What Do Cyber Threats and COVID-19 Responses Have In Common?

Cyberthreats are ever-present in each of our lives. They do not sleep; they don't get sick or take days off. Situations like the COVID-19 outbreak are a treasure trove for hackers everywhere, offering a plethora of opportunities for nation-state bad actors as well as your everyday cyber criminal.   

Global supply chains are in jeopardy because so much technology is manufactured in China.  The tech world can't avoid getting pulled into the Coronavirus either.  Google offices report workers came in and took monitors, other equipment, and even snacks to supplement the "work from home" mandate.  While people are likely more productive with their large monitors and other tech toys, you can bet this will result in some additional business continuity planning and risk management for companies in every business sector. Not to downplay what is happening, but there are some parallels in how we manage cyber threats, which may be useful going forward.

Can threats be contained? Quarantine is used to combat cyber threats, and it was one of the first moves by the People's Republic of China in the city of Wuhan on January 23rd in an attempt to contain the spread of COVID-19. In the most simplistic terms: nothing leaves, and consequently, the threat is contained. The reality is that containment is rarely, if ever, perfect, and quarantines leak, so the virus spreads anyway. With the Coronavirus, the process repeated itself with a cruise ship in Tokyo, where passengers were released even though they were still infected.

I am not suggesting a wholesale change in how we look at cybersecurity. In the cyber world, the only way to contain is to disconnect systems from the internet, and from each other, and then to eradicate the virus on each system and put protective measures in place before reconnecting. All cyber professionals know that a wholesale quarantine will not stop every leak, because companies cease to operate with zero connectivity. The same holds true for human beings. Like firewalls, the containment controls being put in place are about managing the threat. Managing can mean reducing the attack surface or gathering more data about the extent, acceleration, and characteristics of the threat. What containment really does is buy some time, allow us to prepare defenses, and test our assumptions. In cybersecurity, we know leaks will occur, and we plan for those situations. Containment is a single tool in our toolbox, so we always use a layered, multi-pronged approach to security and incident response.

Pandemic containment is a series of different tactics, each applied in distinct ways. For instance, the isolation of people who are infected is similar to our use of anti-malware and bot detection to quarantine specific systems. Geographic quarantines are comparable to network segmentation with firewalls. Log monitoring corresponds to the tracing of contact between individuals to determine whether, and how far, the infection has spread and manifested itself. To identify and contain new threats and variants, we inspect network traffic and leverage decryption tools to filter out perceived threats, which is similar to the travel restrictions and checkpoints currently being imposed. Even with all these tools and many others in our arsenal, we know they rarely work seamlessly.

In cyber incident response, just like a pandemic, mere seconds can make all the difference in the final outcome. Containment can help, but it doesn't tell the whole story.  Being prepared requires a more in-depth analysis to gain more insight into future threats and potential target assets.  We conduct tabletop exercises, penetration testing, and, ultimately, disaster recovery planning to be best prepared for the time when everything goes crazy in a second.

In certain circumstances, people are overly afraid of a particular threat, but panic is not helpful in these situations. Part of a preparedness plan is making sure decision-makers are informed about potential threats and expected outcomes, but this takes time. When we are in a crisis, time is the most constrained resource, which leads to incomplete or incorrect information and misconceptions. Often, stories in the media create unnecessary fear and a mob mentality, and distract from the ultimate goal, which is to help leaders make wise decisions.

Just as we do in response to cyber breaches, we should focus energy on the issues which present the most significant risk. People should exercise an appropriate level of caution, but it needs to equal the level of risk.  We should heed advice from the World Health Organization: "This is a time for facts, not fear."

For those now relegated to working from home for the foreseeable future, it is a time to exercise caution. Given the challenges in securing work-from-home and learn-from-home environments, the expanded attack surface presents an attractive opportunity for attackers. From unencrypted wireless networks, to new strains of malware or RATs (remote access trojans) that take screenshots, deposit keyloggers, or download files, to phishing scams built around COVID-19 or personal details, we should all be mindful.

As cybersecurity professionals, we continuously see those who are either too afraid or have the mentality that it simply won't happen to them. To mitigate risk, the key is to have a realistic picture: assessing the value of assets and quantifying the damages and their probability as clearly as possible in business terms. For cyber professionals chartered with obtaining buy-in for programs to defend, protect, and triage, it is essential to consider all the risks company executives and board members must manage.

Cybersecurity is paramount to business operations and sustainability, but top executives must consider many other risks to the business as well: regulatory changes, advances in technology, competitors, recession, and the global economy, to name a few.

Sometimes we become too focused on our own environment and must step back to prioritize. An example might be a hacker or malware spreading through an organization, in which we sacrifice a handful of systems in order to remediate the issue on critical ones and harden the rest. Set realistic objectives about where to expend effort and what to save while minimizing total damage, and provide clear, data-driven communication to key decision-makers.

Learning how to balance getting hacked against the multitude of risks executives face is challenging.  Only a few have a clear understanding of their business, the real attack surface, and associated potential cyber threats.  If you can step into their shoes for a moment, define the critical areas of business vulnerability, and convey that information to the executive team in terms of business impact and probability, you can make a significant and lasting impact on the business, and on your career.


Ken Newman

Corporate Event Producer / Emcee / Singer-Songwriter / Magician / Homeless Advocate / Sleeps Occasionally

2 years

Joy, thanks for sharing!
