Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Database Security
Authentication
Mobile
Privacy
Compliance
Careers and People
Identity & Access Management
Security Monitoring
Advanced Threats
Insider Threats
Vulnerability Management
Comments
The Perfect InfoSec Mindset: Paranoia + Skepticism
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
CNACHREINER981
CNACHREINER981,
 User Rank: Author
8/1/2014 | 3:42:14 PM
Re: Maybe not "paranoia"...
Good perspective... Getting distracted or misdirected by delusional issues is definitely something we want to avoid.... and I like your comment... "less about being paranoid and more about being prepared."  I do, however, think the rote nature of day in, day out IT and IT security does sometimes create some level of apathy among security folk... For instance, if you are so used to seing false positives, you may not hear the next time someone cries wolf for real...  Perhaps paranoia isn't the right word, since it's so tied to fear of something false, but I do think that Infosec pros need something to keep them on their toes enough to not ignore the real incident when it happens...

I believe in preparation, but I also know the right bad guy can slice through all our carefully crafted defenses, so we need some attribute that makes sure that we are never too confident in our own defenses...

Thanks for the counterpoint... I hoped other would share whether or not they thought paranoia could be valuable. 
CNACHREINER981
CNACHREINER981,
 User Rank: Author
8/1/2014 | 3:26:33 PM
Re: Paranoia and skepticism stop short of a "perfect" infosec mindset
That was a well done post John, and I agree. I guess when I was writing it I didn't really think much about my use of "prefect," as containing all aspects of what a infosec pro mindset was... In all honesty, it just started with the thought of does our tendency towards paranoia (or lack of trust) have any benefit, or is it a detriment...

That said, I totally agree that "enablement" should definitely be in every security pro's arsenal. As I mention, often I see security pros live in their "white tower" and impose seemingly draconian rules down on their users, with no real explanation why, nor with trying to figure out what the users needs are. I agree with you that this is the WRONG mentality, and it's why infosec is often perceived as a roadblock to innovation.

Rather, as you suggest, we need to learn what our users are trying to accomplish to get their job down (and help the business run). Then with can make the risk-based decision about how to allow the user to do this easily, without putting exposing to much risk (furthermore, sometimes the rewards to doing things someway may be big enough to accept the risk). This sort of communication helps users understand your perspective (trying to keep everything safe), while also providing what they've asked for.

Thanks for your addition, John. Good stuff!
CNACHREINER981
CNACHREINER981,
 User Rank: Author
8/1/2014 | 3:18:47 PM
Re: I think you've got something here, Corey.
I think you said this very well... And I like that you brought up risk management. When I started in Infosec, I began as a more techincal personality that thought mostly about the threat, and the prevention. I lived in a security "white tower," where I believed security meant beating back every possible threat, no matter the cost.

This is not the way to do profesional informations security...

Infosec is all about risk management We know that we can't beat every threat, and we should also know that our goal isn't perfect security, it is to make sure that our business can run with minimal risk... I like Risk-based security since it tries to more scientifically quantify threats (thought that can be hard), and only focuses on prevention and security practices that keep business running while minimizing risk...

