As a security administrator you do have to assume that “they are all out to get you”. Not you specifically, but the resources it is your responsibility to manage. They aren’t doing this because you are guarding the crown jewels of Denmark. Attackers are trying every doorknob on the street hoping to find one unlocked, not just trying the ones where they suspect there is a brand new LCD TV.
As a good security administrator you need to be systematic with your paranoia. Not only do you have to catalog the threats you face, you need to analyze and prioritize those threats. You need to do this in terms of the likelihood that the threat will be exploited and the possible damage a successful exploit will incur. Working out the likelihood of a threat being exploited is tricky, but as a rule of thumb the one where you have to hop on one leg on the 3rd Tuesday of the month when there is a full moon should be less likely to worry you than the one that is part of an automatic exploit tool available from a hackers website.
Paranoia can help when it comes to cataloging the possible threats, but don’t go overboard with it! Not every USB stick that a user finds on public transport is going to host nefarious software that will take over your network. Think about how you should respond. Is it better to send out an email to the people in your organization explaining why they might not want to plug a USB stick they found into their computer or is it better to apply software policies that restrict USB connections to a specific set of authorized devices? The answer to that question depends on your environment.
The key is to not spend more money protecting an asset than the asset is worth. Asset worth isn’t just a dollar value, it is the cost to the organization if that asset is completely 0wned by a nefarious third party. In some cases even if an asset is completely 0wned, the financial cost to your organization might be negligible. If someone defaces a website you regularly back up, you might be able to restore it pretty quickly at little cost to the organization (obviously this is a bit different if you are running an ecommerce site where the stakes are different). The amount of time and money you spend protecting a static website that hosts a list of the products your company makes is going to be different from an online shop where customers can actually order those products over the web.
Security dollars only stretch so far, so you need to make sure that the holes you plug are the ones that most need plugging. If you’ve got a team working with you, workshop your list of threats and get feedback on what others you work with consider to be the biggest security risks you face. Keep the list up to date. Take it out of the draw and look at it from time to time and ask yourself “have I got these priorities right?” As a part of your security process, systematize and schedule your paranoia.
