Blogs are meant to be topical, so there can only be one starting point for this one. We only deal in the business of compliance and cyber security, so I can really only write about anything from that perspective.
It’s not to make light of something that is deadly serious and causing so much suffering across the world, but simply that the way in which the topics of prevention, detection, containment and remediation are being exercised has such strong parallels within the cyber security world.

If it were a computer virus, COVID-19 would be classified as a Zero Day threat. No vaccine exists, and it’s likely this won’t change for another 12 months or longer, depending on what you read (and like everyone else, I am reading a lot of articles about this particular Coronavirus).
In cyber security terms, Anti-Virus (AV) technology is increasingly seen in the same way as its medical equivalent, the antibiotic. This once all-powerful cure for virtually every infection is now seen to be losing its potency. Superbugs such as MRSA have mutated to become resistant to antibiotics, much as polymorphic malware changes its form repeatedly to evade signature-based AV quarantine rules.
Back to COVID-19: in the absence of any vaccine to prevent infection, the main tactic most countries now have for fighting the outbreak is to impose a lockdown. To extend the cyber security analogy, we know we have been hit by a worm that is replicating rapidly, so we are trying to unplug every computer from the network to stop the spread.
Unplugging the computers buys time but isn’t really a solution; similarly, slowing the spread of COVID-19 via lockdowns won’t defeat it, but it serves the invaluable purpose of relieving pressure on the healthcare infrastructure.
The more positive response, actively dealing with an epidemic, comes from the established, expert, international consensus, with the director general of the World Health Organization (WHO) recently saying he had a "simple message" for all countries, "Test, test, test", adding "We cannot stop this pandemic if we do not know who is infected."
By testing, you can isolate the carriers and potential spreaders (a process known as ‘contact tracing’) and therefore confine the virus more precisely. For example, South Korea was experiencing what looked like an out-of-control situation, with terrifying, exponential growth and confirmed cases doubling every day. It has brought infection rates back to a manageable level, ‘flattening the curve’ of infections, albeit with over 350,000 people tested. By comparison, the UK has only tested 90,000 people so far.
This same need to actively detect infection is why, in the cyber security world, file integrity monitoring (and in particular its role in providing change control) is such a key security control. We have the advantage that our testing can be automated, run continuously in real time and cover every single device.
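To make the "automated, continuous testing" point concrete, here is an added example of the core of a file integrity monitor with a change-control reconciliation step. It is not code from the original post or from any product: it snapshots a directory as SHA-256 hashes, diffs a later snapshot against that baseline to find added, modified and deleted files, and then flags every change that is not covered by an approved change (the approved set and the sample files are constructed for the demonstration).

```python
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are handled."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Snapshot every regular file under root as {relative POSIX path: sha256}."""
    baseline: dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify drift between two snapshots into added, modified and deleted paths."""
    before, after = set(baseline), set(current)
    return {
        "added": sorted(after - before),
        "deleted": sorted(before - after),
        "modified": sorted(p for p in before & after if baseline[p] != current[p]),
    }


def reconcile(changes: dict[str, list[str]], approved: set[str]) -> list[str]:
    """Change control: any detected change not tied to an approved change is unplanned
    and is what an analyst should look at first."""
    return sorted(p for paths in changes.values() for p in paths if p not in approved)


def demo() -> dict:
    """Constructed scenario: take a baseline, apply one planned patch and several
    unplanned changes, then report what the monitor sees. Returns the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "app").write_bytes(b"app v1 (constructed)")
        (root / "etc" / "app.conf").write_text("debug=false\n")
        (root / "etc" / "motd").write_text("welcome\n")
        baseline = build_baseline(root)

        # Planned change, covered by a change ticket: patch the application binary.
        (root / "bin" / "app").write_bytes(b"app v2 (constructed)")
        # Unplanned changes: config flipped, unknown binary dropped, file removed.
        (root / "etc" / "app.conf").write_text("debug=true\n")
        (root / "bin" / "helper").write_bytes(b"unknown binary (constructed)")
        (root / "etc" / "motd").unlink()

        changes = compare(baseline, build_baseline(root))
        unplanned = reconcile(changes, approved={"bin/app"})  # hypothetical ticket scope
        return {"changes": changes, "unplanned": unplanned}


if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be stored off-host and the snapshot loop would run on a schedule or from filesystem events; the reconciliation step is what turns a pile of change alerts into a short list of changes nobody authorised, which is the signal worth isolating a device over.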
If you can detect breach activity early, if and when it does happen, then you can both isolate infected devices and stop the spread, which is precisely what didn’t happen fast enough when the WannaCry ransomware pandemic first hit back in 2017. Within 3 days it had spread to over 150 countries and affected over 230,000 computers.
Discovery of cyber security breaches still takes months, while the time to compromise and exfiltrate is typically minutes (see the Verizon Data Breach Investigations Report). So early breach detection remains the best way of minimizing the impact of an attack, and your best chance of limiting damage and bringing about an early recovery.
It’s a worrying time for all of us, but this was simply a way of drawing parallels between two vastly different, yet also very similar, virus scenarios, and in particular of discussing what works for both. For now there is only one priority, but once life returns to something approaching ‘normal’ for all of us, the hackers and cybercriminals will also be back to work. At that point we will be back to defending and detecting, hopefully with the right level of attention paid to integrity monitoring and change control. Stay safe!