The Null Hypothesis: A Wrench in the Works of Vulnerability Scanning
How a core scientific principle (The Null Hypothesis in Cybersecurity) exposes flaws in traditional security & points toward a smarter, data-driven defense.
What is the Null Hypothesis? 🧐
In scientific research, the Null Hypothesis (H₀) is the default assumption that there is no relationship between two measured phenomena. It’s the “statement of no effect.” For a new drug to be deemed effective, researchers must first disprove the null hypothesis that the drug has no effect. This principle is akin to the legal concept of “innocent until proven guilty.” You start with the assumption of no guilt (or no effect) and then gather evidence to the contrary.
In cybersecurity, the process of gathering evidence is critically important. The ISC2 emphasizes that without robust digital forensics practices, many cyberattacks would go unnoticed or remain misunderstood. While it is common for cybersecurity professionals to engage in this kind of evidence gathering, too often the diagnosis of a cybersecurity issue begins and ends at the first step: the vulnerability scan.
The Vulnerability Scan: A Flawed Premise?
Vulnerability scanning operates on a principle that is, in many ways, the opposite of the Null Hypothesis. It essentially assumes guilt. A scanner probes a network or application and reports on potential weaknesses. The problem is that these scans often lack context and can be rife with false positives. A scanner might flag a vulnerability that, in the specific context of the system, is not actually exploitable. This creates a “guilty until proven innocent” scenario, where security teams are sent scrambling to patch issues that may not pose a genuine threat.
- Example: a scanner reports an unpatched vulnerability in a service (SSH) on a device. The device may well have been patched through an automated update, while the documented release number (v1.153) was not bumped by the vendor, so the scanner, matching on that version string, still reports it as unpatched. This is a quite common occurrence, and shows how easily scanning alone can fail to provide the full picture.
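To make the backport case above concrete, here is an added Python example (not from the original article) that treats each scanner finding as a hypothesis to be tested against evidence collected on the host itself, instead of as a verdict. All version numbers, the scanner rule, and the vendor "fixed in" value are constructed for the example, and the version comparison is a simplified stand-in for a real package-manager comparison.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Finding:
    host: str
    service: str
    version_seen: str    # upstream version the scanner read from the banner
    rule_fixed_in: str   # scanner rule: "vulnerable if upstream version < this"


@dataclass
class HostEvidence:
    package_version: Optional[str] = None   # from dpkg/rpm on the host itself
    vendor_fixed_in: Optional[str] = None   # distro advisory's "fixed in" package version


def _chunks(text):
    # "8.2p1" -> [(0, 8), (1, "."), (0, 2), (1, "p"), (0, 1)] so digit runs compare
    # numerically and never collide with string runs (simplified, not full dpkg rules)
    return [(0, int(t)) if t.isdigit() else (1, t) for t in re.findall(r"\d+|\D+", text)]


def version_key(version):
    """Sortable key for a Debian-style 'epoch:upstream-revision' version string."""
    epoch, _, rest = version.rpartition(":") if ":" in version else ("0", "", version)
    upstream, _, revision = rest.partition("-")
    return (int(epoch), _chunks(upstream), _chunks(revision))


def triage(finding, evidence):
    """Test the scanner's 'vulnerable' claim against host-side evidence."""
    if version_key(finding.version_seen) >= version_key(finding.rule_fixed_in):
        return "not_flagged"              # the scanner rule does not apply at all
    if evidence.package_version is None or evidence.vendor_fixed_in is None:
        return "unverified"               # a banner alone is not evidence either way
    if version_key(evidence.package_version) >= version_key(evidence.vendor_fixed_in):
        # vendor backported the fix without bumping the upstream version string
        return "likely_false_positive_backport"
    return "confirmed_by_vendor_data"


# Constructed sample: scanner says "SSH below 8.5 is vulnerable"; the host's
# package manager reports a distro build that carries the vendor's backported fix.
SAMPLE_FINDING = Finding("web-01", "ssh", "8.2p1", "8.5")
SAMPLE_EVIDENCE = HostEvidence("1:8.2p1-4ubuntu0.11", "1:8.2p1-4ubuntu0.5")

if __name__ == "__main__":
    print(SAMPLE_FINDING.host, triage(SAMPLE_FINDING, SAMPLE_EVIDENCE))
    print(SAMPLE_FINDING.host, triage(SAMPLE_FINDING, HostEvidence()))
```

The "unverified" outcome is the important one: without host-side evidence the finding is neither confirmed nor dismissed, which is exactly the state a scan-only process silently skips over.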
Analogy: What if Bob Marley Came Back For A One-Night Only Show?
Any large public venue hosting a popular concert or sporting event is a potent example. Imagine that Bob Marley & The Wailers were all to return to us to play one massive concert. It would be an unforgettable event, and would sell out at any price. Now imagine that the security and venue management teams settled on a strategy for managing the show that rested on the single, sizable assumption that everyone entering or already inside the stadium had a valid ticket. The absurdity of this is obvious.
You Just Can’t Assume That
We all know that in any large crowd there will be individuals who have not paid for entry. In fact, you should anticipate that fake tickets will be sold and presented at the gate, that people will climb walls, that the perimeter will be breached, and more. That’s why at any popular show tickets are checked and rechecked, scanners are used throughout the venue, badges and credentials are worn, and large men in matching security jackets guard the access points… all of whom are there to challenge the hypothesis that everyone present is legit.
The naive assumption that everyone has a ticket is the null hypothesis, and the reality observed by anyone who has attended a big show is that this assumption must always be challenged before it can be accepted, sometimes against many different alternative scenarios before a reliable level of confidence is reached.
Similarly, in cybersecurity, the “legit purchased ticket” is a validated, secure configuration. A vulnerability scan, in its typical form, is like that cursory glance at the perimeter. It might easily spot some obvious issues, but it doesn’t come close to validating the security of each individual component from the inside out. Likewise, an expert’s quick glance at the crowd may be useful for forming some educated assumptions, but it is nowhere close to validating the entire audience or the validity of each presented ticket. In fact, communicating those observations as if they were conclusions may even create additional risk by giving a false sense of security. Is this how your business identifies risk?