During the last 3 decades since I started in IT and IT Security in 1991 with the Marine Corps, I was always taught to focus on the reportable outcomes of the defenses. As I later discovered - this wasn't necessarily the best approach. If we go only by what we see then we could potentially be missing a completely different vulnerability or exposure.
I'm going to use this image and the accompanying description as a guide for the rest of this discussion:
This is a picture tracking bullet holes on Allied planes that flew through Nazi anti-aircraft fire in WW2. At first, the military wanted to reinforce those areas, because obviously that's where the ground crews observed the most damage on returning planes. That was until Hungarian-born Jewish mathematician Abraham Wald pointed out that this was the damage on the planes that "made it home", and the Allies should armor the areas where there are no dots at all, because those are the places where the planes won't survive when hit. This phenomenon is called survivorship bias, a logic error where you focus on things that survived when you really should be looking at things that didn't.
Replacing the aircraft with your computing environment, think about where you are getting reports and where you aren't. Reports being detections or quarantines of malware, attacks, or what have you. Most likely you have coverage at the gateway, on your firewall, on your network, and on your servers, desktops, laptops, and other endpoints.
Perhaps you have also adopted some sort of mobile device management (MDM) for phones and other supported devices. But now comes the area without dots like in the picture - what is happening that you aren't seeing? How about those devices you can't install security on? You know, those connected IoT devices like printers, copiers, medical devices, point-of-sale systems, etc. But you already knew about these and have compensating controls in place...right? I hope so.
Did you also think about the smart lighting in your office or building? How about all those Bluetooth keyboards and mice? What about those smart TVs, video cameras, smart thermostats, HVAC and elevator controls in your building or lobby? Look, I could go on with creating a list of connected devices but the reality is we all know it's going to grow exponentially thus creating an even larger vulnerability in our already complex security infrastructure.
So what do we do? With so much out of sight or out of our control, how can we even begin to get control of this? We start to think outside the box. Think outside of what we were taught in our schools, classes and courses. Start with looking at the devices you have, your team members and coworkers. Of those devices, which ones can you positively identify as being secure, and which ones are you unsure of? Now think like an attacker - how would you compromise any of those devices to gain access to the network and then the data?
As part of an old security presentation I gave years ago in Vegas, I drew out a scenario where a hacker targets an executive's account by embedding code on the exec's Bluetooth-enabled watch. The code waits for a specific time in the middle of the night, auto-activates and searches for any email on the exec's connected phone having financial attachments. It then forwards any items found to an email address the attacker has pre-programmed. Once sent, it not only deletes the copy of the sent item(s) but also the app and any associated logs from the exec's account and devices, virtually erasing any trace that it was there.
Think about the above scenario for a minute. The smart watch has full access to the phone, which has also been granted full access to the email app, which is fully integrated and connected to the corporate mail server. Think about those dots! The email server is protected (dot), the phone is protected with MDM (dot), but what about the watch (no dot)? The hardest part of the attack would be getting the app on the watch...right? Wrong! A malformed URL in a browser or email could potentially install the app directly on the phone or possibly even the watch.
I know what some of you are probably thinking - "DLP would prevent this from happening". Are you sure? Aren't most Data Loss Prevention solutions already configured to allow the executive access to that data as part of their job? And more than likely nobody would give the event a second glance...unless they happened to notice the time of access and/or the recipient of the email.
What about a user behavior based solution...could it have prevented this? Maybe. But more than likely it would have only recorded the event and not have stopped it based on how your solution is configured (if you have one) - again no dot. Remember - the executive already has access to that information and depending on travel schedules or deadlines could normally be working at 2am.
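The one place the watch cannot clean up after itself is the mail server's own audit trail, and that is where a detection for the scenario above can live. The block below is an added example, not code from the original post: the log format, domain, executive account, "financial" keywords and business-hours window are all constructed assumptions, and it flags sends that combine several of the signals the post mentions (off-hours, external recipient, financial attachment, sent copy deleted right after).

```python
# Added example (not from the original post): run detection logic over constructed
# mail-server audit log lines. The client can delete its Sent copy and local logs,
# but the server-side audit trail still records the send, so we score on that.
import csv, io
from datetime import datetime, timedelta

CORP_DOMAIN = "example.com"                  # assumed corporate mail domain
WATCHED_SENDERS = {"cfo@example.com"}        # assumed executive accounts
FINANCIAL_HINTS = ("budget", "forecast", "invoice", "payroll", "q1", "q2", "q3", "q4")
BUSINESS_HOURS = range(7, 20)                # 07:00-19:59 local time

# Constructed sample log: timestamp,event,sender,recipient,attachment
SAMPLE_LOG = """\
2024-03-12T14:05:00,send,cfo@example.com,board@example.com,Q1-forecast.xlsx
2024-03-13T02:13:41,send,cfo@example.com,drop@mail-collector.test,Q1-forecast.xlsx
2024-03-13T02:13:58,delete_sent,cfo@example.com,drop@mail-collector.test,Q1-forecast.xlsx
2024-03-13T02:20:00,send,cfo@example.com,cfo@example.com,notes.txt
2024-03-13T09:30:00,send,staff@example.com,vendor@partner.test,invoice-1187.pdf
"""

def parse_log(text):
    fields = ["ts", "event", "sender", "recipient", "attachment"]
    rows = csv.DictReader(io.StringIO(text), fieldnames=fields)
    return [dict(r, ts=datetime.fromisoformat(r["ts"])) for r in rows]

def score_events(events, delete_window=timedelta(minutes=5)):
    """Return (sender, recipient, attachment, score, reasons) for suspicious sends."""
    findings = []
    for e in events:
        if e["event"] != "send" or e["sender"] not in WATCHED_SENDERS:
            continue
        reasons = []
        if e["ts"].hour not in BUSINESS_HOURS:
            reasons.append("off-hours")
        if not e["recipient"].endswith("@" + CORP_DOMAIN):
            reasons.append("external-recipient")
        if any(h in e["attachment"].lower() for h in FINANCIAL_HINTS):
            reasons.append("financial-attachment")
        # Client-side cleanup: the Sent copy vanishes shortly after the send.
        if any(d["event"] == "delete_sent" and d["sender"] == e["sender"]
               and d["attachment"] == e["attachment"]
               and timedelta(0) <= d["ts"] - e["ts"] <= delete_window for d in events):
            reasons.append("sent-copy-deleted")
        if len(reasons) >= 3:   # a single signal is normal exec behaviour; several are not
            findings.append((e["sender"], e["recipient"], e["attachment"], len(reasons), reasons))
    return findings

if __name__ == "__main__":
    for f in score_events(parse_log(SAMPLE_LOG)):
        print(f)
```

Only the 02:13 send to the external address trips all four signals; the legitimate 14:05 send to the board and the 02:20 note-to-self each carry a single signal and stay quiet, which is the point of scoring rather than alerting on any one of them.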
The reality for most IoT devices is that they aren't secured and have open connections with default passwords. Here's an example of what I'm talking about: I was recently going through my wife's Bluetooth connection in her car. It took a little bit of searching, but I was able to find the settings to change the name and default passcode. Why isn't this setting more easily accessible? Why is it buried deep in the menu options? Better yet...why isn't it something you're given the option or even forced to change upon first use?
So now that I've painted a couple of scenarios, perhaps a little grim, I want you to go back to thinking about what you are not seeing. Is it because your security up to and around those areas is so great that nothing ever happens there? Oh wouldn't we love to think so! Or maybe you don't have anything covering that blind spot that you didn't think of until just now. Hopefully you are thinking about this.
As I stated earlier, think outside the box. Take an inventory and then think like an attacker. How would you compromise your environment? Make it a challenge for your internal IT and security teams to figure this out. Because if you can answer that question - you'll find your plane has more dots than you ever imagined.
Let me know if you've found any new dots. You don't have to tell me what they are...just whether you found them or not.