Cybersecurity Is Full Of Secrets

An Archaeological Expedition To Uncover Artifacts


Secrets Are To Be Discovered

In Peter Thiel’s book, Zero To One, one thing he asserts is the notion that there are secrets everywhere and it’s up to us to discover those secrets. When there are no secrets, we can become complacent or, worse, make drastic mistakes.

The mathematical relationship between a triangle’s sides, for example, was secret for millennia. Pythagoras had to think hard to discover it.

Thiel, Peter; Masters, Blake. Zero to One: Notes on Startups, or How to Build the Future (p. 92). Kindle Edition.

Secrets In Cybersecurity (Not API secrets 😅)

Well, the field of cybersecurity is chock full of secrets. There are undiscovered vulnerabilities everywhere. In fact, we sometimes call them known and unknown vulnerabilities.

Known Vulnerabilities

For example, a known vulnerability like the Apache exploit could be known by millions of people. Of course, it may not be known to the System Administrator, which makes it their responsibility to always be apprised of any known vulnerabilities within their ecosystem.

Unknown Vulnerabilities

There are plenty of unknown vulnerabilities as well. Zero days are the most well-known version of these, where a vulnerability exists but is not known to anyone, or is known to just a few nation-state actors or adversaries willing to pay $MM on the grey market for them. (Yes, these exist and are known!)

Unknown Unknowns, We Are Archaeologists

There are also the unknown unknowns. These are known vulnerabilities hiding in plain sight, but not yet documented or revealed to the owner. This is where security people come in and do assessments. It’s basically an archaeological exercise where security practitioners dig through dirt and uncover hidden gems and artifacts (vulnerabilities).

These gems vary in size (severity), rarity (exploitability), and value (impact). Not only that, but just like archaeological artifacts, they will vary in impact, severity, and exploitability based on their environment (company size, industry, type of data) and geo-location (internal, external, accessibility, etc).

Just like in archaeology, sometimes the more we dig, the more we find! Sometimes we find nothing but dust.

Responsibility to Disclose

Whether you disclose your newly discovered artifact to the world, or hide it and sell it to an art dealer, depends on your ethics and often your employer, just like in cybersecurity. However, for the sake of argument, let’s talk about the normies who work in Information Security.

Our job as security professionals is to discover, verify, and triage issues. This is the minimum. Sometimes we are responsible for fixing them as well; however, this can get tricky, as we are often not able to directly fix the problem (the industry is changing, though).

Delivering The Bad News

Security people are often in a position where we are the bearer of bad news, just like a doctor that has to tell a patient an unpleasant diagnosis.

Just like a doctor, though, we are responsible for providing options and clarity regarding the vulnerability in a language the audience can understand. Oh, and we need some bedside manner too!

For a patient, it’s plain English.

In cybersecurity, it may have to be interpreted in multiple languages simultaneously, depending on the audience:

  • If it’s Engineering, it would have to be in technical terms, time to remediate, and impact to current workflow.

  • If it’s Sales, it would have to be how could this affect our likability score or competitive answers. Or simply, will this be a “No” on a questionnaire.

  • If it’s to the Business, it may need to be in terms of how much will this cost, how will it impact product roadmap, and what happens (or what’s the cost) if we decide not to fix it.

  • For the Board, it could be why was this not addressed, or how could it negatively affect the valuation of the company.

Delivering the same information can vary depending on the recipient.

Summary

There are many facets to being a security professional today. Not only that, but our job is epigenetic and varies based on our industry, company stage, data handled, and of course the people we work with. Our success depends on a number of factors, but requires an immense accumulation of social, experiential, and technical skills.

In a future article, I will go more in depth about the courage to disclose vulnerabilities, speak up when necessary, and how to do so with tact. Here is some reading for you: Resistance (with a capital R)

and now, here is your moment of zen…

If you liked this post, feel free to share on LinkedIN, socials, or fwd to friends. It would mean a lot to me.

Hope you had an amazing weekend and have a great week!

-Ayman
