Covid-19 Lessons for Cyber Security Leaders

As an IT Security professional, if you ask me which other profession IT Security most resembles, I would answer the military. I think that is because we feel like we are in a constant war against known and unknown threats, preparing for the worst with our red and blue teams (now purple as well), relying on intelligence feeds and planning each step in case of a breach of our well-designed defenses.

Other Security professionals might answer differently, as they see our job as more similar to that of medical professionals. This answer is not surprising, as we use medical terms in our day-to-day activities: virus, vaccine, hygiene, infection, containment, eradication, recovery, etc.

In Covid-19 times, it is hard for a Security professional not to relate the pandemic to the computer viruses we have to deal with every day.

By the way, computer viruses did not get this name by mistake. Below is a definition from the McAfee website:

A virus is a specific type of malware that self-replicates by inserting its code into other programs... Viruses spread by attaching themselves to legitimate files and programs, and are distributed through infected websites, flash drives, and emails. A victim activates a virus by opening the infected application or file. Once activated, a virus may delete or encrypt files, modify applications, or disable system functions.

The similarities between bio-viruses and computer viruses are pretty clear, so we might have some lessons to take from the Covid-19 outbreak, right? The answer is a big yes, and I believe this type of comparison can be useful to IT Security Leaders pitching for focus, priority and budget for their teams.

I have listed below some of my thoughts on this topic, and I would be glad to read yours in the comment section as well!


Security Incident Response Plan

During the Covid-19 outbreak, the importance of being ready to defend against a pandemic became clear. Unfortunately, it was also clear that many governments were not able to respond properly and take the necessary actions to minimize its impact.

In the technology field, adequate preparation is also key: since the 80s, computer viruses have shown they can travel the whole internet in a matter of minutes.

Lesson Learned: Every organization must have a well-defined, communicated, trained and tested Security Incident Response Plan, which will allow your organization to quickly identify, contain, eradicate and recover from the crisis with as little impact as possible.


Security Training

According to specialists, the Covid-19 virus is not as lethal as other known viruses and diseases we are used to. What is really different is its contagiousness and the speed at which it is able to spread among humans.

This means that regardless of how quickly new hospitals can be built or new vaccines developed, the first line of defense is people and how they behave. Not surprisingly, washing hands and self-isolating are actions that depend on each individual, not on the government.

Lesson Learned: Security Awareness is extremely important and applies to the entire organization, not only to the IT staff. Without help from everyone, a proper level of security will never be achieved.


Basic Hygiene

As mentioned above, washing hands is one of the most recommended actions to avoid getting infected with Covid-19, and it is one of the first basic hygiene habits we learn as kids.

Lesson Learned: Paying down technical debt and maintaining a healthy IT environment is key to keeping security at a desirable level. Basic activities such as keeping systems up to date, properly configured, inventoried, monitored, free of vulnerabilities and aligned with security best practices might be boring, but they are a must.


Protect against the Unknown

Covid-19 is a new virus, and even though many expected this situation would happen sooner or later, nobody could predict what the virus would look like, where it would come from and therefore how to create a vaccine for it.

In IT Security it is just the same. We are familiar with many threats, but there is no way to predict what tomorrow's next 0-day vulnerability will be. Regardless, we must be as prepared as we can.

Lesson Learned: There are specific technologies and services available to protect against unknown threats, and we must adopt them if we want to be secure. Just having signature-based security tools is no longer sufficient, and there is a myriad of solutions available, from threat intelligence services to Security Information and Event Management tools, which can correlate information, identify suspicious behavior and protect against it. Some security solutions leverage Machine Learning to learn a system's behavior and protect it when something different happens, automatically preventing unknown services and processes from executing or even isolating the system from the network.


Risk Management

Last but not least, how we deal with risk is maybe the most important takeaway from this article. The Covid-19 virus has proven to be a catastrophic incident for humanity, and in many places it is only starting.

During risk assessment exercises, it is common for professionals to ignore catastrophic scenarios because of their low probability. Events such as earthquakes, world wars or pandemics are classified as very unlikely and are therefore easily ignored or accepted during good times.

Lesson Learned: When performing Risk Assessments, remember that when you accept a risk just because its probability is very low, you might regret it in the future. Bad things happen, and when they do, you are expected to be prepared, not to make excuses.




Thiago P.

Information Security Specialist

4 years

Top
