Verizon Business Data Breach Investigations Report


Let's start off by saying you can find it here.

First, let's look at the first sentence of the conclusion:

The conclusion to our previous report began with the statistic that, in 87 percent of cases, investigators concluded that the breach could have been avoided if reasonable security controls had been in place at the time of the incident.

Now let's take a look at the very first line of the second paragraph of the conclusion:

In 2008, investigators concluded that 87 percent of the breaches could have been avoided through the implementation of simple or immediate controls.

Apparently someone took them to task for using the word 'reasonable' in the previous report, but I can't see how simple or immediate controls can't be viewed as reasonable. Especially after looking at the table of categorization of what should have been done (Figure 39).

I think, though, that the very last recommendation is my favorite: "Define "suspicious" or "anomalous" (and then look for whatever "it" is)". Why? Because to me it says pay attention, be reasonably paranoid, and do something about what you notice.

Phone vs Email


I think that all of us, at a fairly early age, were taught not to give out information over the phone. First, we had to be supervised, then slowly who and what we could talk about was enlarged until we were able to judge for ourselves what was prudent to disclose over the phone.

When a telemarketer calls, we tend to hang up the phone as soon as we figure it out. When someone calls asking for vital information, we hang up the phone. Some of us try to get information out of them to pass on to the authorities or the ones being impersonated. We all know that if someone calls claiming to be from TheBank not to trust them, and the best thing to do is to get a number and name to call them back, then go look up the number for TheBank and try to contact that person through the official channels.

It baffles me why the same caution isn't taken when people open their email. Do you know the person asking you for information? Does what they are offering seem realistic? How sensitive is the information they are requesting? Does sending someone money on a hope and a prayer make sense? Isn't there something a little hinky sounding about someone willing to pay you to receive and resend packages?

I'm seriously curious about the statistics because I feel like we hear about the email scams that people fall for all the time, but we don't often hear of telephone scams working. Is it just because phone scams aren't as sensationalist, or is it really as I perceive, that the email scams work much better?

We need to keep our reasonable paranoia when we sit down at our computers and realize that while it seems like a faceless machine everything that we see through it is created by people, some of whom really are out to get you.

Water heater "Emergency Shutdown"


A few years ago, I bought a condo (my first place, whoo). A couple months after I moved in, I received a nice flyer in the mail telling me "Apply This Updated Safety Sticker To Your Water Heater". Also on the address side of the card: Emergency Water Heater Shutdown Instructions DO NOT DISCARD

Well yay, I'm not actually sure that I know how to shut off my water heater if there's an emergency, so this will be useful. I flip it over and sure enough it has a safety inspection checklist, shutdown instructions, and directions on how to turn the gas off to the house. Then I notice along the bottom the phone numbers for the offices in the local area, not of the fire department, police, or any emergency services. No, it's for a plumbing company in the area.

I'm split on this; my reasonable paranoia says "hey, they tried to trick me into sticking their advertising on my water heater". My practical side says "they provided me with good, useful, generic information, maybe they deserve to be stuck to my water heater".

Which way would you go?

Job site annoyances


I'm in the midst of finding my next position. It's not an easy thing: crafting an appropriate resume or resumes (and everyone has opinions about what resumes should be like), going through the various job sites, growing your network, and finding good job leads for things that you want to be doing.

I'm perfectly happy to talk to recruiters, they can be great assets in the entire process from giving good critiques of resumes to actually getting you in for interviews and assisting with salary negotiations. I do value the good ones highly.

Which is why it is so annoying to me that since I've signed up with a particular site I seem to get a high amount of, for lack of a better term, job spam. I've received at least 3 emails that don't precisely say it, but work out to "come to our seminar to become ____" once you do a little research. Those are pretty easy to filter for the reasonably paranoid: they don't talk about you in anything other than vague terms ("we saw something in your resume"; that you are still breathing?) and they just feel sketchy.

The ones that are harder to discern whether they are actually legitimate contacts from potential job sources are the ones that look like recruiter contacts. I have a policy of typically not following links I get in email, and especially not following obfuscated links, so I wrote an email reply to the first of these that I received, but now having received a few more I think it's just a scam and I don't want to find where it leads. Again, I'm pretty sure it's a scam because it just feels off for some reason. I think maybe it's the letter itself:

Your resume was reviewed and passed on to our office. Your experience as Various was of interest. If you are still seeking a professional or executive career in the Information Technology sector or other fields, with pay between $60,000 and $500,000, please update your information here..

Doesn't that just scream professionalism and competence? It should make you stop and think: Is this legit? How might they be trying to scam me? Where does that link (the word here was linked) go to? If I go directly to their site does it look reasonable? If I google for them does it give me more information?
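One way to answer the "where does that link go to?" question without clicking is to pull every anchor out of the message body and compare what it shows with where it points. The script below is an added example, not code from the original post; it uses only the Python standard library and a constructed sample message loosely modelled on the recruiter mail quoted above (the hosts, IP address and query strings in it are made up). The three heuristics (display text that reads as a hostname but differs from the link's host, a query string that carries another URL either plainly or base64-encoded, and a bare IP address as the host) are assumptions chosen to illustrate the kind of checks the post lists, not a complete phishing filter.

```python
"""Inspect the links in an HTML email body before deciding whether to follow any.

Added example (not the blog's own code). Standard library only; the sample
message and all hostnames/addresses in it are constructed for illustration.
"""
import base64
import binascii
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample body: one tracking link behind the word "here", one
# redirect-style link whose visible text names a different host, and one
# ordinary link whose text matches its target.
SAMPLE_HTML = """
<p>Your resume was reviewed and passed on to our office.</p>
<p>Please update your information
<a href="http://198.51.100.7/track.php?u=aHR0cDovL2V4YW1wbGUuY29t">here</a>.</p>
<p>Or visit <a href="http://login.example.net/go?url=http://careers.example.com">
careers.example.com</a> directly.</p>
<p>Our site: <a href="https://www.example.com/about">www.example.com</a></p>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a href=...> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Collapse whitespace so text split across lines compares cleanly.
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def _strip_www(host):
    return host[4:] if host.startswith("www.") else host


def _looks_like_host(text):
    # Display text such as "careers.example.com" that a reader takes for a destination.
    return " " not in text and "." in text and not text.endswith(".")


def _embedded_url(value):
    """True if a query value is itself a URL, plainly or base64-encoded."""
    if value.lower().startswith(("http://", "https://")):
        return True
    try:
        padded = value + "=" * (-len(value) % 4)
        return base64.b64decode(padded, validate=True)[:4].lower() == b"http"
    except (binascii.Error, ValueError):
        return False


def inspect_link(href, text):
    """Return the list of reasons a link deserves a second look (empty if none)."""
    reasons = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    if host and host.replace(".", "").isdigit():
        reasons.append("host is a bare IP address")
    if _looks_like_host(text) and _strip_www(text.lower()) != _strip_www(host):
        reasons.append("visible text names a different host than the link target")
    for values in parse_qs(parsed.query).values():
        if any(_embedded_url(v) for v in values):
            reasons.append("query string carries an embedded URL (redirect/tracker)")
            break
    return reasons


def inspect_email(html):
    """Return [(href, text, reasons), ...] for every link in the message body."""
    collector = LinkCollector()
    collector.feed(html)
    return [(href, text, inspect_link(href, text)) for href, text in collector.links]


if __name__ == "__main__":
    for href, text, reasons in inspect_email(SAMPLE_HTML):
        status = "; ".join(reasons) if reasons else "nothing odd"
        print(f"{text!r} -> {href}\n    {status}")
```

Run against the sample, the first two links are flagged (IP-literal host plus an encoded URL in the tracker; mismatched display text plus a plain redirect parameter) and only the last, whose text matches its target, comes back clean. The same routine can be pointed at a saved `.eml` body to answer the post's question before anything is clicked.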

Just goes to show, there's never a time when it's not reasonable to be paranoid.

Planning for failures


Things break, it happens, we know it happens. It’s why we have an MTBF (mean time between failures) measurement, why we have “days without injury” signs, why we know that things are, at some point hopefully far away, going to go ass over tea-kettle, go south, or whatever other euphemism for feces projectiles colliding with the air-relocation device.

We already do disaster recovery (DR) planning, but do we do much in terms of planning for other failures? In your DR plan you have who gets notified when, when the plan comes into effect, what the steps are, what reports need to be created, and what steps are needed to go back to situation normal.

Do you have a similar plan for a virus outbreak? How about a compromised system? What about a subpoena being handed to your organization for records?

Doing something similar on a smaller scale for how to react to various things may highlight where your technicians, your managers, and your execs have differing views on what the process should be. Setting the process and procedures so the manager keeps the execs off the techs as they get things worked out or done will help the techs perform better, and having the previously agreed upon procedure will help the manager keep the execs at bay. Granted, it might also mean that after the event the executives want to re-write the process. Just remember that planning is best done when there isn’t an event in motion and everyone has their priorities in a knot while being pressured to resolve and fix everything immediately. Plans also need to have flexibility in them so that when things go sideways you have minor adjustments to make instead of scrapping the plan and running around headless.

One way to get at least a skeleton of a plan would be to have each participant in a potential event write up their time-line: what they will do and when they will do it. Once that data has been collected and collated, it is likely that a meeting or two will allow you to fully flesh out the procedures for an event and have them documented, so when an event happens you have something to use, either to know what to do, or to keep the right people away from the workers so they can get things accomplished.

Now we’ve taken our reasonable paranoia to get from things break to having a plan for when they do so everyone can succeed.

Introduction


Welcome to ReasonableParanoia! (dot com)

What is reasonable paranoia? It's a state of mind, of being. Remember back in driving school when they taught you to be a defensive driver? I grew up in an area (Hello DC) where if you didn't stake your claim to a piece of pavement someone else would definitely take it away from you. So you needed to be offensive in your driving style. I used to call the combination of those two 'offensive defensive' driving.

The same principles are at work here; in computer security we tend to be paranoids. It helps in a lot of situations when we can imagine all the bad things that some evil hacker overlord wants to do to us, our network, our information, our bank account, our credit score, and everything else that could cause us harm and involves a computer. If we were truly paranoid, we'd become luddites and use stone tablets again, but since that doesn't help with our daily lives and our professional work we're stuck with having to be reasonable in our paranoia.

While we can imagine someone getting past our firewall, we keep it because we know it reduces the number of attacks that make it onto our network. While we can imagine someone compromising a travelling laptop, we still allow them VPN access back into our network. While we know that there is polymorphic virus code out there, we mostly rely on virus signatures because it still protects us from most of them.

But it isn't just that, because sometimes they really are out to get you, and the right thing is to be paranoid! For some reason I haven't quite understood, people seem convinced that something is true because their computer told them so. They've forgotten that computers didn't evolve into sentience while we weren't looking, they are human creations, humans programmed them, and humans are behind everything that a computer presents to them. Maybe, just maybe, if they looked at what a computer tells them as if it was a person they didn't really know standing in front of them, they'd have the right level of reasonable paranoia.

Thus it begins, let's have some fun and be reasonably paranoid.

June 2009