Security for the Paranoid
Mark Burnett, 2005-04-26

Paranoia is the key to success in the security world. Is it time to worry when other security professionals consider you too paranoid?

"You can't ever find a place that's nice and peaceful, because there isn't any. You may think there is, but once you get there, when you're not looking, somebody'll sneak up and write F*** you right under your nose."
--J. D. Salinger, American Novelist

Something strange happened to me recently: a friend told me I was too paranoid when it comes to security. It was strange because he was the third person to tell me that in a couple weeks. Sure, I expect most people to call me paranoid, but these were all colleagues in the security industry. Is it time to worry when security professionals consider you too paranoid?

Most of my internet traffic goes through at least three firewalls. Is that too paranoid?

The first thing I did was try to understand the word paranoia. After checking a few dictionaries I found that it was a psychotic disorder characterized by delusions of persecution, grandeur, or excessive distrust. What is a delusion? It's a false belief held despite evidence to the contrary.

Are extreme security measures acting on false threats that don't really exist? Some consider some of my security strategies a bit extreme. I call it meticulous precaution. Sure, the threat might not be real. No one may ever actually want what you have on your PC. But does that really matter? Does the threat have to be real to warrant strong security?

Sometimes I have a "Password Day" where I change every password I own on the same day, just in case someone might happen to have one of my passwords. I frequently change my passwords after traveling.

It's not that I think someone is trying to hack me, but I also don't think someone is not trying to hack me. That's really not the point. There's no need to analyze the threat of every situation. Just practice strong security always and you should be okay.

I frequently see people posting PGP signed e-mails to security mailing lists. It's not that these people are afraid of someone actually spoofing fake comments from them on the latest CGI flaw; they just make it a practice to sign every e-mail, no matter how trivial it might be. Sure, these people are signing e-mails when it's really not important, but I doubt they get caught not signing when it is important. If you always practice the best security, you never have to worry about mediocre security.

I use very long passwords for everything, even with the lamest accounts I have. I require my kids to use at least 14-character passwords on our home network and I'm considering issuing them smart cards. No one else, not even my wife, knows my network password.

I don't just throw out shredded documents; I spread the shredded bits into my garden to use as mulch.

I don't do it because I think someone is going to go through my trash to reassemble bits of my research notes. I do it because it's good security. I try to run my own network the same way I tell my clients to.

Is this prudent and sensible proactive security or is it mental illness? Do you need a threat to practice the defense? I used to tell my clients to set files in their web content directories to read only. Some thought this was too extreme and too much of a hassle, but then along came a worm named Code Red that failed on all the clients who followed my advice.

I use a unique, secret e-mail address for each sensitive online account I have. I have always done that. I guess this would look paranoid to most people, but when I get e-mails from my bank, I can check which address they sent it to and see whether it is the secret one.
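The per-account alias check described above can be automated as a simple inbound-mail rule. The following is an added example written for this page, not code from the column or its author; it uses only Python's standard `email` module, and every domain, alias and brand name in it is a constructed placeholder. It also goes one step beyond the text: when the sender domain is not one we hold an alias for but the display name claims a tracked brand, it flags that separately, since a real bank would mail from its own domain.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed placeholders: one secret alias per sensitive account, keyed by the
# domain that account legitimately sends from. Aliases are stored lowercase.
ACCOUNTS = {
    "example-bank.test": {"alias": "bank-7k2q@mymail.example", "brand": "Example Bank"},
    "example-broker.test": {"alias": "broker-x91f@mymail.example", "brand": "Example Broker"},
}


def classify_message(raw: str, accounts=ACCOUNTS) -> str:
    """Classify one raw RFC 822 message against the per-account alias table.

    Returns one of:
      alias-match     sender domain is tracked and the mail went to its secret alias
      alias-mismatch  sender domain is tracked but the mail went elsewhere: either the
                      From header is forged or the public address was used instead
      brand-spoof     sender domain is untracked but the display name claims a
                      tracked brand
      unknown-sender  nothing to check; no alias rule applies to this sender
    """
    msg = message_from_string(raw)
    display_name, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()

    # Collect every recipient address from To and Cc, normalised to lowercase.
    header_values = msg.get_all("To", []) + msg.get_all("Cc", [])
    recipients = {addr.lower() for _, addr in getaddresses(header_values)}

    account = accounts.get(sender_domain)
    if account is not None:
        return "alias-match" if account["alias"] in recipients else "alias-mismatch"

    # Untracked domain: a display name that borrows a tracked brand is a spoof signal.
    for acct in accounts.values():
        if acct["brand"].lower() in display_name.lower():
            return "brand-spoof"
    return "unknown-sender"


# Constructed sample messages for the four cases.
GOOD_MESSAGE = """From: Example Bank Alerts <alerts@example-bank.test>
To: bank-7k2q@mymail.example
Subject: Your statement is ready

Your monthly statement is available.
"""

MISMATCH_MESSAGE = """From: Example Bank Alerts <alerts@example-bank.test>
To: me@mymail.example
Subject: Urgent: verify your account

Click here to confirm your details.
"""

SPOOF_MESSAGE = """From: Example Bank <security@mail-verify.example>
To: me@mymail.example
Subject: Account locked

Log in now to restore access.
"""

FRIEND_MESSAGE = """From: Bob <bob@friend.example>
To: me@mymail.example
Subject: Lunch?

Thursday work for you?
"""

if __name__ == "__main__":
    for label, raw in [("good", GOOD_MESSAGE), ("mismatch", MISMATCH_MESSAGE),
                       ("spoof", SPOOF_MESSAGE), ("friend", FRIEND_MESSAGE)]:
        print(f"{label:9s} -> {classify_message(raw)}")
```

The rule only tells you something when the alias is still secret: if an alias has leaked or been resold, a spoofed message sent to the correct alias comes back as `alias-match`, so this is a cheap first filter rather than a substitute for checking the message itself.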

Of all the changes Microsoft has made towards security in the last few years, the most notable in my opinion is that they now secure against threats that to many seem minor or that might not even exist. Is it insane and delusional for them to protect themselves from threats that haven't even been invented yet? Is it a senseless preoccupation to defend the inner layers rather than just focusing on hardening the outside?

I keep my PCs turned around so I can tell if anyone has installed a hardware keylogger.

I never check in luggage when I fly.

I do my Internet browsing from a locked down VMware box that has no rights on my network.

I use terrafly.com to see what others might be able to see about my home.

It takes five passwords to boot up my laptop and check my e-mail.

One of those passwords is over 50 characters long.

I also delete unused services on my servers. I block unused ports. And I install hotfixes the day Microsoft releases them.

Henry Kissinger said that "Even a paranoid can have enemies." The fact is that we don't know all the current and future threats so we might as well treat everything as high security. I do, but then perhaps I'm just paranoid.


Mark Burnett is an independent researcher, consultant, and writer specializing in Windows security. He is the author of Hacking the Code: ASP.NET Web Application Security (Syngress), co-author of the best-selling book Stealing The Network: How to Own the Box (Syngress), and co-author of Maximum Windows 2000 Security (SAMS Publishing). He is a contributor and technical editor for Special Ops: Host and Network Security for Microsoft, UNIX, and Oracle. Mark speaks at various security conferences and has published articles in Windows IT Pro Magazine (formerly Windows & .NET Magazine), Redmond Magazine, Information Security, Windows Web Solutions, Security Administrator and various other print and online publications. Mark is a Microsoft Windows Server Most Valued Professional for Internet Information Services.
Copyright 2010, SecurityFocus