Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


02:00 PM
Dr. Mike Lloyd
Dr. Mike Lloyd
Connect Directly
E-Mail vvv

4 Cybersecurity Lessons from the Pandemic

An epidemiologist-turned-CTO describes the parallels between the spread of a computer virus and the real-world coronavirus.

I switched from epidemiology to network security as my day job years ago, but today's pandemic reminds me of the similarities between the two fields. There are many lessons we can take from the real-world virus and apply them to security in the online world. 

It may not be obvious, but the spread of information on computer networks is like disease processes.  It starts at the most basic level — when you connect to the Internet, you launch what epidemiologists would call a "nearest neighbor spread" process but what network gurus call a routing protocol. One router learns that you're there, it tells its neighbors, and they tell their neighbors, in a wave that spreads out across the network — spreading your information like a disease.

It's no coincidence that some of the first major computer threats were called viruses — they spread in ways that look like biological agents, with similar strategies for infection and reproduction. If you've ever received infected email from a colleague, you were watching evolution in action: attackers figuring out that they can more effectively spread if they contact you from someone you know rather than from an unfamiliar address. 

So, what can the study of epidemics teach us about online security? I see four broad lessons:

Lesson 1: Understanding Lateral Movement
Diseases spread between humans as we connect with each other. That's why many of us are sheltering in place as I write this — to reduce the ability of today's infection to move laterally around the population. It's clear that human networks are global and interconnected. The disease started in one country and has spread laterally to even small, remote island communities.

In the online world, attackers find it easiest to breach low-value targets first, then spread outwards to better targets. Why? We can't protect all of our networks down to every endpoint. Therefore, an attacker begins by finding one compromised location. Although a network is large, it doesn't take many lateral moves to get from one place to any other place. Similarly, air travel is a great help for the spread of real-world bugs. In the online world of social networks, lateral movement is one of the best tools in an attacker's arsenal.

By remaining at home in our fight against the coronavirus, we're fighting back by blocking its lateral movement. Likewise, digital defenders need to break up patterns of lateral movement through segmentation that walls off data into distinct areas. This prevents infections from moving into new segments.

Lesson 2: Know Where Infections Are
In the fight against disease, it's increasingly clear that the difference between countries that have better or worse outcomes comes down to who can test the most. They can see where the disease really is and get ahead of it. Digital security is the same. We struggle to know where we have infections, and response teams are often scrambling to catch up with something that has already begun to spread. 

For real-world diseases, we use contact tracing. If you just learned one person is a carrier, immediately track down their contacts, test them, and quarantine as necessary. The digital version of the challenge is much harder because computers communicate across a network in many different and shifting directions, comparable to having every person on earth flying country to country every day.

In an online crisis, there is no simple answer to the question "how did this infection get here, and where is it going next?" To find that answer, security teams need to map out a network well ahead of an attack and understand all the access pathways and normal information flows for the organization. This isn't easy, but we're getting better at automation and algorithms to analyze questions like this that defy human thought.

Lesson 3: Slow It Down
The global effort to stay home and "flatten the curve" for disease spread is a great move to reduce the strain on our taxed medical systems. Similarly, just slowing down an online attack brings powerful benefits. We know you won't be able to stop every determined attacker or nation-state, but slowing them down buys time for your sensors to detect digital intruders so you can respond to block or quarantine them. You can also see this in traditional safes, which are rated based on how long they can resist a determined thief. 

Lesson 4: Hygiene Is Critically Important
The most important and repeated advice about the current COVID-19 outbreak is always the same: Wash your hands. This is our first and best line of defense. It's much the same online: Basic hygiene matters. In the digital realm, network hygiene includes knowing what is on your network, that your devices are securely configured, that your network is set up as intended, and that any change doesn't affect your security, none of which is easy to do consistently at large scale — even the simple things. Real-world networks are riddled with unintentional hygiene failure; even 90% compliance with basic hygiene standards isn't enough. It's far more important for security teams to perform the basic controls well, everywhere, every time. So, please, people — wash your hands!

Related Content:

A listing of free products and services compiled for Dark Reading by Omdia analysts to help meet the challenges of COVID-19. 

Dr. Mike Lloyd is CTO of cyber terrain mapping company RedSeal. Dr. Lloyd has more than 25 years of experience in the modeling and control of fast-moving, complex systems. He has been granted 21 patents on security, network assessment, and dynamic network control. Before ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
How SolarWinds Busted Up Our Assumptions About Code Signing
Dr. Jethro Beekman, Technical Director,  3/3/2021
'ObliqueRAT' Now Hides Behind Images on Compromised Websites
Jai Vijayan, Contributing Writer,  3/2/2021
Attackers Turn Struggling Software Projects Into Trojan Horses
Robert Lemos, Contributing Writer,  2/26/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: George has not accepted that the technology age has come to an end.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-03-07
This affects all versions of package github.com/nats-io/nats-server/server. Untrusted accounts are able to crash the server using configs that represent a service export/import cycles. Disclaimer from the maintainers: Running a NATS service which is exposed to untrusted users presents a heightened r...
PUBLISHED: 2021-03-07
An issue was discovered in the Linux kernel through 5.11.3. drivers/scsi/scsi_transport_iscsi.c is adversely affected by the ability of an unprivileged user to craft Netlink messages.
PUBLISHED: 2021-03-07
An issue was discovered in the Linux kernel through 5.11.3. Certain iSCSI data structures do not have appropriate length constraints or checks, and can exceed the PAGE_SIZE value. An unprivileged user can send a Netlink message that is associated with iSCSI, and has a length up to the maximum length...
PUBLISHED: 2021-03-07
An issue was discovered in the Linux kernel through 5.11.3. A kernel pointer leak can be used to determine the address of the iscsi_transport structure. When an iSCSI transport is registered with the iSCSI subsystem, the transport's handle is available to unprivileged users via the sysfs file system...
PUBLISHED: 2021-03-07
An issue was discovered in AfterLogic Aurora through 7.7.9 and WebMail Pro through 7.7.9. They allow directory traversal to read files (such as a data/settings/settings.xml file containing admin panel credentials), as demonstrated by dav/server.php/files/personal/%2e%2e when using the caldav_public_...