Anyway... thanks for you comments... ^_^
ToopherLaura
ToopherLaura,
 User Rank: Apprentice
8/1/2014 | 1:28:04 PM
Maybe not "paranoia"...
While it is definitely true that a healthy dose of skepticism is necessary to effectively do your job in InfoSec, I don't believe that paranoia is the most effective way to achieve this (even when served up with a side of skepticism). If you're paranoid, you're getting distracted by  conspiracy theories and misdirected assumptions. In my opinion, the best way to approach today's cypersecurity landscape is with the understanding that there is always someone out there who is actively trying to steal your personal information, your secrets, your money – because they are. InfoSec should be less about being paranoid and more about being prepared. If your system is designed only to be used a certain way - what would it do if it were given an unfamiliar command, or put in an unnatural setting? Would it spew out information? Shut down? Or, deny access? Hackers are successful because they find ways to make a system accidentally do something it was never intended to do. Testing your system for unlikely and unthinkable - even obvious - faults isn't being paranoid, its being realistic. 
jfbauer01
jfbauer01,
 User Rank: Apprentice
8/1/2014 | 1:07:53 PM
Paranoia and skepticism stop short of a "perfect" infosec mindset
Corey, I enjoyed your article but I think the "perfect" infosec mindset needs "enablement" above and beyond paranoia and skepticism.  I expanded upon this claim on my recent blog post here: http://bit.ly/Xp7PlY
GonzSTL
GonzSTL,
 User Rank: Ninja
8/1/2014 | 9:38:34 AM
Re: I think you've got something here, Corey.
It has been said that there is a fine line between sanity and insanity. The same goes for paranoia in terms of information security. An antonym for paranoia is trusting, so the question is: how much trust can an InfoSec professional place on an unknown entity? I've been in IT for a very long time, and in that context, I begin with the assumption that I cannot trust anyone. That isn't to say that I go overboard because without some sort of balance, the paranoia becomes insanity. Risk management serves to provide that balance in the assessment phase, where actions (or inactions) are based on the analyses. Healthy doses of paranoia, skepticism, and sanity motivate InfoSec pros to research any perceived threat, and if there is no evidence to corroborate it, then theoretically, they give it the least regard. Now if you skip the research phase and straightaway go full bore into protection mode against that perceived but unqualified threat, then you are no longer teetering on the proverbial brink of insanity, but instead have gone over the edge. I have to admit that as I look down from that brink, the bottom looks awful dark, deep, and full of unknowns. That is why my passwords are a bit more complex than 12345, and I'm sure Dark Helmet approves of that practice.
Marilyn Cohodas
Marilyn Cohodas,
 User Rank: Strategist
7/31/2014 | 3:36:18 PM
Re: I think you've got something here, Corey.
But seriously here, folks. Do you think paranoia is an occupational hazard if you are in InfoSec? How do you know when you are going over the edge?
CNACHREINER981
CNACHREINER981,
 User Rank: Author
7/31/2014 | 3:00:43 PM
Re: I think you've got something here, Corey.
HA! So true!
j.h.keegan
j.h.keegan,
 User Rank: Apprentice
7/30/2014 | 4:44:50 PM
Re: I think you've got something here, Corey.
Another good one would be:

 

"a common mistake that people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools."

~Douglas Adams (Mostly Foolproof/Hitchhikers Guide to the Galaxy)
CNACHREINER981
CNACHREINER981,
 User Rank: Author
7/29/2014 | 4:03:09 PM
Re: I think you've got something here, Corey.
Heh... yup... Definitely a lot of paranoia in our profession!
Page 1 / 2   >   >>


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Improving Enterprise Cybersecurity With XDR
Enterprises are looking at eXtended Detection and Response technologies to improve their abilities to detect, and respond to, threats. While endpoint detection and response is not new to enterprise security, organizations have to improve network visibility, expand data collection and expand threat hunting capabilites if they want their XDR deployments to succeed. This issue of Tech Insights also includes: a market overview for XDR from Omdia, questions to ask before deploying XDR, and an XDR primer.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-34835
PUBLISHED: 2022-06-30
In Das U-Boot through 2022.07-rc5, an integer signedness error and resultant stack-based buffer overflow in the "i2c md" command enables the corruption of the return address pointer of the do_i2c_md function.
CVE-2021-40597
PUBLISHED: 2022-06-29
The firmware of EDIMAX IC-3140W Version 3.11 is hardcoded with Administrator username and password.
CVE-2022-30467
PUBLISHED: 2022-06-29
Joy ebike Wolf Manufacturing year 2022 is vulnerable to Denial of service, which allows remote attackers to jam the key fob request via RF.
CVE-2022-33061
PUBLISHED: 2022-06-29
Online Railway Reservation System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /classes/Master.php?f=delete_service.
CVE-2022-2073
PUBLISHED: 2022-06-29
Code Injection in GitHub repository getgrav/grav prior to 1.7.34.