
The Perfect InfoSec Mindset: Paranoia + Skepticism
User Rank: Author
8/1/2014 | 3:42:14 PM
Re: Maybe not "paranoia"...
Good perspective... Getting distracted or misdirected by delusional issues is definitely something we want to avoid... and I like your comment... "less about being paranoid and more about being prepared." I do, however, think the rote nature of day in, day out IT and IT security does sometimes create some level of apathy among security folk... For instance, if you are so used to seeing false positives, you may not hear the next time someone cries wolf for real... Perhaps paranoia isn't the right word, since it's so tied to fear of something false, but I do think that Infosec pros need something to keep them on their toes enough to not ignore the real incident when it happens...

I believe in preparation, but I also know the right bad guy can slice through all our carefully crafted defenses, so we need some attribute that makes sure that we are never too confident in our own defenses...

Thanks for the counterpoint... I hoped others would share whether or not they thought paranoia could be valuable.
User Rank: Author
8/1/2014 | 3:26:33 PM
Re: Paranoia and skepticism stop short of a "perfect" infosec mindset
That was a well done post, John, and I agree. I guess when I was writing it I didn't really think much about my use of "perfect" as containing all aspects of what an infosec pro mindset was... In all honesty, it just started with the thought of: does our tendency towards paranoia (or lack of trust) have any benefit, or is it a detriment...

That said, I totally agree that "enablement" should definitely be in every security pro's arsenal. As I mention, often I see security pros live in their "white tower" and impose seemingly draconian rules down on their users, with no real explanation why, nor any attempt to figure out what the users' needs are. I agree with you that this is the WRONG mentality, and it's why infosec is often perceived as a roadblock to innovation.

Rather, as you suggest, we need to learn what our users are trying to accomplish to get their job done (and help the business run). Then we can make the risk-based decision about how to allow the user to do this easily, without exposing too much risk (furthermore, sometimes the rewards of doing things some way may be big enough to accept the risk). This sort of communication helps users understand your perspective (trying to keep everything safe), while also providing what they've asked for.

Thanks for your addition, John. Good stuff!
User Rank: Author
8/1/2014 | 3:18:47 PM
Re: I think you've got something here, Corey.
I think you said this very well... And I like that you brought up risk management. When I started in Infosec, I began as a more technical personality that thought mostly about the threat, and the prevention. I lived in a security "white tower," where I believed security meant beating back every possible threat, no matter the cost.

This is not the way to do professional information security...

Infosec is all about risk management. We know that we can't beat every threat, and we should also know that our goal isn't perfect security; it is to make sure that our business can run with minimal risk... I like risk-based security since it tries to more scientifically quantify threats (though that can be hard), and only focuses on prevention and security practices that keep business running while minimizing risk...

Anyway... thanks for your comments... ^_^
User Rank: Apprentice
8/1/2014 | 1:28:04 PM
Maybe not "paranoia"...
While it is definitely true that a healthy dose of skepticism is necessary to effectively do your job in InfoSec, I don't believe that paranoia is the most effective way to achieve this (even when served up with a side of skepticism). If you're paranoid, you're getting distracted by conspiracy theories and misdirected assumptions. In my opinion, the best way to approach today's cybersecurity landscape is with the understanding that there is always someone out there who is actively trying to steal your personal information, your secrets, your money – because they are. InfoSec should be less about being paranoid and more about being prepared. If your system is designed only to be used a certain way - what would it do if it were given an unfamiliar command, or put in an unnatural setting? Would it spew out information? Shut down? Or, deny access? Hackers are successful because they find ways to make a system accidentally do something it was never intended to do. Testing your system for unlikely and unthinkable - even obvious - faults isn't being paranoid, it's being realistic.
User Rank: Apprentice
8/1/2014 | 1:07:53 PM
Paranoia and skepticism stop short of a "perfect" infosec mindset
Corey, I enjoyed your article but I think the "perfect" infosec mindset needs "enablement" above and beyond paranoia and skepticism. I expanded upon this claim on my recent blog post here: http://bit.ly/Xp7PlY
User Rank: Ninja
8/1/2014 | 9:38:34 AM
Re: I think you've got something here, Corey.
It has been said that there is a fine line between sanity and insanity. The same goes for paranoia in terms of information security. An antonym for paranoia is trusting, so the question is: how much trust can an InfoSec professional place on an unknown entity? I've been in IT for a very long time, and in that context, I begin with the assumption that I cannot trust anyone. That isn't to say that I go overboard because without some sort of balance, the paranoia becomes insanity. Risk management serves to provide that balance in the assessment phase, where actions (or inactions) are based on the analyses. Healthy doses of paranoia, skepticism, and sanity motivate InfoSec pros to research any perceived threat, and if there is no evidence to corroborate it, then theoretically, they give it the least regard. Now if you skip the research phase and straightaway go full bore into protection mode against that perceived but unqualified threat, then you are no longer teetering on the proverbial brink of insanity, but instead have gone over the edge. I have to admit that as I look down from that brink, the bottom looks awful dark, deep, and full of unknowns. That is why my passwords are a bit more complex than 12345, and I'm sure Dark Helmet approves of that practice.
Marilyn Cohodas
User Rank: Strategist
7/31/2014 | 3:36:18 PM
Re: I think you've got something here, Corey.
But seriously here, folks. Do you think paranoia is an occupational hazard if you are in InfoSec? How do you know when you are going over the edge?
User Rank: Author
7/31/2014 | 3:00:43 PM
Re: I think you've got something here, Corey.
HA! So true!
User Rank: Apprentice
7/30/2014 | 4:44:50 PM
Re: I think you've got something here, Corey.
Another good one would be:

"a common mistake that people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools."

~Douglas Adams (Mostly Harmless/Hitchhiker's Guide to the Galaxy)
User Rank: Author
7/29/2014 | 4:03:09 PM
Re: I think you've got something here, Corey.
Heh... yup... Definitely a lot of paranoia in our profession!