Fresh Thoughts #8: Seeing Signals & Why Some Bugs are Unpatchable

radio antenna on a hill side picking up signals

Seeing Signals

It seems obvious, but I missed it for years.

Trees have flowers. Not just fruit trees, all trees.

Tiny little flowers. And they bloom at this time of year.

Once I saw it, I couldn’t un-see it. It’s everywhere.

The signal had popped through the noise, and now I can spot it on every walk.

Detecting signals is what business is about...

...and innovation.

...and cybersecurity.

Security awareness training teaches your team how to spot the signals used in scams.

Once they see it...

Why Some Bugs Are Unpatchable and What To Do About Them

"Patch all the vulnerabilities." It sounds simple, but how?

Some bugs, vulnerabilities, and problems simply can't be fixed.

My elder sister had a friend who did an internship at GCHQ many years ago.

Her project was to make a 1990s TV "invisible to the TV license detector van".

After 8 weeks and mountains of tin foil (which I saw a few years later when I joined the same team), it was finally agreed that it wasn't possible.

Right now, you certainly have bugs and vulnerabilities that can't be patched.

It may be that the vendor has gone out of business.

Or they simply don't think it's necessary.

Or the patch breaks something else which your business depends on.

Or the root cause is a library deep in the software supply chain that isn't funded or has one maintainer - hello SSL. 👋

Or the device doesn't have a way to upload the patch - hello IoT devices. 👋

Or one of your team clicking on a phishing email.

There are many reasons why patches can't be applied.

And that's ok.

That's why we use compensating controls.

A compensating control is a different, complementary way to fix a vulnerability.

Security awareness training is a compensating control - there's no patch for human behaviour.

Putting unpatchable IoT door locks on a different network to your databases and file shares.

Having a guest or student wifi network that can't access confidential information.

These are all compensating controls.

Security certifications like ISO-27001 allow you to define compensating controls where no direct fix is available. This makes it more flexible than Cyber Essentials.

But you also need to know when to stop... compensating controls can be an endless path.

March 29, 2022
2 Minutes Read

Fresh Thoughts to Your Inbox

Fresh perspectives on cybersecurity every Tuesday. Real stories, analytical insights, and a slash through buzzwords.

We'll never share your email.

Related Reads

Broken fence

Fresh Thoughts #4: The Price of Cyber Insurance & Know Your Perimeter

The eye-watering price of cyber insurance renewals may be coming as a surprise... Let's have a look at why it's happening.

Subscribe to Fresh Thoughts

Our weekly newsletter brings you cybersecurity stories and insights. The insights that help you cut through the bull.

We'll never share your email.


Fresh Security Support

Your Questions


Fresh Sec Limited

Call: +44 (0)203 9255868