What Can COVID-19 Teach Us About Preventing a Security Pandemic?


The unmistakable parallels between coronavirus response and your company’s cybersecurity

May 1, 2020 • Published by


If there are two things that the outbreak of the COVID-19 disease has reminded us of as a society, they are that we live in a world alongside invisible enemies like the SARS-CoV-2 virus, and that we can defeat these threats with certain precautions.

This shouldn’t come as a surprise, and yet when you consider some of our customs, it seems we weren’t really acting like we knew this, right? I mean, if we had genuinely appreciated the danger to the most sensitive among us, we would have been washing our hands for 20 seconds at a time all along, adding fashionable facemasks into our daily wardrobe, and why all the handshaking when a friendly wave or pat on the back could serve just as well?

We find ourselves in the middle of a coronavirus pandemic right now; but have you considered that we’ve been in the midst of a cybercrime pandemic for decades? And yet, just like our culture compels us to continue shaking hands with presumed immunity, many company cultures approach security with seeming impunity, subconsciously aware that invisible adversaries—like invisible viruses—exist, but ignoring the threat until it’s too late.

Fortunately, we can learn a lot from the same protective measures that are working to defeat this insidious coronavirus enemy. The parallels are striking between the social and professional measures that are swiftly becoming business-as-usual, and the security measures that should have been business-as-usual all along. Now may be the perfect time to remind ourselves of a few.

Social Distancing and Segmentation. Isolation is the single most effective way to prevent the bad stuff from getting to the important stuff. As our scientific experts remind us, keeping our families safe within the walls of our home is currently the best way to stop the spread of this disease. And as security experts remind us, separating systems via firewalls, VLANs, or other forms of network isolation goes a long way toward preventing access by attackers. With myself, my wife, and our three children, we have five people under one roof, which means the potential impact of an infection spreading within our home is greater than for a family of two—but not nearly as large as for a big social gathering. Similarly, smaller groupings of servers, based on common services and access privileges, are ideal for effective segmentation wherever possible: the fewer systems that share a segment, the less an attacker can reach from any one of them.

Essential Businesses and Essential Ports. Of course, it is infeasible to disconnect ourselves entirely from the world. During the height of the COVID-19 epidemic, many countries restricted external activity to only essential businesses. For networked systems, this is attainable on an ongoing basis by only installing approved applications, and restricting access to external-facing systems to specific authorized ports and services. This limits the number of possible entry or exploitation points, and allows administrators to focus their efforts, limiting the attack surface on exposed networks.

Wash Your Hands and WSUS Your Servers. We should all be doing our part to make sure our hands are free from the invisible gunk with which they will inevitably come in contact. If not, these germs will wait patiently on the skin before making their way into the nose, eyes, and sinuses. This is just like the attacker that relies on unpatched vulnerable systems for the opportunity to move laterally into sensitive systems that sit behind a corporate firewall. Developing a program in which vulnerabilities in operating systems, software, and custom application code are identified and patched on a regular basis is akin to developing a habit of consistent hand washing. Also, you should stop touching your face. No analogy there, just a reminder. 😊

PPE and EPP. What if a virus does make its way to the nose, either through the air or by contact? Personal protective equipment (PPE), such as masks and respirators, forms the final line of defense against infection. Just like PPE, EPP (endpoint protection) provides an important barrier when all else fails, and exists as the last line of defense to block an attacker from compromising a server or workstation.

Vaccines and Antivirus. We continue to pray that research into a COVID-19 vaccine is both swift and effective. Just as an immunization is designed to help our immune system improve its knowledge of threats by recognizing the antigen and neutralizing it, so too is antivirus (also called antimalware) software an important part of the computer’s immune response system. While I’m certainly not the first to make this comparison (there is a reason it’s called antivirus, after all), it is worth noting that this software is only effective if it’s turned on, up-to-date, and cannot be disabled. Early indications are that COVID-19 has been more harmful to those who are immunocompromised, or where medications suppress the body’s natural response. Be sure your antimalware software is always running, and always has the latest inoculation boosters (updates and signatures) to effectively fight the latest threats.

Learning and Logging. With three children and myself in school (one in high school, two in college, and one in a doctoral program), our household has been learning how to navigate the new reality of schooling from home—and our teachers are certainly learning as well! This area seems to be a significant challenge for many schools: taking attendance, recording homework, monitoring test-taking, and engaging remote learners so they are at their best. This required accountability is comparable to the challenges of logging and monitoring systems to ensure they are safe and ready for action. Students, like software, should record their critical activities to remote systems, so that these logs can be collected, correlated, and reviewed for indications of concern.

Older Software and Older Populations. The lifeblood of our society is the most seasoned among us, and the lifeblood of many organizations is the stalwart systems that drive their legacy applications. However, these are also the most vulnerable. This coronavirus has stolen far too many of our elders, and many of the sacrifices we have made are designed to protect our respected older generations. Similarly, greater protections are required for legacy systems, as these platforms are well-known to bad actors, and may no longer be receiving important patches from their vendors. Migration is recommended wherever possible, but if this is not feasible, additional security controls and monitoring are vital to keep any such systems safe from attack.

Doctors and Diagnostics. Even during times of quarantine, we are not immune from illness or injury, and we may need the assistance of a physician. My wife and I have been watching our kids like hawks over the past month, as a trip to the ER could lead to a worst-case scenario! I needed a routine medication refill last month, but instead of exposing myself by venturing to the doctor’s office, I was able to video chat with him from an app on my smartphone. Similarly, when systems require attention from a remote administrator, we must use caution to prevent attacks through these exposed channels. Remote admins should be authorized, connect from pristine systems, and always authenticate using multi-factor authentication.

Infection and Incident Response. In the unfortunate event that the virus affects you or the ones you love, it pays to act quickly. Know the most common symptoms (fever, dry cough, aching, and fatigue) and contact a health professional immediately. Similarly, your security operations team should be well-versed in common threats and indicators of compromise. Upon detection, your incident response team should promptly triage and isolate the affected system(s), working quickly to prevent contamination of any forensic evidence.

Fortunately, our health community is working hard to protect us during this crisis. And we know that you are working hard to protect your business. Learn more about stopping cybercriminals in their tracks by subscribing to this blog!