COVID-19

What do learnings from COVID-19 and cybersecurity have in common?

In my travels, I have met cybersecurity professionals from many different backgrounds. That is not so surprising – it is a relatively new profession only recently taught in universities, and it takes on the order of ten years of on-the-job training to become an expert. Most seasoned cybersecurity veterans came from some other discipline. 

I moved into cybersecurity from epidemiology, studying how disease spreads. There are some surprising and interesting parallels between cybersecurity and epidemiology – starting from the point that most people really do not want to talk to you about the icky stuff that you spend your time on until they face a real crisis and suddenly demand answers!

Coronavirus is a good example of crisis-driven attention to a neglected area. Normally, we fly around visiting busy places, shaking hands, and generally behaving as if the outside world was not out to get us. But publicity around Coronavirus has abruptly caused people to pay attention, buying disinfectant, stocking groceries, and above all, washing their hands. 

This spike and eventual dip in awareness is familiar to cybersecurity professionals. Our recommendations and policies – do not click on unknown links, for example – are as hard for most people to live with every day as is the epidemiologist’s advice to wash your hands and keep them from your face. 

Heightened awareness of the danger from microbes will change behavior for a while. But you do not have to be clairvoyant to predict a future where people will gradually go back to attending sports events, getting on cruise ships, and in the process, increasing their attack surface to microbes. We are not surprised when our security awareness training only seems to bring benefits for a while, so we keep repeating it.

Of all the advice coming out of epidemiologists around Coronavirus, the most frequently repeated point is the simplest: wash your hands. Do it a lot. Do it well. Use soap. This is perhaps not what most people were expecting. 

The mundane nature of the best counter to Covid-19 – just wash your hands – is a reminder that basics are still our most important line of defense. Microbes have to obey the laws of biology – they cannot just teleport from person to person, they need a way to get between them, and at least for airborne pathogens, it creates a chain that we can break with something far less costly than a super drug. 

In the security business, we are also prone to falling for the promise of a super drug – my newfangled AI system is so advanced, it will figure out the attacker’s intentions before they have even realized they are coming after you, and so on. It sounds great, except it is neither practical, nor your best line of defense even if it worked. 

Your best line of defense is boring old security fundamentals – just the way that handwashing can combat a scary new contagion. It starts with knowing what you have, then looking at how it is configured, and finally looking at how all the pieces interact. Epidemiologists follow the same basics – what is the susceptible group, how strong are their defenses, and what is the attack pathway? 

Every company I visit has some kind of inventory program in place, and not a single security team I have met believes it is complete and reliable. Sadly, in my line of work, I end up proving that they are right – it is not just professional paranoia, inventories really are riddled with gaps and faulty data. 

Is it any wonder, then, that breaches continue to succeed? Attackers thrive in the places we cannot see, in much the same way that microbes hang on wherever we do not spray the disinfectant. 

The current strain of Coronavirus may be new, but it still exploits the same attack vectors that humans have had since prehistoric times – make one victim cough and depend on poor hygiene to infect the next person. Modern humans have the ability to stop these diseases, because we have hot water and soap, but they are only effective if we actually use them.

Between my earlier training as an epidemiologist and my current work on network security, I suppose I should be a pessimist – a dysfunctional germophobe with a disdain for all things networked. But honestly, I have come out more as an optimist, albeit with a good sense of how grateful we should be, given the fragile nature of the world we live in.

I believe the Coronavirus shock will have a positive legacy once it has peaked, if only in the mindset it brought to get people thinking about washing their hands. 

And as we know from security awareness training, most people can have their online behavior changed, at least for a while. But we still need to be prepared – map out your stuff, check it for basic violations, then move on to thinking about lateral movement, the way that epidemiologists try to predict where Coronavirus is going next. And above all, people, wash your hands.


Key takeaways

  • Attackers thrive in places we cannot see, the same way microbes hang on wherever we do not spray.
  • The current strain of Coronavirus may be new, but it still exploits the same attack vectors that humans have had since prehistoric times.
  • Modern humans have the ability to stop these diseases, because we have hot water and soap, but they are only effective if we actually use them.
  • Being prepared takes time and attention; the catch is that attention has become our most precious commodity.
  • I believe the Coronavirus shock will have a positive legacy once it has peaked: it got people thinking about washing their hands.

By Dr Mike Lloyd, CTO RedSeal.
