Are there any holes in your cybersecurity map?
This article was contributed by Rob Gurzeev, CEO of CyCognito.
You wouldn’t expect the mention of ancient cartographers, or famous names like Vespucci, to trigger thoughts of cybersecurity. But truths about cybersecurity are like cyberattacks: they pop up in unexpected places. Recently, while reading Yuval Noah Harari’s Sapiens, that’s exactly what happened. I was struck by the parallels between ancient cartography and modern cybersecurity.
In the chapter entitled “The Marriage of Science and Empire,” Harari notes that ancient cartographers had only partial knowledge of the world. Their knowledge of Asia and Europe was extensive. Yet there were significant parts of the world that they knew nothing about. Believing their information was complete led to misconceptions, mislabeled discoveries and missed opportunities.
Security professionals and even executives often fall prey to similarly erroneous beliefs. As experienced and committed leaders, we can easily slip into the mindset that because we’re experts and know more than most people about a subject, we know everything we need to know, and anything we don’t know isn’t important.
Attackers understand this phenomenon and relentlessly probe to map an organization’s cybersecurity before they strike. Based on this information, they determine the path of least resistance in your organization that yields the most reward. There’s no reason to climb a digital mountain range if you can find the hidden mountain pass. As an organization, you can’t monitor a security hole in your cybersecurity map if you don’t know it exists.
To stay ahead of attackers, we’d do well to map our external attack surface and to learn a few key lessons from the adventurers who mapped the world.
‘I don’t know’ is the basis of the future
Knowledge is power. This maxim has been accepted for centuries, but the source of power is less known: it comes from a sense of one’s own ignorance. Recognizing that ‘the unknown’ exists gives us the opportunity to improve choices by seeking out new information. Knowing that there are “blank spaces” on the cybersecurity map motivates us to seek them out and make them known.
Ancient cartographers had many misconceptions about what existed in the world. Even the shape of the Earth was a matter of debate. Yet their maps never had an empty space.
Likewise, organizations must recognize that their understanding of their IT environment contains empty spaces. Many IT departments claim to fully understand what assets exist and how they interact with each other, but few actually do. If you don’t recognize that there are things you don’t know, there’s no reason to spend time and resources discovering or exploring them. This is where attackers gain the upper hand as they work to discover and analyze your vast IT ecosystem and find the gaps.
Explore the empty spaces of your cybersecurity map
Know and protect your digital assets: that is the mission of cybersecurity summarized in one sentence. I notice that organizations often focus more on the aspect of ‘protecting’ than on the aspect of ‘knowing’. The belief that knowing is a secondary function is a fundamental misconception. A complete picture of your digital assets is the foundation of a healthy cybersecurity program, because you can’t protect anything if you don’t know about it.
Many organizations know ‘most’ of their IT assets and have a general idea of how they are connected, but not the full picture. The gaps in their knowledge leave large openings for attackers to step into, and prevent organizations from choosing and implementing the right security measures.
Attackers start with the realization that they don’t know your organization well, but that you likely have an incomplete or outdated cybersecurity map. So they investigate, looking for things that might be of interest: assets that belong to abandoned projects, solutions that integrate with partners, or assets that are misconfigured. As with the explorers of the past, it is a race for discoveries: the first to find a valuable resource is the first to lay claim. Whether that leads to remediation or exploitation depends on who gets there first.
Ancient cartographers had limited resources, which prevented them from seeing the full picture. Likewise, security professionals focus on specified, known areas or use a set of tools that cannot see the full map of their assets. They also cannot fill in all the details, such as ownership and business purposes of assets, or prioritize the risks to those assets.
What often prevents security teams from knowing the unknown and seeing the full picture is that they approach the problem piecemeal, using only their preconceived map. They usually combine disparate tools such as network scanners, pen tests, and vulnerability scanners with “human glue” to integrate and act on the siloed data. The challenge with all those technologies is that they rely on the security team to point out which assets to scan or test, and the team is limited to the assets and entities that are already known to them.
Exploring helps us create better cybersecurity maps
Like cartographers of old, we need to take steps to improve the maps we have. Once we recognize that things we don’t know about are lurking, and that there are additional details we need to uncover, we need to investigate to get a more accurate picture of our attack surface.
Legacy tools help organizations find and manage known attack surfaces, but organizations must be as progressive as explorers to find unknown assets and business relationships. Attackers follow the path of least resistance and look for areas that are “empty spaces” on your map. Outdated technologies that only or mainly search for machines and websites within known boundaries don’t just fail to solve the problem – they exacerbate it by giving a false sense of trust.
New ways of looking at the attack surface and mapping the full breadth of all assets, known and unknown, will help fill in the real security map. By creating more in-depth maps, we uncover our security gaps, which is critical. You cannot protect what you cannot see.
Rob Gurzeev is the CEO of CyCognito.