10:30 AM
Michael Sutton

In Security, Know That You Know Nothing

Only when security professionals become aware of what they don't know can they start asking the right questions and implementing the right security controls.

As I head into one of the most popular security conferences of the year, Black Hat, there are a few things that I expect to be top of mind for security professionals both at the show and in the various enterprises where they work: In security today, everyone claims to know what the problem is and how to solve it, but the challenge is to sift through the noise and understand where the true vulnerabilities lie. Regardless of all the tools an enterprise might have, its assumptions—like those in encryption’s ability to protect data or that every security threat can be identified—can quickly lead to a compromise.

The truth is that although security measures may work, industry professionals can’t set them and forget them—or operate under false assumptions. They need real visibility, they need to be aware that they won’t always know what to look for and, ultimately, they need to take proactive steps to ensure they can keep up and get ahead of possible threats. Only when security professionals become aware of what they don’t know can they start asking the right questions and implementing the right security controls. Here are a few things I’m most concerned with.

Encryption, a double-edged sword
Encryption has been a hot topic of discussion for some time, most recently at the center of the FBI vs. Apple debate. And it’s one of the most important tools in security, especially when an organization is not in control of its data. But, as an industry, we’ve been ignoring a very real threat factor that comes with encryption. Namely, that malicious traffic can breach an organization’s security when masked with encryption. Encryption protects hackers as much as it protects a business.

The issue is exacerbated by the fact that we are rapidly headed toward ‘encryption by default’ on all major Internet properties—meaning traditional passive packet sniffers can’t observe what’s coming in. And as hackers continue to breach organizations, they are benefiting from it, even though they are not necessarily trying to leverage SSL/TLS encryption.

As such, organizations need to realize that they can’t know what is being obfuscated via encryption. From there, they can begin a conversation about how they can manage encrypted data and gain visibility into it to prevent an attack. Once the right people are involved and concerns are ironed out, the right technology can be set in place. Put simply, organizations can no longer think that because traffic is encrypted everything is safe.

We can’t protect what we can’t see
Encryption is one reason why data may not be visible, but increasingly, even when unencrypted, security teams simply do not have access to employee traffic. Gone are the days when employees leveraged corporate laptops connected to enterprise Wi-Fi to store data on in-house servers. Today, even when an employee is sitting at their desk they might be leveraging a personal device on a 3G/4G network to store data on Dropbox.

Security teams need to adapt to this new reality. We cannot assume that network traffic will travel a "preferred" path. We cannot have differing levels of security and visibility based on the device that an employee has chosen to employ and where they’ve decided to work today.

We don’t know what to look for
There seems to be a false assumption in security that we know what to look for and how to go about it when scanning for threats. But this is not the case. Traditional signature-based security controls just aren’t good enough. Further, threats are constantly evolving and hackers have grown savvy to what organizations are looking for. Ransomware, for example, has proven to be a blunt wake-up call for enterprises relying solely on static signature-based controls.

Even when an organization does know what to look for, there are encroaching factors that make this methodology less than optimal. SSL encryption makes knowing signatures pointless. Mobility means that traffic is not always within the scope of an organization’s control. And cloud-based services have created another space organizations don’t always have access to.

Security professionals need to be aware of this gap in knowledge and find ways to bridge it with tools that allow them to become aware of new and evolving threats as they happen. Only then can they be better at catching hackers banking on the use of traditional signature-based security models.

The need for a proactive approach
It’s apparent that security is not completely attuned to threats and their origins. What’s needed is a proactive stance, one that focuses on gaining visibility to break past encryption along with processes that screen and adapt to new threats as they happen. The enterprise cannot function under false assumptions that will only guarantee a breach down the line. So as you head into the sessions and solutions exposé at Black Hat (or read about them on Dark Reading), know what you don’t know and work to change that as much as possible. 


Michael Sutton has dedicated his career to conducting leading-edge security research, building world-class security teams and educating others on a variety of security topics. As CISO, Sutton drives internal security and heads Zscaler's Office of the CISO. Zscaler has built ...
User Rank: Ninja
7/27/2016 | 10:52:51 AM
a proactive approach

A proactive approach makes sense to me. Obviously hackers are proactive, so the only solution is to be a counter-puncher.
User Rank: Ninja
7/27/2016 | 10:50:57 AM

Encryption is just another overloaded word. Now people started thinking that once you have encryption you are good to go. Unfortunately that is not the case; if your end device is compromised, encryption could not help you.
User Rank: Ninja
7/27/2016 | 10:50:39 AM
Re: You do not know what you do not know
"the faster we realize we operate most of the time in the dark"

Good point. This is like unknown unknowns. Hard to make sense of, but it still needs to be part of the effort.
User Rank: Ninja
7/27/2016 | 10:48:33 AM
Re: Completely agree
"it's necessary to deal with the unknown and not only focus on what we know "

Good point. What we know is most likely not going to be a pain point.
User Rank: Ninja
7/27/2016 | 10:46:50 AM
Know That You Know Nothing

Know That You Know Nothing? Agree. That is how it needs to start. Make no assumption; check everything again and again.
User Rank: Ninja
7/26/2016 | 10:52:03 PM
You do not know what you do not know
This is such a true statement and a reminder for all of us that at all times and after each small victory against hackers the game is back on. Hackers will find new ways to get to the data they seek and will use zero-day threats, and all other technology at their fingertips - including encryption - to deceive and reach their goal. This seems like a dooming reality for IT security professionals, but the faster we realize we operate most of the time in the dark, the sooner we will get wise about searching for the unusual, the uncommon, the odd event.
User Rank: Apprentice
7/26/2016 | 1:51:47 PM
Completely agree
I 100% agree with your point of view, and according to me that's even a part of the definition of security: we must plan what we ignore, guess what we don't see and search what's hidden. In other words, it's necessary to deal with the unknown and not only focus on what we know. And then cross the fingers we did it well :). Socrates said "I know that I know nothing" and later Descartes advised to doubt everything to improve and be sure of what we consider as true. It could be a good method in security to avoid errors and do a perfect job.