We don’t know what we don’t know

Citing the latest cyber security statistics is a popular way for security companies to show that they are keeping a watchful eye on the threat landscape. Where does the majority of threats come from? What industries are being targeted? Which countries are involved? Which mobile OS is better? We want answers to these and dozens of questions more, and we want those answers in nice, concise, tweetable metrics.

But the problem is that we simply don’t know. Sure, some companies claim to know, but here’s a secret: they’re wrong. They might know something, probably even a lot, but not everything.

Various CERT organizations, for example, often know more about security issues than most companies because that’s what they do: they track security issues – vulnerabilities, exploits and incidents.

Still, even they don’t know what they don’t know, because not everyone needs to or wants to report what they know to a CERT, not all vulnerabilities have been discovered, not all exploits have been dropped, and not all incidents are reported.

Yes, we’re all trying, and every data point helps. But are 59 percent of cyber security incidents unintentional? No, 59% of reported incidents are unintentional. That’s probably because it’s relatively painless to report that you made a mistake – some companies may even reward you for it. Still, not everyone will report their incidents to the same organization, and a good method of information sharing between organizations, industries and nations is still absent.

Are there six new malware samples created every 6 seconds? Several sources claim that there are six new malware samples captured every second, but there may be more that remain uncaught. We know as much about the true murky depths of malware in the wild as we do about what lies at the bottom of the Earth’s oceans.

As Albert Einstein once said, “If we knew what it was we were doing, it would not be called research, would it?”

Ironically, one of the world’s great malware research labs was recently breached by hackers who wanted to gain an offensive advantage by learning more about the firm’s security solutions’ detection capabilities. Is this a first-time-ever event? Surely other research facilities have also been targeted. Have they been successful in their defense, or are they simply unaware of their exposure? Don’t forget that malware is sophisticated these days. In fact, it’s so sophisticated we don’t even know how sophisticated it is.

The truth is that our current state of knowledge on cyber security is transient. Like a mayfly, we have a very short time to understand our surroundings and to learn. When we glance at the latest threat maps from companies like Norse (which admittedly are fun to watch), what we learn from them fades just as soon as we turn our heads.

Our adversaries are always changing, evolving. The targets change, and the vectors shift, branching out or converging. It’s a research project of truly epic proportions and everything we learn is quickly outdated.

Luckily, unlike the poor mayflies, we get to live another day and gain a collective experience that makes it a little bit easier to figure things out this time, and then easier still the next time. Thanks to the organizations and individuals mentioned here – the CERTs, labs, analysts and innovators – our defensive capabilities are evolving, too.

But even cyber security’s venerable and respected long-beards don’t know everything. Unlike the laws of nature, cybercriminals are actively trying to elude us.

My advice? Remind yourself every day that you don’t know what you don’t know, and let your imagination become the greatest source of threat intelligence in your cyber security arsenal.

Share this