Dark Reading is part of the Informa Tech Division of Informa PLC

4/16/2020
02:00 PM
Dr. Mike Lloyd
Commentary

4 Cybersecurity Lessons from the Pandemic

An epidemiologist-turned-CTO describes the parallels between the spread of a computer virus and the real-world coronavirus.

I switched from epidemiology to network security as my day job years ago, but today's pandemic reminds me of the similarities between the two fields. There are many lessons we can take from the real-world virus and apply to security in the online world.

It may not be obvious, but the spread of information on computer networks is like disease processes. It starts at the most basic level — when you connect to the Internet, you launch what epidemiologists would call a "nearest neighbor spread" process but what network gurus call a routing protocol. One router learns that you're there, it tells its neighbors, and they tell their neighbors, in a wave that spreads out across the network — spreading your information like a disease.

It's no coincidence that some of the first major computer threats were called viruses — they spread in ways that look like biological agents, with similar strategies for infection and reproduction. If you've ever received infected email from a colleague, you were watching evolution in action: attackers figuring out that they can more effectively spread if they contact you from someone you know rather than from an unfamiliar address. 

So, what can the study of epidemics teach us about online security? I see four broad lessons:

Lesson 1: Understanding Lateral Movement
Diseases spread between humans as we connect with each other. That's why many of us are sheltering in place as I write this — to reduce the ability of today's infection to move laterally around the population. It's clear that human networks are global and interconnected. The disease started in one country and has spread laterally to even small, remote island communities.

In the online world, attackers find it easiest to breach low-value targets first, then spread outwards to better targets. Why? We can't protect all of our networks down to every endpoint. Therefore, an attacker begins by finding one compromised location. Although a network is large, it doesn't take many lateral moves to get from one place to any other place. Similarly, air travel is a great help for the spread of real-world bugs. In the online world of social networks, lateral movement is one of the best tools in an attacker's arsenal.

By remaining at home in our fight against the coronavirus, we're fighting back by blocking its lateral movement. Likewise, digital defenders need to break up patterns of lateral movement through segmentation that walls off data into distinct areas. This prevents infections from moving into new segments.

Lesson 2: Know Where Infections Are
In the fight against disease, it's increasingly clear that the difference between countries that have better or worse outcomes comes down to who can test the most. They can see where the disease really is and get ahead of it. Digital security is the same. We struggle to know where we have infections, and response teams are often scrambling to catch up with something that has already begun to spread. 

For real-world diseases, we use contact tracing. If you just learned one person is a carrier, immediately track down their contacts, test them, and quarantine as necessary. The digital version of the challenge is much harder because computers communicate across a network in many different and shifting directions, comparable to having every person on earth flying country to country every day.

In an online crisis, there is no simple answer to the question "how did this infection get here, and where is it going next?" To find that answer, security teams need to map out a network well ahead of an attack and understand all the access pathways and normal information flows for the organization. This isn't easy, but we're getting better at automation and algorithms to analyze questions like this that defy human thought.
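
The contact tracing described above, together with the segmentation point from Lesson 1, can be sketched over network flow records. This is an added example, not part of the original article: the host names, flow records, segment map and the simplification that an infection travels only from a flow's source to its destination are all constructed for illustration.

```python
# Constructed flow records: (timestamp, source, destination). Host names are hypothetical.
FLOWS = [
    (1, "kiosk", "print-srv"),
    (2, "hr-laptop", "file-srv"),
    (3, "print-srv", "file-srv"),
    (4, "file-srv", "db-srv"),
    (5, "db-srv", "backup"),
    (6, "kiosk", "hr-laptop"),
]

# Constructed segment map for the "what if the network were segmented" comparison.
SEGMENT = {"kiosk": "guest", "print-srv": "office", "hr-laptop": "office",
           "file-srv": "office", "db-srv": "datacenter", "backup": "datacenter"}
# The only cross-segment (source segment, destination segment) pairs the policy permits.
ALLOWED_CROSS = {("office", "datacenter")}


def permitted(src, dst):
    """Segmentation policy: allow traffic inside a segment or on an allowed pair."""
    a, b = SEGMENT[src], SEGMENT[dst]
    return a == b or (a, b) in ALLOWED_CROSS


def trace_contacts(flows, patient_zero, infected_at, policy=None):
    """Return {host: earliest possible exposure time}, walking flows in time order."""
    exposed = {patient_zero: infected_at}
    for ts, src, dst in sorted(flows):
        if policy and not policy(src, dst):
            continue  # this flow would have been blocked by segmentation
        # A host can only pass the infection on after it was itself exposed.
        if src in exposed and exposed[src] <= ts and dst not in exposed:
            exposed[dst] = ts
    return exposed


if __name__ == "__main__":
    flat = trace_contacts(FLOWS, "kiosk", 0)
    walled = trace_contacts(FLOWS, "kiosk", 0, policy=permitted)
    print("flat network, hosts to test and quarantine:", sorted(flat))
    print("segmented network, hosts to test and quarantine:", sorted(walled))
```

Ordering by timestamp matters: a flow that happened before a host was infected is not a contact, which keeps the list of machines to test from growing to the whole network.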

Lesson 3: Slow It Down
The global effort to stay home and "flatten the curve" for disease spread is a great move to reduce the strain on our taxed medical systems. Similarly, just slowing down an online attack brings powerful benefits. We know you won't be able to stop every determined attacker or nation-state, but slowing them down buys time for your sensors to detect digital intruders so you can respond to block or quarantine them. You can also see this in traditional safes, which are rated based on how long they can resist a determined thief. 

Lesson 4: Hygiene Is Critically Important
The most important and repeated advice about the current COVID-19 outbreak is always the same: Wash your hands. This is our first and best line of defense. It's much the same online: Basic hygiene matters. In the digital realm, network hygiene includes knowing what is on your network, that your devices are securely configured, that your network is set up as intended, and that any change doesn't affect your security, none of which is easy to do consistently at large scale — even the simple things. Real-world networks are riddled with unintentional hygiene failure; even 90% compliance with basic hygiene standards isn't enough. It's far more important for security teams to perform the basic controls well, everywhere, every time. So, please, people — wash your hands!

Dr. Mike Lloyd is CTO of cyber terrain mapping company RedSeal. Dr. Lloyd has more than 25 years of experience in the modeling and control of fast-moving, complex systems. He has been granted 21 patents on security, network assessment, and dynamic network control. Before ...
 
