
Michael Sutton

In Security, Know That You Know Nothing

Only when security professionals become aware of what they don't know, can they start asking the right questions and implementing the right security controls.

As I head into one of the most popular security conferences of the year, Black Hat, there are a few things that I expect to be top of mind for security professionals, both at the show and in the various enterprises where they work. In security today, everyone claims to know what the problem is and how to solve it, but the challenge is to sift through the noise and understand where the true vulnerabilities lie. Regardless of all the tools an enterprise might have, its assumptions, such as trusting encryption alone to protect data or believing that every security threat can be identified, can quickly lead to a compromise.

The truth is that although security measures may work, industry professionals can’t set them and forget them, or operate under false assumptions. They need real visibility, they need to accept that they won’t always know what to look for and, ultimately, they need to take proactive steps to keep up with and get ahead of possible threats. Only when security professionals become aware of what they don’t know can they start asking the right questions and implementing the right security controls. Here are a few things I’m most concerned with.

Encryption, a double-edged sword
Encryption has been a hot topic of discussion for some time, most recently at the center of the FBI vs. Apple debate. And it’s one of the most important tools in security, especially when an organization is not in control of its data. But, as an industry, we’ve been ignoring a very real threat that comes with encryption: malicious traffic can breach an organization’s security when it is masked with encryption. Encryption protects hackers as much as it protects a business.

The issue is exacerbated by the fact that we are rapidly headed toward ‘encryption by default’ on all major Internet properties, meaning traditional passive packet sniffers can’t observe what’s coming in. And as hackers continue to breach organizations, they benefit from that default encryption even when they did not deliberately set out to leverage SSL/TLS.

As such, organizations need to accept that they can’t know what is being hidden inside encrypted traffic. From there, they can begin a conversation about how to manage encrypted data and gain visibility into it to prevent an attack. Once the right people are involved and concerns are ironed out, the right technology can be put in place. Put simply, organizations can no longer assume that because traffic is encrypted, everything is safe.

We can’t protect what we can’t see
Encryption is one reason why data may not be visible, but increasingly, even when unencrypted, security teams simply do not have access to employee traffic. Gone are the days when employees leveraged corporate laptops connected to enterprise Wi-Fi to store data on in-house servers. Today, even when an employee is sitting at their desk they might be leveraging a personal device on a 3G/4G network to store data on Dropbox.

Security teams need to adapt to this new reality. We cannot assume that network traffic will travel a "preferred" path. We cannot have differing levels of security and visibility based on the device an employee has chosen to use and where they’ve decided to work today.

We don’t know what to look for
There seems to be a false assumption in security that we know what to look for and how to go about it when scanning for threats. But this is not the case. Traditional signature-based security controls just aren’t good enough. Further, threats are constantly evolving, and hackers have grown savvy to what organizations are looking for. Ransomware, for example, has proven to be a blunt wake-up call for enterprises relying solely on static signature-based controls.

Even when an organization does know what to look for, there are encroaching factors that make this methodology less than optimal. SSL/TLS encryption makes signatures pointless on traffic that cannot be inspected. Mobility means that traffic is not always within the scope of an organization’s control. And cloud-based services have created another space that organizations don’t always have access to.

Security professionals need to be aware of this gap in knowledge and find ways to bridge it with tools that let them become aware of new and evolving threats as they happen. Only then can they be better at catching hackers who are banking on the use of traditional signature-based security models.

The need for a proactive approach
It’s apparent that security is not completely attuned to threats and their origins. What’s needed is a proactive stance, one that focuses on gaining visibility into encrypted traffic, along with processes that screen for and adapt to new threats as they happen. The enterprise cannot function under false assumptions that will only guarantee a breach down the line. So as you head into the sessions and solutions expo at Black Hat (or read about them on Dark Reading), know what you don’t know and work to change that as much as possible.

Black Hat USA returns to the Mandalay Bay in Las Vegas, Nevada, July 30 through Aug. 4, 2016.

Michael Sutton has dedicated his career to conducting leading-edge security research, building world-class security teams and educating others on a variety of security topics. As CISO, Sutton drives internal security and heads Zscaler's Office of the CISO. Zscaler has built ...

User Rank: Ninja
7/27/2016 | 10:52:51 AM
a proactive approach

A proactive approach makes sense to me. Obviously hackers are proactive, so the only solution is to be a counter-puncher.
User Rank: Ninja
7/27/2016 | 10:50:57 AM

Encryption is just another overloaded word. Now people have started thinking that once you have encryption you are good to go. Unfortunately that is not the case: if your end device is compromised, encryption cannot help you.
User Rank: Ninja
7/27/2016 | 10:50:39 AM
Re: You do not know what you do not know
"the faster we realize we operate most of the time in the dark"

Good point. This is like unknown unknowns. Hard to make sense of, but it still needs to be part of the effort.
User Rank: Ninja
7/27/2016 | 10:48:33 AM
Re: Completely agree
"it's necessary to deal with the unknown and not only focus on what we know "

Good point. What we know is most likely not going to be the pain point.
User Rank: Ninja
7/27/2016 | 10:46:50 AM
Know That You Know Nothing

Know That You Know Nothing? Agree. That is how it needs to start. Make no assumptions; check everything again and again.
User Rank: Ninja
7/26/2016 | 10:52:03 PM
You do not know what you do not know
This is such a true statement and a reminder for all of us that at all times, and after each small victory against hackers, the game is back on. Hackers will find new ways to get to the data they seek and will use zero-day threats and all other technology at their fingertips, including encryption, to deceive and reach their goal. This seems like a dooming reality for IT security professionals, but the faster we realize we operate most of the time in the dark, the sooner we will get wise about searching for the unusual, the uncommon, the odd event.
User Rank: Apprentice
7/26/2016 | 1:51:47 PM
Completely agree
I 100% agree with your point of view, and according to me that's even a part of the definition of security: we must plan for what we ignore, guess what we don't see and search for what's hidden. In other words, it's necessary to deal with the unknown and not only focus on what we know. And then cross our fingers that we did it well :). Socrates said "I know that I know nothing" and later Descartes advised doubting everything to improve and be sure of what we consider true. It could be a good method in security to avoid errors and do a perfect job.