A little bit of paranoia is a good thing

Vendors will never explain that before buying their equipment an in-depth threat and risk assessment will help you decide whether their products are right for your business.

A story that’s been rattling around the media all week relates to the discovery of three zero-day vulnerabilities affecting the iPhone. Security vendor Lookout, along with the University of Toronto’s Citizen Lab research team, discovered the vulnerabilities had been weaponised to create a new spyware kit, which they branded ‘Trident.’

Trident completely compromises the iPhone. It allows the attacker to intercept all of the device’s communications channels and makes all the data stored on the phone available remotely.

This is the first time we’ve publically seen the iPhone so completely compromised. Apple’s had a pretty good reputation for building a good security model and assessing the software sold through the App Store, so up until now it’s seemed, from a security perspective, a good choice.

Trident was discovered because a naturally-paranoid human rights activist named Ahmed Mansoor in the United Arab Emirates (UAE) followed his instincts when he received a suspicious text message, and passed the link on to Citizen Lab.  

This story will undoubtedly make people somewhat paranoid. However, the lesson is that Mansoor was already a target and he knew it. He understood the threat from the UAE government and that is why he instinctively didn’t click on the enticing link.

This kind of targeted spear phishing is becoming commonplace, but luckily for Mansoor, his previous experiences allowed him to make the right decision. In effect, probably without necessarily knowing the underlying security process, he quickly assessed the risk, calculated the impact of it being malicious and decided to manage it by transferring it to the experts.

By knowing what the threats are, you can determine how to best treat the risks. So before you decide to buy the next generation security technology, which purports to thwart the “bad guys”, you need to ask yourself who those bad guys are, how motivated are they, and what means they have to attack you.

Security is not an attribute that can ever be guaranteed. It’s nothing more than a belief system that allows you to feel protected from the dangers that may be threatening you.

To become secure, especially from the perspective of buying products and services, you need to fully and implicitly understand the threats and how they need to be mitigated, so that all of the known methods of exploiting you have been addressed in one way or another.

Ahmed Mansoor understood that he was likely being targeted by the UAE government. He’s learned from experience that they would likely use malware to attack his IT, so he was naturally paranoid and expected this kind of attack.

A little bit of paranoia in business will certainly help you make better decisions, as long as that paranoia is based on fact, which you get through a threat assessment. So start there and feel comfortable in the knowledge that the rest of your security decision making will be from a sound footing.