AlgoBuzz Blog

Everything you ever wanted to know about security policy management, and much more.


Knowing you don’t know what you don’t know


Working in IT, you’ve no doubt heard – and said – the phrase “we don’t know what we don’t know” more than a few times. Yet many technical and business professionals have convinced themselves that they truly have complete visibility into their network environment. They’re fooling themselves.

Mature IT, security, and business professionals know that no matter how much money you’ve invested in security, the reality is you cannot fully know where and how your business is at risk. So it’s up to you to find the gaps so that these risks can be properly mitigated or, ideally, eliminated.

So, how do you go about doing that? Well, if you want to find everything that matters, you’ll need more than basic configuration checks, vulnerability scans, and control audits. Here is a list of what I believe you should focus on to find most of your network security risks:

  • In-depth vulnerability and penetration testing. I’m not dismissing basic vulnerability scans or narrowly scoped penetration tests, but they leave too much on the table. You still need formal – end-to-end – testing of your network environment. This means looking at your external-facing systems, cloud systems, and your entire internal network. Basic vulnerability scans still have a place: run them consistently in between your formal vulnerability and penetration testing exercises to catch any obvious gaps.
  • Firewall configuration audits. Looking at your firewall rulebases is a great complement to your formal vulnerability and penetration testing. This exercise can find weaknesses and direct exploits in your firewall systems that you may not otherwise know about. This is especially true for complex environments containing multiple firewalls with hundreds of rules each.
  • Security operations reviews. This exercise will uncover gaps in your IT management processes, people, and other areas related to the “soft” side of security. Many of these gaps lead directly to the technical vulnerabilities you will find in the previous two exercises, so this is really important.
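As an added example (not from the original post) of the kind of automated check that supports a firewall rulebase audit, the following Python script runs over a constructed sample rulebase and flags two classic defects: allow-anything rules, and rules that are shadowed by an earlier rule and so can never match under first-match evaluation. The rule fields and the `any` convention are assumptions for the example, not a specific vendor's format.

```python
"""Audit a first-match firewall rulebase for permissive and shadowed rules."""
import ipaddress

ANY = "any"  # assumed wildcard convention for the example

def _field_covers(outer, inner):
    """True if scalar field `outer` (proto/port) matches everything `inner` matches."""
    if outer == ANY:
        return True
    return inner != ANY and outer == inner

def _net_covers(outer, inner):
    """True if address field `outer` contains every address in `inner`."""
    if outer == ANY:
        return True
    if inner == ANY:
        return False
    o = ipaddress.ip_network(outer, strict=False)
    i = ipaddress.ip_network(inner, strict=False)
    return i.version == o.version and i.subnet_of(o)

def rule_covers(earlier, later):
    """True if `earlier` matches every packet `later` would match."""
    return (_net_covers(earlier["src"], later["src"])
            and _net_covers(earlier["dst"], later["dst"])
            and _field_covers(earlier["proto"], later["proto"])
            and _field_covers(earlier["dport"], later["dport"]))

def audit_rulebase(rules):
    """Return (rule_index, finding_kind, detail) tuples for each defect found."""
    findings = []
    for idx, rule in enumerate(rules):
        if rule["action"] == "allow" and all(rule[f] == ANY for f in ("src", "dst", "dport")):
            findings.append((idx, "permissive", "allows any source to any destination on any port"))
        for prev in range(idx):  # first-match: an earlier covering rule makes this one dead
            if rule_covers(rules[prev], rule):
                findings.append((idx, "shadowed",
                                 f"never matches; fully covered by rule {prev} ({rules[prev]['action']})"))
                break
    return findings

# Constructed sample rulebase for demonstration only.
SAMPLE_RULES = [
    {"action": "allow", "src": "10.0.0.0/8", "dst": "10.1.1.10/32", "proto": "tcp", "dport": 443},
    {"action": "deny", "src": ANY, "dst": "10.1.1.10/32", "proto": "tcp", "dport": 22},
    {"action": "allow", "src": "10.2.0.0/16", "dst": "10.1.1.10/32", "proto": "tcp", "dport": 443},
    {"action": "allow", "src": ANY, "dst": ANY, "proto": ANY, "dport": ANY},
]

if __name__ == "__main__":
    for idx, kind, detail in audit_rulebase(SAMPLE_RULES):
        print(f"rule {idx}: {kind}: {detail}")
```

Real audits also need to account for rule ordering across zones and for partial overlaps; this check covers only full coverage by a single earlier rule.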

You then take all these practices and work them into your overall security program to provide you with the ongoing visibility you need. Put each of these things on your to-do list and ensure that each area is addressed on a periodic and consistent basis. The reason you want to do this is not just to find security gaps so you can minimize the associated business risks, it’s also so that you can demonstrate due care – that you are doing what’s reasonably expected of any business. This will prove beneficial if a security incident or confirmed breach occurs. The last thing you want is an investigation to discover that you did nothing – or very little – leading up to the network event (which is the case in many of the big breaches that we hear about, and the smaller ones too). I always talk about the importance of getting people outside of IT on board with security initiatives, and this is a big reason why.

The late Richard Carlson, author of the popular Don’t Sweat the Small Stuff book series, once said “It’s critical to remember that if you go on doing what you’ve always done, you will go on getting what you’ve always gotten.” Understanding where things stand with your network security doesn’t have to be that complicated if you do the right things and you do them repeatedly. It’s no different than performing maintenance on your car or doing what’s right in terms of diet and exercise for your own body. If you want positive outcomes – truly knowing what you don’t know – then you must be willing to put in the work to find out just what that is.
