The InfoSec Blog

On ‘paranoia’ – revisiting “Paid to be paraoid”

Posted by Anton Aylward

My fellow CISSP and author Walter Jon  Williams observed that

Paranoia is not a part of any mindset. It is an illness.

Ah, Walter the literalist!

Yes I agree with what you say but look at it this way

"We're paid to be paranoid" doesn't mean we're ill.
It's a job.

Now if your job is an obsession, one you take home with you and it interferes with your family life, that you can't let go, then its an illness whatever it is.

"We're paid to be paranoid"

Its a job. You don't pay us Information Security Professionals to be pollyannas, to have a relaxed attitude.

“Paid to be paranoid”

Posted by Anton Aylward

Read the first four paragraphs of this:

Forget the rest, forget that its about 'creative writing', just answer that question.

Bruce Schneier among other, myself included, have asked questions like that. Are you 'paranoid' enough to be in the security business?

Robert Slade

One of my colleagues, Rob Slade  yes *that* Rob Slade when he is teaching in Toronto, usually asks me to come along to talk for an hour to his students about "The CISSP Experience".
The first thing I ask the class is if there are any active or ex-military or law enforcement people present. To date there never have been, and to be honest it leaves me with a bit of a "Bah Humbug!" feeling when the class is really a company stuffing its IT department through the course and exam "for the numbers". Rob has some cynical comments to add but don't forget for him it's a days work and a days pay.

I'm also hit on for a variety of reasons by kids (even postgraduates) who "want to break into" -- yes that's the words they use, ironic isn't it? -- the security business. I suppose because the press makes it look more glamorous than just being a programmer or sysadmin. I keep telling them that its experience that counts, not certifications; too many, especially those from Asia, seem to think that a certification is badge that gets you work. Not so. Mind you, locally the recruiters cant seem to tell what makes InfoSec different from IT.  But that's a subject for another time.

And hence the opening lines to Holly's blog.
No, Holly, you're not alone; many true security professionals, be it Infosec, military or law enforcement, think like that.

  • What is the 'attack surface'?
  • What are the potential threats? How to rate them?
  • How can I position myself to minimise the effect of an attack?
  • What is the 'recovery mode' (aka: line of retreat)?

If you can't do this, then you shouldn't be in "Security".

Learning to Counter Threats – Skills or Ethics?

Posted by Anton Aylward

Fellow CISSP  Cragin Shelton made this very pertinent observation and gave me permission to quote him.

The long thread about the appropriateness of learning how to lie (con, `social engineer,' etc.) by practising lying (conning, `social engineering', etc.) is logically identical to innumerable arguments about whether "good guys" (e.g. cops and security folk) should teach, learn, and practice

  •  writing viruses,
  •  picking locks,
  •   penetrating firewall-protected networks,
  •  cracking safes,
  •  initiating and exploiting buffer overflows, or
  •  engaging in any other practice that is useful to and used by the bad guys.

We can't build defenses unless we fully understand the offenses. University professors teaching how to write viruses have had to explain this problem over and over.

Declaring that learning such techniques is a priori a breach of ethics is short-sighted. This discussion should not be about whether white hats should learn by doing. It should be about how to design and carry out responsible learning experiences and exercises. It should be about developing and promoting the culture of responsible, ethical practice. We need to know why, when, how, and who should learn these skills.

We must not pretend that preventing our white hatted, good guy, ethical, patriotic, well-intentioned protégés from learning these skills will somehow ensure that the unethical, immoral, low breed, teen-vandal, criminal, terrorist crowds will eschew such knowledge.

I have grave reservations about teaching such subjects.

Upside and downside: How I hate Journalists

Posted by Anton Aylward

And this doesn't actually stop them form making use of 'insider information' they just have to declare it within 30 days.

No, wait, sorry ... you mean that the legislators are saying that legislators shouldn't do something that is illegal anyway? Or that, if they do something that is already illegal, it is OK as long as they declare it within 30 days? ...

It gets worse:

I'd like to claim the system is rigged so 'the rich get richer' but if I did that some people who claim they are right wing would accuse me of being left wing. Indeed, this tells me that their political outlook has not progressed since 20 June 1789. This one-dimensional view fails to describe the rich variety of political attitudes in the Washington, never mind the rest of the USA and points elsewhere on the physical compass.

Just those two show we need more that 4 axes to describe a political stance. But as I mentioned in a previous post, journalists are simple-minded and expect the rest of the world to be as limited in outlook and understanding.

Try this test:

How does this all relate to InfoSec, you ask.
Well part of that Political Compass is a view of 'how authoritarian'.
And that gets back to issues we have to deal with such as Policy and Enforcement, Do We Let Employees have Access to the Internet, and the like.

Hans Eysenk pointed out that the right wing (e.g. Fascism and Nazism) had a lot in common with the left wing (communism). Both are repressive, undemocratic and anti-Semitic. So on these issues, at least, the left-right distinction is meaningless.

How many more such simplistic distinctions such as those foisted on us by journalists are equally meaningless.

Some while ago my Australian fellow ex-pat Les Bell, who apart from being a CISSP is also a pilot, pointed out to me that the method of 'root cause analysis' is no longer used in analysing plane crashes. The reality is that "its not just one thing", its many factors. We all know that applies in most areas of life.

I suspect most people know that too; its not restricted to the digerati.
There is the old ditty that explains how because of a nail an empire was lost, but no-one is proposing that we fix the failing of the "American Empire" by manufacturing more nails.

Except possibly Journalists.


