Are there holes in your cybersecurity map?

You wouldn’t expect the mention of ancient cartographers, or famous names like Vespucci, to evoke thoughts of cybersecurity. But cybersecurity truths are like cyberattackers: they pop up in unexpected places. Recently, while reading Sapiens by Yuval Noah Harari, that’s precisely what happened. I was struck by the parallels between ancient cartography and modern cybersecurity.

In the chapter titled “The Marriage of Science and Empire,” Harari notes that ancient cartographers had only partial knowledge of the world. Their understanding of Asia and Europe was extensive. Yet, there were considerable sections of the world that they knew nothing about. Their belief that their information was complete led to misconceptions, inaccurately labeled discoveries, and missed opportunities.

Security professionals and even executives often fall prey to similar erroneous beliefs. As experienced and dedicated leaders, it’s easy to buy into the mentality that because we’re experts and know more than most people about a topic, we know all we need to know, and anything we don’t know isn’t important.

Attackers understand this phenomenon and probe relentlessly to map out the cybersecurity of an organization before they strike. Using this information, they determine the path of least resistance into your organization that results in the most reward. There is no reason to summit a digital mountain range if you can find the hidden mountain pass. As an organization, you can’t guard a security gap in your cybersecurity map if you don’t know one exists.

To stay ahead of attackers when mapping our external attack surface, we’d be well served to take a few key lessons from the adventurers who mapped the world.

‘I don’t know’ is the foundation of the future

Knowledge is power. This maxim has been accepted for centuries, but the source of the power is less well-known: it comes from an awareness of one’s own ignorance. Recognizing that “the unknown” exists grants us the ability to improve choices by seeking new information. Knowing there are “empty spaces” on the cybersecurity map motivates us to seek them out and make them known.

Ancient cartographers had many misconceptions about what existed in the world. Even the shape of the earth was a matter of debate. Yet, their maps never had any empty space.

Similarly, organizations need to recognize that their understanding of their IT environment has empty spaces. Many IT departments claim to fully understand what assets exist and how they interact, but few actually do. If you don’t acknowledge that there are things you don’t know, there is no reason to dedicate time and resources to discover or explore them. This is where attackers gain the upper hand as they work to discover and analyze your extended IT ecosystem and find the gaps.

Explore the empty spaces of your cybersecurity map

Know and protect your digital assets: that’s the mission of cybersecurity summed up in one sentence. I’ve noticed that organizations often focus more on the “protect” aspect than the “know” aspect. The belief that knowing is a secondary function is a fundamental misconception. A complete picture of your digital assets is the foundational piece of a healthy cybersecurity program because you can’t protect anything if you don’t know about it.

Many organizations know “most” of their IT assets and have a general idea of how they interconnect, but not the full picture. The holes in their knowledge leave huge gaps for attackers to step into, and prevent organizations from choosing and implementing the right security controls.

Attackers begin with an awareness that they don’t know your organization well, but that you probably have an incomplete or outdated cybersecurity map. So, they explore, looking for things that might be interesting — assets that belong to abandoned projects, solutions that integrate with partners, or misconfigured assets. As with explorers of the past, it is a race for discovery, as the first one to find a valuable resource is the first to lay claim. Whether that will result in remediation or exploitation depends on who gets there first.

Limited tools offer limited results

Ancient cartographers had limited tools, which prevented them from seeing a complete picture. Similarly, security professionals focus on specified, known areas or use a set of tools that can’t see the full map of their assets. They also aren’t able to fill in all the details like ownership and business purpose of assets, or create a prioritized list of the risks to those assets.

What often prevents security teams from knowing the unknown and seeing the full picture is that they approach the problem piecemeal, and only utilize their preconceived map. They typically combine disparate tools like network scanners, pen testing, and vulnerability scanners with “human glue” to integrate the siloed data and act on it. The challenge with all of those technologies is that they rely on the security team to designate which assets to scan or test, and the team is limited to the assets and entities that are already known to them.

Exploring helps us draw better cybersecurity maps

Like cartographers of old, we need to take steps to improve the maps that we have. Once we acknowledge there are things we don’t know lurking out there, and additional details that we need to uncover, we must explore to ensure a more accurate picture of our attack surface.

Legacy tools help organizations find and manage known attack surfaces, but organizations need to be forward-thinking like explorers to find any unknown assets and business relationships. Attackers pursue the path of least resistance and look for areas that are “empty spaces” on your map. Legacy technologies that only or mainly look for machines and websites within known boundaries not only don’t solve the problem — they worsen it by offering a false sense of confidence.

New ways of looking at the attack surface and mapping the full breadth of all the assets, known and unknown, will help fill in the true security map. By creating more in-depth maps, we uncover our security gaps, which is critical. You cannot protect what you cannot see.