
Vulnerabilities / Threats

7/26/2016 10:30 AM
Michael Sutton
Commentary

In Security, Know That You Know Nothing

Only when security professionals become aware of what they don't know, can they start asking the right questions and implementing the right security controls.

As I head into Black Hat, one of the most popular security conferences of the year, a few things are likely to be top of mind for security professionals, both at the show and in the enterprises where they work. In security today, everyone claims to know what the problem is and how to solve it; the challenge is to sift through the noise and understand where the true vulnerabilities lie. Regardless of the tools an enterprise has deployed, its assumptions, such as trusting encryption to protect data or believing that every security threat can be identified, can quickly lead to a compromise.

The truth is that although security measures may work, industry professionals can’t set them and forget them, or operate under false assumptions. They need real visibility, they need to accept that they won’t always know what to look for and, ultimately, they need to take proactive steps so they can keep up with, and get ahead of, possible threats. Only when security professionals become aware of what they don’t know can they start asking the right questions and implementing the right security controls. Here are the things I’m most concerned with.

Encryption, a double-edged sword
Encryption has been a hot topic of discussion for some time, most recently at the center of the FBI vs. Apple debate. It is one of the most important tools in security, especially when an organization is not in control of its data. But, as an industry, we’ve been ignoring a very real threat that comes with encryption: malicious traffic can cross an organization’s security boundary unnoticed when it is masked by encryption. Encryption protects hackers as much as it protects a business.

The issue is exacerbated by the fact that we are rapidly headed toward ‘encryption by default’ on all major Internet properties, meaning traditional passive packet sniffers can’t observe what’s coming in. Hackers who breach organizations benefit from this even when they are not deliberately leveraging SSL/TLS encryption; the traffic they ride on is encrypted by default.

As such, organizations need to accept that they can’t know what is being obscured by encryption. From there, they can begin a conversation about how to manage encrypted traffic and gain visibility into it in order to prevent an attack. Once the right people are involved and the concerns are ironed out, the right technology can be put in place. Put simply, organizations can no longer assume that because traffic is encrypted, everything is safe.

We can’t protect what we can’t see
Encryption is one reason why data may not be visible, but increasingly, even when traffic is unencrypted, security teams simply do not have access to it. Gone are the days when employees used corporate laptops connected to enterprise Wi-Fi to store data on in-house servers. Today, even when employees are sitting at their desks, they might be using a personal device on a 3G/4G network to store data on Dropbox.

Security teams need to adapt to this new reality. We cannot assume that network traffic will travel a "preferred" path. We cannot have differing levels of security and visibility based on the device an employee has chosen to use and where they’ve decided to work today.

We don’t know what to look for
There seems to be a false assumption in security that we know what to look for, and how to look for it, when scanning for threats. This is not the case. Traditional signature-based security controls just aren’t good enough. Further, threats are constantly evolving, and hackers have grown savvy to what organizations are looking for. Ransomware, for example, has proven to be a blunt wake-up call for enterprises relying solely on static signature-based controls.

Even when an organization does know what to look for, there are encroaching factors that make this methodology less than optimal. SSL encryption renders signatures useless, because the payload they would match against cannot be inspected. Mobility means that traffic is not always within the scope of an organization’s control. And cloud-based services have created another space that organizations don’t always have access to.

Security professionals need to be aware of this gap in knowledge and find ways to bridge it with tools that let them become aware of new and evolving threats as they happen. Only then can they get better at catching hackers who are banking on the use of traditional signature-based security models.

The need for a proactive approach
It’s apparent that security is not completely attuned to threats and their origins. What’s needed is a proactive stance: one that focuses on gaining visibility into encrypted traffic, along with processes that screen for new threats and adapt to them as they happen. The enterprise cannot function under false assumptions that will only guarantee a breach down the line. So as you head into the sessions and the solutions expo at Black Hat (or read about them on Dark Reading), know what you don’t know, and work to change that as much as possible.

Black Hat USA returns to the fabulous Mandalay Bay in Las Vegas, Nevada July 30 through Aug. 4, 2016. Click for information on the conference schedule and to register.

Michael Sutton has dedicated his career to conducting leading-edge security research, building world-class security teams and educating others on a variety of security topics. As CISO, Sutton drives internal security and heads Zscaler's Office of the CISO. Zscaler has built ...

Comments
Dr.T, User Rank: Ninja, 7/27/2016 | 10:52:51 AM
a proactive approach

A proactive approach makes sense to me. Obviously hackers are proactive, so the only solution is to be a counter-puncher.
Dr.T, User Rank: Ninja, 7/27/2016 | 10:50:57 AM
Encryption

Encryption is just another overloaded word. Now people have started thinking that once you have encryption you are good to go. Unfortunately that is not the case; if your end device is compromised, encryption cannot help you.
Dr.T, User Rank: Ninja, 7/27/2016 | 10:50:39 AM
Re: You do not know what you do not know

> "the faster we realize we operate most of the time in the dark"

Good point. This is like unknown unknowns. Hard to make sense of, but it still needs to be part of the effort.
Dr.T, User Rank: Ninja, 7/27/2016 | 10:48:33 AM
Re: Completely agree

> "it's necessary to deal with the unknown and not only focus on what we know"

Good point. What we know is most likely not going to be the pain point.
Dr.T, User Rank: Ninja, 7/27/2016 | 10:46:50 AM
Know That You Know Nothing

Know That You Know Nothing? Agree. That is how it needs to start. Make no assumptions; check everything again and again.
JulietteRizkallah, User Rank: Ninja, 7/26/2016 | 10:52:03 PM
You do not know what you do not know

This is such a true statement and a reminder for all of us that at all times, and after each small victory against hackers, the game is back on. Hackers will find new ways to get to the data they seek and will use zero-day threats and all the other technology at their fingertips, including encryption, to deceive and reach their goal. This seems like a dooming reality for IT security professionals, but the faster we realize we operate most of the time in the dark, the sooner we will get wise about searching for the unusual, the uncommon, the odd event.
paulno, User Rank: Apprentice, 7/26/2016 | 1:51:47 PM
Completely agree

I 100% agree with your point of view, and to me that's even part of the definition of security: we must plan for what we ignore, guess what we don't see and search for what's hidden. In other words, it's necessary to deal with the unknown and not only focus on what we know. And then cross our fingers that we did it well :). Socrates said "I know that I know nothing," and later Descartes advised doubting everything in order to improve and be sure of what we consider true. It could be a good method in security to avoid errors and do a perfect job.