“…As we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns – the ones we don’t know we don’t know. And … it is the latter category that tend to be the difficult ones.” – Donald Rumsfeld
Don’t worry, you’re not drunk – the title of this post is rather confusing to read at first but once I’ve put it into context you’ll start to see the relevance to this blog.
The “known knowns” phrase comes from the former US Secretary of Defence, Donald Rumsfeld, in response to a question about WMDs and terrorists. So how does this relate to IT in any way? Well, for IT security, I see it as analogous to how network administrators should view the security of their infrastructure. We can separate out threats along these lines and make sure our focus stays on the areas we feel pose the biggest threat to our organisations.
My view is that threats fall into the categories below:
- Known knowns – we know about these threats. They are well documented and standard procedures exist to mitigate them. Because they are well known, they are likely to be the most commonly observed threats.
  - Examples: identified exploits, common attack methods (e.g. CAM overflow, DHCP attacks etc.), insecure passwords and unencrypted communications, rogue access points
  - Can be mitigated by: signature-based AV, firewalls, patching, enabling DHCP snooping, password policies, using secure protocols in place of less secure ones, and so on
- Unknown knowns – we know these types of threats exist, but not their exact nature, because they are constantly evolving.
  - Examples: AV-evading viruses, undocumented vulnerabilities, spam emails carrying previously unseen malicious payloads that circumvent AV detection, spear-phishing attempts
  - Can be mitigated by: behaviour-based AV, web filtering (with updated blacklists), user awareness training to spot suspicious emails
- Unknown unknowns – we don’t know the nature of the attack, nor when it would occur.
  - Examples: zero-day attacks
  - Can be mitigated by: keeping on top of the latest IT security news so you can react quickly, and ensuring policies are in place to handle such situations
  - And by ensuring access is locked down on an as-needed basis, with correct segmentation between business functions
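Two of the “known known” mitigations named above, DHCP snooping and defending against CAM table overflow, are switch configuration rather than policy. The following is an added example of what that looks like on a Cisco IOS access switch; it is not configuration from the original post, and the VLAN number, interface names and rate limits are assumed values for illustration.

```cisco
! Added example (not from the original post). Assumes user VLAN 10,
! access ports Gi1/0/1-47 and a single uplink Gi1/0/48 towards the
! distribution layer where the legitimate DHCP server is reached.

! DHCP snooping: only the trusted uplink may send DHCP server replies,
! so a rogue DHCP server plugged into an access port is dropped.
ip dhcp snooping
ip dhcp snooping vlan 10
! Do not insert option 82 unless the DHCP server is configured to expect it
no ip dhcp snooping information option
!
interface GigabitEthernet1/0/48
 description Uplink to distribution (path to DHCP server)
 ip dhcp snooping trust
!
! Access ports are untrusted for DHCP (the default) and rate limited so a
! host flooding DISCOVERs is err-disabled rather than exhausting the switch.
! Port security caps learned MACs per port, which blocks the CAM overflow
! technique of flooding thousands of bogus source addresses.
interface range GigabitEthernet1/0/1 - 47
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 15
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security aging time 5
 spanning-tree portfast
!
! Log violations centrally so the SOC sees them as part of the known-known picture
logging host 192.0.2.10
```

After applying this, `show ip dhcp snooping` should list VLAN 10 as enabled with Gi1/0/48 as the only trusted interface, and `show port-security interface GigabitEthernet1/0/1` should report a maximum of 2 addresses with the restrict violation mode. The `restrict` mode was chosen over `shutdown` so that an over-limit port keeps serving its legitimate hosts while still dropping the excess addresses and raising a log entry; if your policy prefers to isolate the port entirely, `shutdown` plus `errdisable recovery` is the alternative.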
By stacking security controls in this modular way you’re able to progressively approach a level of risk that matches your organisation’s appetite. You’d start off with a firewall to control access into and out of the network, bringing your risk down considerably, but perhaps not to an acceptable level. Then you might deploy an AV solution on the end devices. After that, you might incorporate web filtering and spam protection to block access to malicious sites and emails. By now you’ve potentially reduced the risk to a satisfactory level for your organisation – but there is certainly more that can be done if you want to lower it further. You might then consider IDS or IPS to mitigate even further, all depending on your acceptance of the risks and the potential damage that may follow if an attacker is successful.