Perils of Looking but Not Seeing
As we go about our lives and work there is a good chance we often look but do not see what is around us. Depending on the situation this can either be harmless such as sitting at the window of train watching fields go by but can turn deadly such as looking at the traffic lights and failing to see whether it is red or green leading to crash as you go straight through.
The key difference between them is to look at something means to gaze your eyes upon or acknowledge its presence. In order to see, not only does one look at the object but also understands it and pays attention to it. To look and to see are two different things, even if they both refer to visual perception. Visual perception is the ability to see and interpret our surroundings by processing information contained in visible light.
Merriam Webster defines ‘looking’ as, “to ascertain by the use of one's eyes; to exercise the power of vision upon; to search for.” In layman terms, to look at something means to gaze your eyes upon or acknowledge its presence. It is considered as a passive action. For example, Sarah asked Sam to look at her new watch. In this example, Sarah is telling Sam to acknowledge the presence of her new watch, all he needs to do is glance at the watch and acknowledge that Sarah has bought a new watch.
‘Seeing’ is defined as, “To perceive by the eye; to perceive or detect as if by sights.” It is a more active action. In order to see, not only does one look at the object but also understands it, perceives it and pays attention to it. Perception means recognising or relating what the eyes see with prior knowledge of the object. Let’s take the same example of Sarah and Sam. When Sarah shows her new watch to Sam, he sees it instead of just looking at it. He goes on to notice that it is different from the one Sarah had before. This means to see, not only just acknowledging it, but also understanding it and paying attention to it. It also means to look past the just obvious and actually take time to notice.
It is important to acknowledge this because often when things go wrong or when we make mistakes realising can sometimes be put down to looking but not seeing. So we overlook or fail to understand what had gone wrong.
But also this is linked to the issue of hindsight bias after the matter has passed. While hindsight is a useful way to acknowledge mistakes and to learn to do things differently trying to be clever with hindsight is a quick way to cause more problems or not to solve problems.
|The enterprise attack surface|
The x-axis includes the organisation's traditional infrastructure (servers, databases, switches, routers, and so forth), applications (standard and custom), endpoints (managed, un-managed, mobile and fixed, IoTs, industrial controllers, and so forth), and cloud apps (sanctioned and unsanctioned).
At the right end of the x-axis, there are the organisation's third-party vendors. The x-axis effectively repeats itself recursively in the organisation's supply chain, where each third-party vendor is an entity with an x-axis and attack surface just like that of the organisation, and this brings risk into the enterprise network because of certain trust relationships. The ellipses on the x-axis indicate that these categories of assets are large sets. It is quite difficult for most organizations to even enumerate their x-axis with accuracy.
On the y-axis, there are the different methods of attacks—starting from simple things like weak and default passwords, reused password, passwords stored incorrectly on disk, or transmitted in the clear, on to more complex things like phishing, social engineering, and unpatched software. Further down the y-axis, there are zero-day vulnerabilities—security bugs that are "unknown" until they are first used by an adversary. There are quite literally 100s of items on the y-axis in dozens of categories.
Each point in this x-y graph represents one way by which adversaries can compromise an enterprise asset.
Post a Comment