
6/4/2021 10:00 AM
Matt Shea
Commentary

What the FedEx Logo Taught Me About Cybersecurity

Cyber threats are staring you in the face, but you can't see them.

Negative space is not a common term, but if you spend any time studying company logos or graphic design, you will hear it. "Negative space" is the space between and around objects in design. Talented artists look for opportunities to create additional meaning or hide Easter eggs when creating logos, choosing fonts, and spacing letters in the company name. 

One of the more famous examples of negative space is the FedEx logo. The logo's design team realized that by picking a specific font and letter spacing, they could create an arrow between the letters E and X. An arrow is the perfect symbol for a company that's always in motion delivering products to customers. The story goes that at the first design review, only the CEO immediately saw the arrow and the rest of the team missed it. Maybe, even after all these years, you have missed it as well.

Credit: Pixiellogo


Many see what they expect to see and miss what is staring them in the face. Since they aren't viewing things in full context, people experience something like the FedEx arrow and other negative-space objects as a blind spot. Once someone points out the negative space, people's blind spots usually disappear so that they can see the whole picture.

Cybersecurity vs. the Blind Spots
Cybersecurity is rife with blind spots, but the consequences have more serious impacts than missing a hidden marketing message. In cybersecurity, there is a constant war to find the next attack, whether from financially driven hackers or adversarial nation-states, before it's too late. To counter these attacks, many companies do what they think they are supposed to do: build up a library of known attacks, also called signatures. Then they compare network traffic or event logs to these signatures to try to match previous events to what is happening now on the network.

This approach was somewhat successful initially, but hackers quickly varied their attacks to avoid matching known signatures. The cybersecurity industry responded with pattern matching and complicated attempts to interpolate from what has happened before and determine whether an attack closely resembles anything already seen. It's a statistical rolling of the dice, sometimes using tools such as neural networks.

Pursuing larger and larger signature and rule sets comes with ballooning costs and runtime inefficiencies. Marketing tries to spin this as a good thing, pitching the biggest, largest, or most complex database (or data lake) of past known signatures with a "bigger is better" value proposition. Weekly updates lend even more false assurance that you are constantly protected. 

Zero-Days Undermine the "Bigger is Better" Approach
The problem is that this approach has a blind spot: the bad guys are using adversarial artificial intelligence (AI) to develop attacks that don't match historical signatures in any way and won't be detected with signature or signature-variant approaches.

These novel attacks are exemplified by the SolarWinds attack in late 2020 and other "zero-day" attacks, so called because they are not known before they are put on the threat list. Cybersecurity vendor FireEye said it could not effectively alert on the SolarWinds attack because the hackers "used a novel combination of techniques not witnessed by us or our partners in the past." Therefore, the attack was able to bypass its defenses.

So, how do you find something if you don't know what it, or something close to it, looks like?

Just like the FedEx logo, the answer is staring you in the face. The solution is to change how you are seeing everything you are looking at.

In cybersecurity, this means that to identify threats you've never seen before, you must change how you are looking for threats. Rather than looking for what you think is an attack, examine everything that is not normal behavior. If you elevate what isn't normal, you will examine all anomalies, including attacks that you have and haven't seen before.
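
The contrast described above, as an added example that is not part of the original article: a signature matcher and a baseline-deviation check run over the same constructed events. All hosts, process names, destinations and function names here are hypothetical.

```python
from collections import Counter

# Constructed sample data: (host, process, destination) seen during a "normal" window.
BASELINE = [
    ("web01", "nginx", "10.0.0.5"),
    ("web01", "nginx", "10.0.0.5"),
    ("web01", "updater", "updates.vendor.example"),
    ("db01", "postgres", "10.0.0.9"),
    ("db01", "backup", "10.0.0.20"),
]

# Constructed signature set: indicators taken from previously seen attacks.
SIGNATURES = {"process": {"dropper.exe"}, "dest": {"bad-c2.example"}}

# Constructed events to evaluate.
TODAY = [
    ("web01", "nginx", "10.0.0.5"),            # routine traffic
    ("db01", "dropper.exe", "10.0.0.9"),       # matches a known signature
    ("web01", "updater", "cdn-sync.example"),  # trusted process, never-seen destination
    ("db01", "backup", "10.0.0.21"),           # benign change: new backup target
]


def signature_hits(events):
    """Return events whose process or destination matches a known indicator."""
    return [e for e in events
            if e[1] in SIGNATURES["process"] or e[2] in SIGNATURES["dest"]]


def build_baseline(events):
    """Count how often each (host, process, destination) tuple occurred."""
    return Counter(events)


def anomalies(events, baseline, min_seen=1):
    """Return events seen fewer than min_seen times in the baseline window."""
    return [e for e in events if baseline[e] < min_seen]


if __name__ == "__main__":
    print("signature hits:", signature_hits(TODAY))
    print("anomalies:     ", anomalies(TODAY, build_baseline(BASELINE)))
```

The baseline check surfaces the known-bad event and the never-seen destination, and also the benign new backup target, so its output is a triage queue rather than a list of verdicts.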

Just like in real life, sometimes seeing an arrow you don't expect will point you in the right direction.

Matt Shea serves as Head of Federal for MixMode, which is a "Third Wave AI" (by DARPA) company with products in cybersecurity. With over 20 years of experience in the technology space, Matt has concepted, architected, and developed groundbreaking solutions that blend ...
Comments
John-Roy
6/7/2021 | 6:00:54 PM
My Mantra
What about this quote?

there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns—the ones we don't know we don't know.

Donald Henry Rumsfeld