The Perfect InfoSec Mindset: Paranoia + Skepticism

A little skeptical paranoia will ensure that you have the impulse to react quickly to new threats while retaining the logic to separate fact from fiction.

My latest superfluous and random supposition is that a dash of paranoia paired with a side of skepticism makes for the perfect security pro mindset.

Chances are if you’ve worked in the security field for any significant period of time, you’ve developed at least a slight modicum of paranoia. This is a pretty natural occurrence in our field. When you immerse yourself in the newest threat research, follow every new vulnerability, zero day, and breach disclosure, and see first-hand what the latest malware or exploits can do, it’s not that startling when you increasingly suspect random computer “glitches” are due to some sort of malicious ghost in the machine.

This increased level of paranoia -- perhaps better described as a general state of suspicion -- has certainly happened to me over my security career. Today, whenever a program crashes, my display flashes, or there’s any sort of “hitch” with my system, my immediate, knee-jerk impression is, “I’ve been hacked!”

Of course, if my thoughts ended there, my paranoia would be a very bad thing. While many of us informally consider paranoia as excessive suspicion or fear, it has a more clinical definition. Specifically, real paranoia is baseless or irrational fear. In other words, anxiety based on delusion.

Obviously, true delusional paranoia has no place in infosec. Panicked reactions to fictional threats are a recipe for disaster. However, I believe the proper dose of paranoia can be a good thing for security professionals. After all, it does increase your vigilance and quickens your response to threats. So how do you get the right dose? Temper your paranoia with a dash of skepticism.

When I say “skepticism,” I don’t just mean indiscriminate doubt. Rather, I’m talking about scientific skepticism. This is where you question new concepts or beliefs, not accepting them as truth until you have empirical evidence backing them up. Keep in mind, scientific skeptics don’t just dismiss unconventional ideas either. Even if something seems inconceivable today, that doesn’t necessarily make it untrue. Skeptical inquiry simply means you stay doubtful until you can prove something repeatedly with evidence.

This is why I believe a dash of paranoia, complemented with a healthy portion of scientific skepticism, can keep security professionals on their toes while solidly grounding them in reality.

Let’s put this little theorem to the test…

Remember BadBIOS, the incident where a well-respected security researcher warned of super-sophisticated, sci-fi-sounding malware? He claimed BadBIOS could infect any computer platform, could inject itself into your computer’s BIOS (making it nearly impossible to remove), and could even spread via high-frequency sound waves. If it weren’t for the researcher’s reputation, most would’ve dismissed his claims as paranoid delusions (which they may be).

How would a paranoid skeptic respond to news of BadBIOS? First, paranoia would kick in, putting you in a heightened state of alert. You’d remember that BIOS-infecting malware exists, and you’d recall variants of cross-platform Java-based attacks. You may have even read the latest research proving attacks can spread via audio transmissions. These thoughts would entice you into wanting to learn more and protect yourself.

However, before your paranoia turns into unjustified panic, your skepticism takes hold. You ask yourself: is there any evidence for this extraordinary claim? Is there a malware sample others have validated, or that I can analyze? Are there logs, transmissions, or any other evidence to corroborate the story? In the end, if evidence supports the claim, you’re not suffering paranoid delusions, and you should do something to protect yourself. However, if there is no evidence (which is the case with BadBIOS), you remain skeptical and take no action.

This skeptical paranoia ensures you have the impulse to react quickly to new threats, while retaining the logic to separate fact from fiction. In the end, I think a quote from the movie Catch-22 summarizes this idea more succinctly: Just because you’re paranoid doesn’t mean they’re not out to get you.

What do you think? Is a smidgeon of paranoia an asset to security professionals, or does it just turn us into doomsayers? Let me know in the comments.
