The Unknown Unknowns


I recently attended Robotex 18 in Tallinn, Estonia, and watched a very interesting talk given by Koen Maris, CTO of Cyber Security at Atos. His talk seemed mildly inspired by Donald Rumsfeld’s quote, “There are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns — the ones we don’t know we don’t know.” Of course, it’s towards the end of that quote where the concern lies, so how do we defend against the unknown unknowns?

Mr. Maris spoke of the good, the bad, and the unknown, and how our goal should be to reduce the unknown by learning as much as we can about the good and the bad. We can defend ourselves far better against what we know. He explained how classic cyber security defenses are perimeter-based, focusing on preventing attacker entry while paying less attention to detecting and mitigating attacks already taking place. A perfect example of why this matters surfaced just last week (Nov ’18) in the Marriott Hotel data breach, in which attackers were present in the systems of Starwood Hotels and Resorts (bought by Marriott in 2016) for four years before being detected, exposing 500M customers’ details.

No doubt there was investment in stopping attackers getting in, and some effort was made to encrypt credit card information, but one must assume there was little focus on detecting attackers already inside the system. The latest thinking appears to be Zero Trust security/architecture: assume your databases have already been breached and there are attackers on your network. If you assume this, you should be spending time and money looking for anomalies and identifying the intruders.

Zero trust reminds me of something I came across when working in Oil and Gas operations. I was told by a client I should have “chronic unease”, which, to me, seemed a lot like anxiety, but anxiety with a purpose. We were told we should all have chronic unease; the feeling that we might kill someone at any minute due to a mistake we’ve made on the oil rig. Zero trust – the feeling that someone is already inside the house, and by not looking for them, we’re at fault.

Maris suggests, as does NIST for the most part, that cyber security investment should be split almost equally between prevention, detection, and remediation, which fits well with Zero Trust. Another idea to consider is that data is “radioactive”; it should be treated with extreme care, only by those suitably trained to handle it, and you should keep as little of it around as you can. This point appears contradictory to another school of thought that sees data as the “new oil”. Ten years ago, five of the top ten largest companies were Oil and Gas, with just one being digital tech (MS). Now, there isn’t an Oil and Gas company in the top ten, and the list now contains seven tech giants.

Assuming capitalism is alive and well, data, like oil, will be drilled for as much as possible. That’s unavoidable for now. But we should still see it as “radioactive”: once leaked, it is impossible to clean up. Technologies such as Sharemind can facilitate data analysis and querying without the need for decryption, meaning the data never needs to exist in unencrypted form. Leaked or not, the data is useless to an attacker who may be in the system. With strong two-factor authentication that keeps the keys off the system, like SplitKey, lateral movement within the network becomes strained.

These are just two kinds of technologies that can limit the damage done by someone already in the system, but as Bruce Schneier said, “If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology”. Technology is just one piece. The right tech can help protect our data, but without the right attitude towards that data and how we actually secure it, we’re going to struggle.

@MaxCvdP


This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.
