Unpredictability and Predictability in security.

I am tasked with coming up with which is more important in terms of security, if possible, in cyber security.

After reading through several articles on cyber security, I noticed that many of the examples used fall under predictability, as most security engineers are dealing with known threats throughout the cyber world. However, is it possible to classify them as part of unpredictability as well, since it is impossible to know when an attacker will attack, how he/she will attack, and how many resources he/she will use?

Like a vaccine, you would not know when you will get sick, therefore, having regular vaccine shots will keep you safer, in a sense.

However, similar to cyber security, if we are to discuss unpredictability, we will not know what new kinds of attacks are developed and whether our current defending system can defend against such new attacks.

In my opinion, unpredictability is without a doubt the more important factor compared to predictability. How am I to go about debating and explaining this? Are there any references that I can look into to understand more about this factor?

P.S. Such a good question, yet it is closed

Zac
  • I disagree, in my opinion, you're more likely to get downed by something that is known about than a zero day – Arlix Nov 04 '15 at 16:47
  • First - you have to define what "more important" means. – schroeder Nov 04 '15 at 16:56
  • @schroeder More important in the sense of which is more urgent, which will cause more damage than the other, or any factors that can be used in comparison between these 2 points – Zac Nov 05 '15 at 04:26

2 Answers

What might help you is to look through InfoSec Risk Frameworks (NIST 800-39, 800-30 r1, ISO 31000, etc.) and see how they deal with the concept of "Likelihood" in terms of assessing risk.

You might also gain some insight by looking at Bayes' Theorem. It's a massive topic, but it is a great way to gain a foothold in understanding how the unpredictable affects the predictable.

You also have to define what you want to do with the unpredictable/predictable. Why make the distinction? How does it help an InfoSec professional? If you can't predict something, how do you suppose to account for it?

schroeder

I think this is an example of an "incorrect question". It's kind of like asking which is more important: water or food. One is more urgent but if you don't have both you'll be in trouble.

Known vulnerabilities are urgent. As soon as they are published, attackers will be racing to exploit them. You need to be racing to mitigate or eliminate them.

When you aren't actively addressing known threats, you should be working to bolster your resistance to unknown threats. These could include zero-day vulnerabilities but they also might include bad actors within your organization or those from the outside who have previously compromised security and gained unauthorized access. The main activity here is moat-building, e.g. not running server applications with root authorities.

JimmyJames
  • I don't see it as an incorrect question, it's just a question that needs context. Your water or food question can be answered, given enough context. "What's more important, water or food, when taking a 2 day trip across a desert?". The same applies here. What's the context? – Steve Sether Nov 04 '15 at 18:30
  • Can you think of a non-artificial security context that would create a meaningful difference? The only thing I can think of is something like "we know we are subject to N vulnerabilities, should we do something about that or work on trying to address unknown risks." In that context the known vulnerabilities are clearly more important (urgent) but that was really the point of my answer above. – JimmyJames Nov 04 '15 at 18:52
  • It's an important question in terms of assessing historical risk. i.e. "How many of the exploits we've been vulnerable to were known exploits at the time, and how many were unknown". If you're subject to a lot of unknown threats, you should be doing a better job of trying to identify unknown threats. My point is really a more general one that you shouldn't just simply dismiss the question as incorrect, as it depends on context. – Steve Sether Nov 04 '15 at 19:33
  • And more generally, not being able to invent meaningful contexts isn't really a valid reason to dismiss the question. Filtering on ignorance leads to maintaining the status quo. – Steve Sether Nov 04 '15 at 19:34
  • My point basically boils down to this: the way this question is asked paints a picture of an environment where there is a camp arguing for focusing on known risks and the author is alone or in another camp arguing for focusing on unknown risks. That the author is putting effort into figuring out "to go about debating and explaining" implies a larger problem as both are crucial. You can make up for a lack of focus in one area with more focus in the other. – JimmyJames Nov 04 '15 at 22:33
  • Saying it is an "incorrect question" is not meant to dismiss the larger concern. What it means is that it is based on a false or questionable presumption. A completely stupid example would be if I asked whether you wanted me to punch you in the left eye or your right eye. Your true desire is likely neither but the question is presented as a dichotomy. – JimmyJames Nov 04 '15 at 22:39
  • It's tempting to make up a context when presented with questions without context. It's not really appropriate though. Personally I don't see the two camp context you're envisioning. – Steve Sether Nov 04 '15 at 22:42
  • Hello all, I first want to thank everyone for their opinions, very much appreciated. I missed the point that known vulnerabilities are as important and dangerous as well, since they are known to all attackers for exploitation. Before reading everyone's comments, I thought unpredictability was the more important issue as we do not know what we are facing; however, after reading everyone's comments, I now have a balanced point of view. – Zac Nov 05 '15 at 04:25
  • @Zac I think you are confusing the "unpredictable" with the "unknown" – schroeder Nov 05 '15 at 04:31
  • @schroeder please enlighten me – Zac Nov 05 '15 at 08:40
  • @Zac you can predict the unknown, and the known can be unpredictable – schroeder Nov 05 '15 at 15:48