Type to search

Cybersecurity Risk

What Coronavirus (COVID-19) Teaches Us About the Nature of Infosec

4 min read
No alt text provided for this image

As an American who spent the past 3 weeks in Taiwan for Lunar New Year, it’s been impossible to ignore the impact of Coronavirus. Over 1800 have passed away, including a 34-years-young doctor in Wuhan, one of the first to discover and warn about the severity of the virus.

Although Taiwan only has ~20 infected, nearly everyone on the streets—over 85% of folks —are diligently wearing masks and queuing outside 7-11s and pharmacies to buy disinfectant, supplies, and yes, more masks.

No alt text provided for this image

As I sit in Taoyuan International Airport, about to enter a danger zone, a 14-hour crowded flight back to Boston, my mind races around how similar the challenge is to cybersecurity. As a father to a newborn and a member of the infosec community, I must manage the risk of infection. But what can I do, and is it even under my control?

Fear, uncertainty, and doubt (FUD) aside, there are three strong parallels we can learn from, as we combat a virus that will leave its mark long after the chaos settles.

1. We don’t understand how every virus works.

When listening to a low-tech relative ask about “beet-coin” and why files on their PC won’t open, it’s tempting to give a wry smile. “You didn’t backup?!” We all have gaps in knowledge, whether it’s how the Coronavirus is transmitted and its level of risk, or just how bad it might be to open a PDF from an unknown sender.

Even when prevention may be as simple as wearing a mask and regular disinfection, it quickly leads to more questions:

  • What’s our risk of catching the virus on a plane?
  • How strict is the protocol – should we abstain from in-flight meals?
  • If my friendly neighbors start hacking, coughing, and spraying liquid… does our prevention even matter?

When facing outbreaks of this magnitude, it’s common to see underreported figures around infection and spread. We experienced this in 2009 with H1N1: governments, and not just China, just can’t keep up. On a micro and macro level, it’s very hard to quantify the risk.

We collectively roll our eyes at the FUD statistic, “Millions of cyberattacks take place each second…”, but today’s security leaders must manage risk based on often nebulous threat intelligence and a “sense of the future” (e.g. Iran retaliation).

Another shared challenge: just like the biological Coronavirus, we usually can’t spot a cyber infection taking place right before our very eyes.

2. Preparation requires defense-in-depth – and that can be a pain.

As my lovely wife aggressively briefed me on the way to the airport, my security stack should be:

  1. Mask
  2. Disinfectant wipes
  3. Clean hands regularly (don’t touch face!)

The mask is the common persons’ anti-virus/EDR tool, meant to protect our human body endpoint. This protects me from liquids (saliva) expelled from my plane-mates. If I am infected myself, perhaps as a symptomless carrier, the mask limits my exposure to others.

Disinfectant wipes? Network segmentation. This will clean the tray table and other surfaces I will touch, and remove bacteria from my hands.

The last is regular hand washing. As a human, I will inadvertently touch my face and massage vulnerable attack surfaces such as my eyes, nose, and mouth.

These are all prudent countermeasures, but how does it apply in the real-world? In New York City, a woman was allegedly beaten for wearing a face mask. And let’s admit it, in the United States, masks are a big cultural no-no.

Masks come with disadvantages. Aside from rendering Face ID useless, it’s terrible in the business world, where we travel in order to build personal, face-to-face connections. In America, the stigma is if you wear a mask, it means you’re already sick. We might not change this line of thinking until we face such a potent opportunistic virus. (Similarly, China may reconsider their range of animals eaten for pleasure in the wake of COVID-19.)

Bringing it back to infosec, how do we decide as leaders, which systems need to “wear masks”, and how “disinfected” our networks need to be? Threat intelligence—analysis of past attacks—offers answers, but by design, only prepares us for the past. It’s a rearview mirror. A starting suggestion is to focus on Crown Jewels, our most precious assets (e.g. wife & baby), and prepare and improve against the highest areas of risk.

3. The only way to “battle” the disease is to face it head-on.

For Coronavirus, the real battle takes place inside our bodies, where our immune system will fight against a virus impersonating as good, urging our body to attack our lungs.

To become resilient, we must battle via vaccine. As of this writing, several countries have formulated a vaccine; NPR reports we may see it in fall 2020. Like most, the vaccine will be a weakened, yet very real version of the virus that will force the body to test their defenses and train a response, giving the body a fighting chance when facing the real thing.

Today’s penetration tests and red team engagements play a parallel role in information security, validating if defenses are working and exercising incident response. However, they usually happen once a year, and lose track of the company as it changes. Mergers and acquisitions, cloud migrations, and digital transformations all introduce new attack surfaces and opportunities for an adversary seeking access into the company network.

For that reason, security leaders today are changing their approach, seeking testing that offers continuous sparring against a trusted, data-driven adversary. Crafting solutions based on outdated data is dangerous—it’d be like asking a doctor to give you last year’s flu vaccine. The threat has changed and while the vaccine is valid, it won’t protect you from what you face today.

The next few months will continue to be turbulent, and my heart goes to the millions of people who are quarantined across Asia. In extreme cases, known-infected are literally barricaded in their homes, unable to leave their house for basic food and needs.

Should Coronavirus increase its threat profile to impact your region, please consider ways you can mitigate risk, especially for those that matter most — your Crown Jewels. It’s hard to know where to draw the line. I was berated in a crowded, mask-filled elevator for chatting with my wife, due to the close quarters and possibility of transmission. But at the very least, Coronavirus is an extremely potent adversary and a reminder of the many risks we accept and must overcome—together.

This article originally appeared in the author’s LinkedIn page.