"No known exploits in the wild..."

Tuesday, November 13, 2012

Rafal Los


These days you can't open your email box or scroll through Twitter without reading of some new exploit against a system or platform you depend on. You'd think that when I read that there are "no known exploits circulating in the wild" I'd be excited or at least relieved, right? Not so much ... here's why.

Any time I see someone write, or hear someone say, that there are "no known exploits in the wild," I cringe a little.

While on the one hand it's good that the people who are doing the detecting haven't found anything or anyone out there actively exploiting your Java install with today's sandbox bypass, it gives me pause to ask whether it's because there isn't anything out there ... or if it's simply not being found.

Outside the ring of seasoned security professionals, the phrase "not known to be exploited in the wild" is dangerous. Why? Simple - people who don't know to think past the word "known" may assume that it's OK not to take precautions against this exploit du jour. It's been said many times before, but the good attacks are the ones you catch when someone becomes patient zero, while the best attacks are the ones where no one figures it out until much, much later.

So should you take precautions (notice I didn't say "worry about") against the exploit du jour? Of course.

The detection mechanisms we have available to us, by nature, necessitate a patient zero. Like in medicine, someone has to be the first to get sick so we can detect and respond; otherwise the bug is just floating around in the air being menacing. The problem in cyberspace, much as with real-life illness, is that if it's out of sight, it's out of mind. Defensive security professionals are busy worrying about *active threats*, so a potential threat isn't much bother until someone can tell them there is reason for alarm. Phrases like "not known to be exploited in the wild" can have the unfortunate consequence of allowing people who are already overloaded on 'security' worry to put it out of their mind and get back to more relevant "right now" risks.

It's human nature, and just the way we are wired... I know I can feel some of that in myself when I hear that phrase. I guess I would change it to be slightly more effective (or harder to dismiss) by adding "at this time" at the end of the sentence - although I doubt it would make too much of a difference.

This is just something to think about, as you read the newswires, talk to your colleagues and leadership - keep this bit of psychology in the back of your mind. I'd love to hear how it impacts you, and whether you feel that it has the same effect on you that it does on me?

Cross-posted from Following the White Rabbit
