In my travels, I’ve met cybersecurity professionals from many different backgrounds. That’s not so surprising – it’s a relatively new profession only recently taught in universities, and it takes on the order of ten years of on-the-job training to become an expert. Most seasoned cybersecurity veterans came from some other discipline. I moved into cybersecurity from epidemiology, studying how disease spreads. There are some surprising and interesting parallels between cybersecurity and epidemiology – starting from the point that most people really don’t want to talk to you about the icky stuff that you spend your time on until they face a real crisis and suddenly demand answers!
Coronavirus is a good example of crisis-driven attention to a neglected area. Normally, we fly around visiting busy places, shaking hands, and generally behaving as if the outside world wasn’t out to get us. But publicity around Coronavirus has abruptly caused people to pay attention, buying disinfectant, stocking groceries, and above all, washing their hands. I’m writing this on a half-empty plane. I’ve seen school kids using a foot bump instead of a handshake, learned from an online half-joking video from people in Wuhan. But we know this attention won’t last.
This spike and eventual dip in awareness is familiar to cybersecurity professionals. Our recommendations and policies – don’t click on unknown links, for example — are as hard for most people to live with every day as is the epidemiologist’s advice to wash your hands and keep them from your face. Heightened awareness of the danger from microbes will change behaviour for a while. But you don’t have to be clairvoyant to predict a future where people will gradually go back to attending sports events, getting on cruise ships, and in the process, increasing their attack surface to microbes. We aren’t surprised when our security awareness training only seems to bring benefits for a while, so we keep repeating it.
Of all the advice coming out of epidemiologists around Coronavirus, the most frequently repeated point is the simplest: wash your hands. Do it a lot. Do it well. Use soap. This is perhaps not what most people were expecting. Between Hollywood disaster movies and most people’s fertile imagination, I figure most folks were expecting something sophisticated and technical, like “take this new breakthrough drug with a long fancy name full of x’s and z’s”.
The mundane nature of the best counter to Covid-19 – just wash your hands – is a reminder that basics are still our most important line of defense. Microbes have to obey the laws of biology – they cannot just teleport from person to person, they need a way to get between them, and at least for airborne pathogens, it creates a chain that we can break with something far less costly than a super drug.
In the security business, we’re also prone to falling for the promise of a super drug – “my newfangled AI system is so advanced, it will figure out the attacker’s intentions before they have even realised they are coming after you”, and so on. It sounds great, except it’s neither practical, nor your best line of defense even if it worked. Your best line of defense is boring old security fundamentals – just the way that handwashing can combat a scary new contagion. It starts with knowing what you have, then looking at how it’s configured, and finally looking at how all the pieces interact. Epidemiologists follow the same basics – what’s the susceptible group, how strong are their defenses, and what’s the attack pathway?
Understanding your online inventory shouldn’t be a challenge, and people in the physical world should be prepared for emergencies. But being prepared takes time and attention – the catch is that attention has become our most precious commodity. Every company I visit has some kind of inventory programme in place, and not a single security team I’ve met believes it’s complete and reliable. Sadly, in my line of work, I end up proving that they are right – it’s not just professional paranoia, inventories really are riddled with gaps and faulty data. Is it any wonder, then, that breaches continue to succeed? Attackers thrive in the places we can’t see, in much the same way that microbes hang on wherever we don’t spray the disinfectant. The current strain of Coronavirus may be new, but it still exploits the same attack vectors that humans have had since prehistoric times – make one victim cough and depend on poor hygiene to infect the next person. Modern humans have the ability to stop these diseases, because we have hot water and soap, but they are only effective if we actually use them.
Between my earlier training as an epidemiologist, and my current work on network security, I suppose I should be a pessimist – a dysfunctional germophobe with a disdain for all things networked. But honestly, I’ve come out more as an optimist (albeit with a good sense of how grateful we should be, given the fragile nature of the world we live in). I believe the Coronavirus shock will have a positive legacy once it has peaked, if only in the mindset it brought to get people thinking about washing their hands. And as we know from security awareness training, most people can have their online behaviour changed, at least for a while. But we still need to be prepared – map out your stuff, check it for basic violations, then move on to thinking about lateral movement, the way that epidemiologists try to predict where Coronavirus is going next. And above all, people, wash your hands.