be less about being paranoid and more about being prepared. If your system is designed only to be used a certain way - what would it do if it were given an unfamiliar command, or put in an unnatural setting? Would it spew out information? Shut down? Or, deny access? Hackers are successful because they find ways to make a system accidentally do something it was never intended to do. Testing your system for unlikely and unthinkable - even obvious - faults isn't being paranoid, its being realistic. 
User Rank: Apprentice
8/1/2014 | 1:07:53 PM
Paranoia and skepticism stop short of a "perfect" infosec mindset
Corey, I enjoyed your article but I think the "perfect" infosec mindset needs "enablement" above and beyond paranoia and skepticism.  I expanded upon this claim on my recent blog post here: http://bit.ly/Xp7PlY
User Rank: Ninja
8/1/2014 | 9:38:34 AM
Re: I think you've got something here, Corey.
It has been said that there is a fine line between sanity and insanity. The same goes for paranoia in terms of information security. An antonym for paranoia is trusting, so the question is: how much trust can an InfoSec professional place on an unknown entity? I've been in IT for a very long time, and in that context, I begin with the assumption that I cannot trust anyone. That isn't to say that I go overboard because without some sort of balance, the paranoia becomes insanity. Risk management serves to provide that balance in the assessment phase, where actions (or inactions) are based on the analyses. Healthy doses of paranoia, skepticism, and sanity motivate InfoSec pros to research any perceived threat, and if there is no evidence to corroborate it, then theoretically, they give it the least regard. Now if you skip the research phase and straightaway go full bore into protection mode against that perceived but unqualified threat, then you are no longer teetering on the proverbial brink of insanity, but instead have gone over the edge. I have to admit that as I look down from that brink, the bottom looks awful dark, deep, and full of unknowns. That is why my passwords are a bit more complex than 12345, and I'm sure Dark Helmet approves of that practice.
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
7/31/2014 | 3:36:18 PM
Re: I think you've got something here, Corey.
But seriously here, folks. Do you think paranoia is an occupational hazard if you are in InfoSec? How do you know when you are going over the edge?
User Rank: Author
7/31/2014 | 3:00:43 PM
Re: I think you've got something here, Corey.
HA! So true!
User Rank: Apprentice
7/30/2014 | 4:44:50 PM
Re: I think you've got something here, Corey.
Another good one would be:


"a common mistake that people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools."

~Douglas Adams (Mostly Foolproof/Hitchhikers Guide to the Galaxy)
User Rank: Author
7/29/2014 | 4:03:09 PM
Re: I think you've got something here, Corey.
Heh... yup... Definitely a lot of paranoia in our profession!
Page 1 / 2   >   >>

I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Developing and Testing an Effective Breach Response Plan
Whether or not a data breach is a disaster for the organization depends on the security team's response and that is based on how the team developed a breach response plan beforehand and if it was thoroughly tested. Inside this report, experts share how to: -understand the technical environment, -determine what types of incidents would trigger the plan, -know which stakeholders need to be notified and how to do so, -develop steps to contain the breach, collect evidence, and initiate recovery.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2022-12-05
A vulnerability was found in SpringBootCMS and classified as critical. Affected by this issue is some unknown functionality of the component Template Management. The manipulation leads to injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VD...
PUBLISHED: 2022-12-05
A vulnerability has been found in Facepay 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /face-recognition-php/facepay-master/camera.php. The manipulation of the argument userId leads to authorization bypass. The attack can be launched remotely...
PUBLISHED: 2022-12-05
Missing authorization vulnerability exists in Kyocera Document Solutions MFPs and printers, which may allow a network-adjacent attacker to alter the product settings without authentication by sending a specially crafted request. Affected products/versions are as follows: TASKalfa 7550ci/6550ci, TASK...
PUBLISHED: 2022-12-05
Stored cross-site scripting vulnerability in Kyocera Document Solutions MFPs and printers allows a remote authenticated attacker with an administrative privilege to inject arbitrary script. Affected products/versions are as follows: TASKalfa 7550ci/6550ci, TASKalfa 5550ci/4550ci/3550ci/3050ci, TASKa...
PUBLISHED: 2022-12-05
OS command injection vulnerability in Nako3edit, editor component of nadesiko3 (PC Version) v3.3.74 and earlier allows a remote attacker to obtain appkey of the product and execute an arbitrary OS command on the product.