Cybersecurity lessons from a pandemic
We often hear the phrase, “layers, layers, and more layers”. The reality, as I have written before, is that not all layers are created equal and some do more harm than good. An example of this is a policy without enforcement. A policy is only as good as your ability to enforce it. This is really no different than today’s mandate of masks. The idea is that we wear a mask not because we are sick but because we may not know that we are sick.
Are you familiar with the concept of Zero Trust? In cybersecurity, Zero Trust does not mean we don’t trust users but that we do not assume trust. It is similar to “trust but verify”: at every point where a risk can be mitigated, we do what is reasonable to mitigate it. From a convenience standpoint, it is simply not convenient; there are no two ways about it. All else being equal, security is less convenient than insecurity. That statement is true until shit hits the fan.
I have been using a catchphrase I coined: when asked what my responsibilities are, I say “when shit hits the fan, I’m the guy that cleans the fan”. This actually runs deeper. When shit hits the fan, the priority is cleaning the proverbial fan first, because that is what is spreading the mess. Only then can we move on to cleaning the mess that already exists.
When we compare Covid to security, we need to make some base assumptions. For my example, Covid is analogous to the exploit, being used by nature rather than an attacker. The respective governments are analogous to the corporations defending against an attack. The epidemiologists are the security executives. The hospital staff are the incident response teams. Virus researchers are security researchers. Lockdowns of a specific country, city, or state are the proverbial IP blacklisting. Closing the borders to all travel inbound and outbound is IP whitelisting. Social distancing is like a password, often the only line of defense. Lastly, masks are MFA (multi-factor authentication) and we are all expected to use them.
Seeing Covid as the attacker is easy, but actually, it’s more analogous to malware. The attacker has a goal and uses tools to accomplish it. Malware is a tool. It doesn’t have an inherent desire to cause us harm; similarly, Covid is just a mindless thing that can be used to exploit our vulnerabilities. In this case, the vulnerability exists in the cells of our lungs and nasal passages. To enter the cell, the virus uses a spike protein, which is designed to fit into a particular slot. As with all attack vectors, the virus must either bypass authentication or forge it. This is how computer exploits work: a mistake in computer code creates a vulnerability. Once exploited, this allows an attacker to do something that the system was not intended to do. Once inside the cell, the virus does what a hacker would