This is the 10th blog in a series about security and how security is about how you think.
I wish I knew who coined the phrase “You’re not really paranoid if they are out to get you.” The typical response to many security practices is one of skepticism, to the point of “Why do I have to do that? Nothing usually goes wrong.” Pick a security mechanism or “best practice” (in security lingo) and there will always be push-back by people on why they have to do it.
But are all security professionals paranoid? Do we all look at the glass of water as “half-empty” pessimists (or even worse, “empty”) rather than “half-full” optimists? Are we really paranoid that the next big problem is just waiting around the corner?
Honestly, the answer to that is a resounding “yes”. Part of being a security professional is always thinking about how things can go wrong. Input data will overflow a buffer. A default password won’t get changed. People are always looking for the easy way out by clicking through a dialog box to get their job done. “Hey, I got it to work” is as far as they go. And if you’ve got some valuable assets (information or money), people will always be looking to take it. It’s just part of the normal day to think this way. That’s what security professionals get paid to do.
But that mindset is really at the heart of what this blog is trying to do. It’s about changing the way that people think – not to be really pessimistic, but to do “due diligence” with regard to security and be “complete” about that thinking. There are no shortcuts to good security.
Is it perfect? No, but that is the ultimate goal. It falls into the “you don’t know what you don’t know” bucket: you only know about the information that you can confirm and are oblivious to attacks or information that you don’t know about. Knowing that my toaster will explode if I put socks into it and set it to “bagel” is an attack that I wouldn’t usually think about because no one puts socks in their toaster. But to be totally secure, I’ve got to ensure that doesn’t happen. And I always have to be thinking of new and interesting attacks to make sure that I’m totally secure. I’ve got to spend some time during the day thinking of different ways (both logical and maybe some illogical) to discover new attacks and new ways that I have to secure my environment.
Is it a bad thing to be this paranoid? No – security is about preparedness and understanding of the environment – and this mindset is even more important in mission-critical, high-value environments, like those which use the ClearPath Forward systems. These systems are used by businesses which need the best security for their data, and they put their faith in the ClearPath Forward systems because Unisys has already done the thinking for them in the architecture. By doing that, they can use their paranoia in other places, knowing that the ClearPath Forward is secure.
Do I need to be that paranoid about all computers in my life? Well, it depends. Do I need an activity log on my smartphone (so that I can see everything that happens there and judge whether it’s good or bad)? Probably not, unless I save my banking account information and secret passwords there – then it may be a good idea. Do I use it as an authenticator (like with Apple Pay)? Well, then I need to make sure that I know where it is at all times so no one else can use it in my place.
So, it’s not *really* paranoia that is at the heart of the security professional. It’s really the way of thinking that separates security professionals from others. Most security professionals are skeptical of what is said until they can try to break it. They know that if they can understand how it works, completely, then they can determine whether it is totally secure or not. Again, as we’ve seen other times in this blog, it comes down to how you think about security.