Enhanced by Zemanta

He’s not Ian Paisley

Posted by Anton Aylward

Image of Ian Paisley cropped from Image:Ian_Pa...

Image via Wikipedia

I was at a presentation yesterday.
One of the vendor's speakers, I'm sorry to say, was a CISSP.

OK, he wasn't Ian Paisley or any other radical religious zealot.

BUT his was hectoring us and telling us that the Devil is out there gathering sinners (aka botnets) and tempting us (with web sites and spam) and just watch what he says: we must open our hearts to Christ (aka his company's products) and be SAVED by following the One True Faith (only buying his company's products) and repenting for our sins (having is company come in and do all the scans, consulting and so forth).

I was inoculated against the religious hectoring meme at a young age, but its still fascinating to watch. But like with religion, there are always people who are susceptible, and sadly, always groups willing to give such people a platform.

To be fair, that day's event also had some good speakers. It had some straight forward and 'humble' people who explained matters clearly and without drama, stated the issues and the scopes of threats and
vulnerabilities and how and why their product id what it did.  All without the drama, all without the hectoring or intimidation.

Enhanced by Zemanta

Throwing in the towel

Posted by Anton Aylward

I was saddened to hear of an InfoSec colleague who met with overwhelming frustration at work:

After two years of dealing with such nonsense, I was forced to resign
within two months of discovering a serious security issue which possibly
jeopardized overseas operations. I have since found out that they are
selling the company and didn't want any who knew the problems around.

Thank you.
Speaking as an auditor who occasionally does "due diligence" with respect to take-overs, you've just shown another use for LinkedIn - contacting ex-employees to find out about such problems.

Certainly a lot of employees leaving or being fired in the couple of years before the pending acquisition is a red flags, eh?

People under extreme stress may behave unpredictably and have limited capacity for rational thought

Posted by Anton Aylward

Les Bell, another ex-pat Brit who lives in Australia was discussing the importance of training and reinforcement in such matters as DR/BCP.  Les is also a pilot and so many of his analogies and examples have to do with piloting and aircraft.

Part of our discussion has a much wider scope.
Les had said:

"People under extreme stress may behave unpredictably and have limited capacity for rational thought"

This is the basis of much of pilot training, particularly in simulators, where procedures that are too dangerous to be attempted in a real aircraft can be repeated until drills are automatic.

Don't quote me on this, but I seem to recall reading in an aviation safety-related article that in an emergency, something like 50% of people lose it to the extent that they are completely unable to cope, 25% are capable of functioning with some degree of impairment, and 25% of people are able to complete required tasks correctly. Training by means of drills and rehearsals is able to correct that situation to a considerable extent.

Therefore in BCP/DRP planning, it's important to - as far as possible - simulate an emergency, rather than just story-boarding it, or doing a whiteboard walkthrough. Hence the requirement for fire drills, evacuation drills and the like; repetition conditions the mind to perform the task correctly under stressful conditions.

Most of us don't get the chance to do a full interruption test for our DRP, but the closer we can get, the better.

Training - drill and reinforcement so that you can carry out the actions automatically even when extreme stress has completely blanked and cognitive functions - is an important part of military "boot camp" training and one reason I find it so comical that CISSP course training gets called "boot camp".

Les is quite right.  For a variety of reasons most people "loose it" under extreme stress.  This is why military heroes, people who can hang in there and think clearly and make critical decisions,  are held in such esteem.   Similarly test pilots (and those test pilots who became the early astronauts).  Having lightening fast reactions (racing drivers) and being in top physical condition helps, but there is something more.

Some authorities look to the old American 'gunslingers' and speculate about how the adrenaline rush in such situations is handled by the body and the brain.   Typically all that adrenaline pumps up the muscles for "fight or flight" and in such panic or near panic situations rationality is not the key issue.  But if we shift from the evolutionary context to the 'gunslinger', standing still means that there is a lot of 'shakes'.  Being able to stay calm and not have the shakes leads to being a sucesfull 'gunslinger'.   Evolution in action?

There are other forms of stress as well.   I've seen sysadmins who have been up for more than 30 hours trying in futile to solve a problem that to me, well rested, is simple and obvious.

The lesson here is two-fold.   The first is the point that Les makes.  Train and reinforce.
The second is that when the disaster does strike be aware that the stress will load up on fatigue and that stressed and fatigued people do not make good decisions.  Rest, shifts, alternates, standard plans and scenarios that can work to relieve the stress are important.


Posted by Anton Aylward


Its one of those bootstrap problems - the new CISSPs who need to read the information can't get at the FAQ on how to sign up for the CISSPForum because they need to be members of the forum in order to read the instructions.

Yes, I know the information is at the (ISC)2 web site, but that's an incredibly difficult site to navigate.

Because of this, Gary Hinson and myself, each quite independently, took the CISSP Forum FAQ and converted it to a web page, adding hyperlinks etc. The two pages are at:

Both sites are very rich, but very different in nature. Gary makes use of custom mind-maps to assisit in navigation, whereas the Wiki allows for registered members - CISSPs - to contribute.

The CISSP Forum at YahooGroups is very active. It is not a purely technical group, but an active support group for CISSPs. It handles well over 1,000 messages a month and is the kind of "social network" that some vendors would pay millions of dollars to own - if it wasn't a closed group that spurns advertising.

The astounding thing is that so few CISSPs know about it. (ISC)2 seems to make no effort to publicise it to people as they gain their certification.
If you are a CISSP, visit either of those two pages, or better still go directly to the (ISC)2 web page for registration - - and sign up.

Technorati Tags: , , , ,

Enhanced by Zemanta