Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

4/16/2020
02:00 PM
Dr. Mike Lloyd
Dr. Mike Lloyd
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

4 Cybersecurity Lessons from the Pandemic

An epidemiologist-turned-CTO describes the parallels between the spread of a computer virus and the real-world coronavirus.

I switched from epidemiology to network security as my day job years ago, but today's pandemic reminds me of the similarities between the two fields. There are many lessons we can take from the real-world virus and apply them to security in the online world. 

It may not be obvious, but the spread of information on computer networks is like disease processes.  It starts at the most basic level — when you connect to the Internet, you launch what epidemiologists would call a "nearest neighbor spread" process but what network gurus call a routing protocol. One router learns that you're there, it tells its neighbors, and they tell their neighbors, in a wave that spreads out across the network — spreading your information like a disease.

It's no coincidence that some of the first major computer threats were called viruses — they spread in ways that look like biological agents, with similar strategies for infection and reproduction. If you've ever received infected email from a colleague, you were watching evolution in action: attackers figuring out that they can more effectively spread if they contact you from someone you know rather than from an unfamiliar address. 

So, what can the study of epidemics teach us about online security? I see four broad lessons:

Lesson 1: Understanding Lateral Movement
Diseases spread between humans as we connect with each other. That's why many of us are sheltering in place as I write this — to reduce the ability of today's infection to move laterally around the population. It's clear that human networks are global and interconnected. The disease started in one country and has spread laterally to even small, remote island communities.

In the online world, attackers find it easiest to breach low-value targets first, then spread outwards to better targets. Why? We can't protect all of our networks down to every endpoint. Therefore, an attacker begins by finding one compromised location. Although a network is large, it doesn't take many lateral moves to get from one place to any other place. Similarly, air travel is a great help for the spread of real-world bugs. In the online world of social networks, lateral movement is one of the best tools in an attacker's arsenal.

By remaining at home in our fight against the coronavirus, we're fighting back by blocking its lateral movement. Likewise, digital defenders need to break up patterns of lateral movement through segmentation that walls off data into distinct areas. This prevents infections from moving into new segments.

Lesson 2: Know Where Infections Are
In the fight against disease, it's increasingly clear that the difference between countries that have better or worse outcomes comes down to who can test the most. They can see where the disease really is and get ahead of it. Digital security is the same. We struggle to know where we have infections, and response teams are often scrambling to catch up with something that has already begun to spread. 

For real-world diseases, we use contact tracing. If you just learned one person is a carrier, immediately track down their contacts, test them, and quarantine as necessary. The digital version of the challenge is much harder because computers communicate across a network in many different and shifting directions, comparable to having every person on earth flying country to country every day.

In an online crisis, there is no simple answer to the question "how did this infection get here, and where is it going next?" To find that answer, security teams need to map out a network well ahead of an attack and understand all the access pathways and normal information flows for the organization. This isn't easy, but we're getting better at automation and algorithms to analyze questions like this that defy human thought.

Lesson 3: Slow It Down
The global effort to stay home and "flatten the curve" for disease spread is a great move to reduce the strain on our taxed medical systems. Similarly, just slowing down an online attack brings powerful benefits. We know you won't be able to stop every determined attacker or nation-state, but slowing them down buys time for your sensors to detect digital intruders so you can respond to block or quarantine them. You can also see this in traditional safes, which are rated based on how long they can resist a determined thief. 

Lesson 4: Hygiene Is Critically Important
The most important and repeated advice about the current COVID-19 outbreak is always the same: Wash your hands. This is our first and best line of defense. It's much the same online: Basic hygiene matters. In the digital realm, network hygiene includes knowing what is on your network, that your devices are securely configured, that your network is set up as intended, and that any change doesn't affect your security, none of which is easy to do consistently at large scale — even the simple things. Real-world networks are riddled with unintentional hygiene failure; even 90% compliance with basic hygiene standards isn't enough. It's far more important for security teams to perform the basic controls well, everywhere, every time. So, please, people — wash your hands!

Related Content:

A listing of free products and services compiled for Dark Reading by Omdia analysts to help meet the challenges of COVID-19. 

Dr. Mike Lloyd is CTO of cyber terrain mapping company RedSeal. Dr. Lloyd has more than 25 years of experience in the modeling and control of fast-moving, complex systems. He has been granted 21 patents on security, network assessment, and dynamic network control. Before ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-4719
PUBLISHED: 2020-09-24
The client API authentication mechanism in Pexip Infinity before 10 allows remote attackers to gain privileges via a crafted request.
CVE-2020-15604
PUBLISHED: 2020-09-24
An incomplete SSL server certification validation vulnerability in the Trend Micro Security 2019 (v15) consumer family of products could allow an attacker to combine this vulnerability with another attack to trick an affected client into downloading a malicious update instead of the expected one. CW...
CVE-2020-24560
PUBLISHED: 2020-09-24
An incomplete SSL server certification validation vulnerability in the Trend Micro Security 2019 (v15) consumer family of products could allow an attacker to combine this vulnerability with another attack to trick an affected client into downloading a malicious update instead of the expected one. CW...
CVE-2020-25596
PUBLISHED: 2020-09-23
An issue was discovered in Xen through 4.14.x. x86 PV guest kernels can experience denial of service via SYSENTER. The SYSENTER instruction leaves various state sanitization activities to software. One of Xen's sanitization paths injects a #GP fault, and incorrectly delivers it twice to the guest. T...
CVE-2020-25597
PUBLISHED: 2020-09-23
An issue was discovered in Xen through 4.14.x. There is mishandling of the constraint that once-valid event channels may not turn invalid. Logic in the handling of event channel operations in Xen assumes that an event channel, once valid, will not become invalid over the life time of a guest. Howeve...