During my travels, I have met cybersecurity experts from a variety of backgrounds. That’s not too surprising – it’s a relatively new profession that has only recently been taught in universities, and it takes ten years of on-the-job training to become an expert. Most seasoned cybersecurity veterans come from some other industry. I moved into cybersecurity from epidemiology, studying how diseases spread. There are some surprising and interesting similarities between cybersecurity and epidemiology – starting from the point where most people really don’t want to talk to you about the confusing stuff you spend your time on. when they face a real crisis and suddenly demand answers!
The coronavirus is a prime example of crisis attention directed to a neglected area. Usually, we fly around visiting busy places, shake hands, and often behave as if the outside world isn’t out there to approach us. But the publicity surrounding the coronavirus has suddenly brought people to attention, buying sanitizer, stocking up on groceries and, above all, washing their hands. I’m writing this on an empty plane. I’ve seen students use slams instead of shaking hands, learned from a half-joking video online by people in Wuhan. But we know this attention won’t last.
This spike in awareness and ultimately decline is familiar to cybersecurity professionals. Our recommendations and policies – such as not clicking on unknown links – are just as difficult for most people to accept on a daily basis as are epidemiologists’ advice on hand washing and avoiding touch your face. Raising awareness of the dangers from bacteria will change behavior for a while. But you don’t have to be clairvoyant to predict a future where people will gradually return to attending sporting events, boarding cruise ships, and in the process increasing the attack surface of viruses. bacteria. We’re not surprised that security awareness training only seems to be beneficial for a while, so we keep repeating it.
The importance of basic knowledge
Of all the epidemiologists’ advice around the coronavirus, the point that gets repeated most often is the simplest: wash your hands. Do it a lot. Well done. Use soap. This is probably not what most people expect. Between Hollywood’s disaster movies and most people’s wild imaginations, I think most people expect something complex and technical, like “taking a new breakthrough drug.” this with a long name full of x and z”.
The mundane nature of the best defense against Covid-19 – simply washing your hands – is a reminder that the basics are still our most important line of defense. Bacteria are subject to the laws of biology – they cannot teleport from person to person, they need a way to move between two people, and at least for airborne pathogens, it creates out a chain that we can break with something much less expensive than a virus. medicine.
In the security business, it’s also easy to fall for the promise of a super drug – “my novel AI system is so advanced it will figure out an attacker’s intentions before they even know it. So they’re chasing you”, etc. on. It sounds good, except that it’s impractical, nor your best line of defense even if it works. Your best line of defense is boring old security fundamentals – just like how washing your hands can fend off the dreaded new contagion. It starts with knowing what you have, then seeing how it’s configured, and finally seeing how all the pieces interact with each other. Epidemiologists follow the same basics – what is the susceptible group, how strong are their defenses, and what is the path of attack?
Understanding your online inventory shouldn’t be a challenge, and everyone in the real world should be prepared for emergencies. But preparation takes time and attention – interestingly, attention has become our most precious commodity. Every company I visit has some sort of inventory program, and not a single security team I’ve come across believes it’s complete and reliable. Sadly, in my work, I end up proving them right – it’s not just professional paranoia, inventory is actually full of holes and faulty data. After that, are there any questions when the breach continues successfully? Attackers thrive in places we can’t see, in the same way that bacteria cling to wherever we don’t spray disinfectant. The current strain of coronavirus may be new, but it still exploits the same attack vectors that humans have since prehistoric times – making a victim cough and depending on poor hygiene to infect others. next person. Modern humans have the ability to prevent these diseases, because we have hot water and soap, but they are only effective if we actually use them.
Between my previous training as an epidemiologist and my current work in cybersecurity, I figured I should be a pessimist – a dysfunctional germ-fear. and despise all things networked. But honestly, I’ve become a more optimistic person (albeit with a good sense of how grateful we should be, given the fragile nature of the world we live in). I believe the coronavirus shock will leave a positive legacy when it peaks, if only in the thought that it makes people think about washing their hands. And as we know from security awareness training, most people can change their online behavior, at least for a while. But we still need to be prepared – map out your stuff, check for basic violations, then move on to thinking about lateral movement, the way epidemiologists try to predict where corona virus will go next. And above all, people, wash your hands.
Dr. Mike Lloyd, CTO, Red seal (opens in a new tab)