As I prowl Covid vaccine sites for an available appointment and negotiate restrictions to avoid compromising my health and that of others, parallels with cybersecurity guidelines come to mind. (Of course, my family would say I’d find cybersecurity parallels even if downhill skiing or hiking mountain trails. Oh wait! I’ve already written those pieces.) There are some obvious similarities around social behavior and reducing contamination, but there are also similar ones around threat detection and even advanced persistent threat recovery. What physical hygiene practices learned through the Covid-19 experience can be applied to information hygiene?
Social Behavior. Maintaining a safe distance from others has become second nature, so much so that watching old (pre-2020) movies with party scenes is deeply disturbing. We can maintain safe distance in the digital world by not sharing passwords, controlling access privileges to proprietary information or devices, segregating corporate wireless traffic from casual wireless traffic (e.g., by putting staff video or music streaming and internet surfing on a guest network), and by segmenting or layering networks through the use of gateway devices (e.g., routers, firewalls) with clearly defined rules about what kind of traffic or software is allowed (i.e., an allowlist, or whitelist, where anything not listed is denied by default) or what kind is blocked (a blocklist, or blacklist, where anything not listed gets through).
Forming a social pod is another technique that Covid has led many to practice. A social pod is trusted because of the mutual assumption that other members of the pod share common standards of hygiene. The digital equivalent would be to restrict equipment purchases to those obtained from approved manufacturers, trust (but always verify) your regular online correspondents, only visit known websites. This will not guarantee that trust is justified—the ratio of spoofed or look-alike websites to legitimate ones is about 20:1—but this approach does reduce the unknowns and also makes it easier to identify where contamination came from, if needed.
Contamination Reduction. Wearing masks lowers the risk of passing along virus particles unwittingly and the risk of receiving them. If two masks are better than one against Covid-19 contamination, would three be even more effective? Possibly. Certainly in the digital world using more than one strain of anti-virus software can fill in signature “gaps” through which a virus could pass undetected, provided the engines sit at different layers (say, one at the mail gateway and one on the endpoint); two real-time scanners on the same host tend to fight each other rather than complement each other. Other ways of avoiding digital contamination include restricting the downloading of untested software, not inserting portable media of uncertain origin into your computing device, and not revealing too much personal information. The latter is a pet peeve because software and hardware providers tend to front-load programs and devices with extra features rather than taking a more minimalist approach. Performing a privacy audit to restrict geo-location services, turn off automatic activation of always-listening surveillance functions (yes, that means Siri), and limit a vendor’s rights over the contents of your documents is worthwhile. Periodically clearing out your cookie cache is not only a good cyber hygiene step (it sheds the tracking identifiers that follow you from site to site) but can also improve your browser’s performance.
Disinfecting contact surfaces (e.g., washing hands, wiping down counters and writing instruments) helps limit the potential for virus particles to work their way into our bodies. In like manner, setting filtering mechanisms to eliminate suspicious email traffic (whether incoming or outgoing) can keep staff inboxes “cleaner” and reduce network congestion from spam or phishing attempts. Contact surfaces need to be wiped regularly. In the digital world, that can be equated to scanning system activity logs for anomalous behavior: numerous failed login attempts from one source, messages from unfamiliar sender domains, access to restricted files by staff who do not have a job-related “need to know.”
Threat Detection and Advanced Persistent Threat Recovery. Detecting threats in a timely way is both art and science. During the first few months of Covid alerts, I took my temperature multiple times a day. Apple Watch apps that track subtle changes in an individual’s heartbeat have been suggested as another possibility. On a recent vacation, I was required to take four Covid tests in one week and respond to a daily survey from the Bahamian government as a contact tracing tactic. But as with health condition awareness, persistent vigilance is imperative. From a digital perspective, even painfully expensive installations of security information and event management (SIEM) technology will not assure complete situational awareness. As mentioned before, understanding what anomalous behavior looks like presupposes understanding what normal behavior looks like. This is where engaging staff as “early detection” system elements can be useful. Rather than relying solely on automated alerts, human alerts can pick up on unexpected behavior that an expensive tool isn’t programmed to recognize.
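As an added example (not code from the original article), here is a small Python script that does the log review the two preceding paragraphs describe: it flags bursts of failed logins from one source, sender domains that never appeared in a known-good baseline window (the “know what normal looks like first” point), and file access by staff outside a path’s need-to-know list. The log lines, the 203.0.113.9 address, the `.example` domains, and the `NEED_TO_KNOW` map are all constructed for illustration.

```python
"""Added example: three simple anomaly checks over constructed sample logs."""
import re
from collections import Counter

# --- Constructed sample data (not real logs) ---------------------------------
# sshd-style authentication log; 203.0.113.0/24 is a documentation range.
AUTH_LOG = """\
Mar 01 09:00:01 host sshd[101]: Accepted password for alice from 10.0.0.5 port 5000 ssh2
Mar 01 09:00:07 host sshd[102]: Failed password for bob from 203.0.113.9 port 5001 ssh2
Mar 01 09:00:09 host sshd[103]: Failed password for bob from 203.0.113.9 port 5002 ssh2
Mar 01 09:00:11 host sshd[104]: Failed password for root from 203.0.113.9 port 5003 ssh2
Mar 01 09:00:13 host sshd[105]: Failed password for admin from 203.0.113.9 port 5004 ssh2
Mar 01 09:00:15 host sshd[106]: Failed password for bob from 203.0.113.9 port 5005 ssh2
Mar 01 09:02:00 host sshd[107]: Failed password for carol from 10.0.0.7 port 5006 ssh2
Mar 01 09:02:30 host sshd[108]: Accepted password for carol from 10.0.0.7 port 5007 ssh2
"""

# Mail log: a known-good baseline window, then the window under review.
MAIL_BASELINE = """\
from=<invoices@supplier.example> to=<alice@corp.example>
from=<hr@corp.example> to=<bob@corp.example>
from=<news@supplier.example> to=<carol@corp.example>
"""
MAIL_REVIEW = """\
from=<hr@corp.example> to=<alice@corp.example>
from=<billing@supp1ier.example> to=<alice@corp.example>
from=<invoices@supplier.example> to=<bob@corp.example>
"""

# File access audit trail and a hypothetical need-to-know map (prefix -> users).
ACCESS_LOG = """\
user=alice path=/finance/payroll.xlsx action=read
user=bob path=/eng/design.md action=read
user=bob path=/finance/payroll.xlsx action=read
user=carol path=/hr/reviews.docx action=write
"""
NEED_TO_KNOW = {
    "/finance/": {"alice"},
    "/hr/": {"carol"},
    "/eng/": {"bob", "carol"},
}

FAILED_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<ip>\S+)")
FROM_RE = re.compile(r"from=<[^@>]+@(?P<domain>[^>]+)>")
ACCESS_RE = re.compile(r"user=(?P<user>\S+) path=(?P<path>\S+)")


def failed_login_bursts(auth_log, threshold=5):
    """Return {ip: count} for sources with at least `threshold` failed logins.
    Counting per source (not per account) also catches password spraying,
    where one source tries one guess against many accounts."""
    matches = filter(None, map(FAILED_RE.search, auth_log.splitlines()))
    counts = Counter(m.group("ip") for m in matches)
    return {ip: n for ip, n in counts.items() if n >= threshold}


def unfamiliar_sender_domains(baseline_log, review_log):
    """Learn the sender domains seen in a known-good window, then return the
    domains in the review window that were never seen before (sorted)."""
    def domains(log):
        return {m.group("domain") for m in filter(None, map(FROM_RE.search, log.splitlines()))}
    return sorted(domains(review_log) - domains(baseline_log))


def need_to_know_violations(access_log, acl):
    """Return (user, path) pairs where the path is under a restricted prefix
    and the user is not on that prefix's need-to-know list."""
    hits = []
    for m in filter(None, map(ACCESS_RE.search, access_log.splitlines())):
        user, path = m.group("user"), m.group("path")
        for prefix, allowed in acl.items():
            if path.startswith(prefix) and user not in allowed:
                hits.append((user, path))
    return hits


if __name__ == "__main__":
    print("failed-login bursts:", failed_login_bursts(AUTH_LOG))
    print("unfamiliar sender domains:", unfamiliar_sender_domains(MAIL_BASELINE, MAIL_REVIEW))
    print("need-to-know violations:", need_to_know_violations(ACCESS_LOG, NEED_TO_KNOW))
```

Two things worth noticing. The look-alike domain `supp1ier.example` only stands out because a baseline of normal senders was built first; without that baseline there is nothing to compare against, which is the point about normal behavior above. And the thresholds and lists here are deliberately simple: a real review would also window the failed logins in time and pull the need-to-know map from the actual access-control system rather than a hand-written dictionary.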
Advanced persistent threat recovery seems to be where we are now with respect to the Covid-19 vaccine(s). We know already that the virus is mutating, and we do not know with confidence what level of protection either these vaccines or the antibodies of Covid survivors will deliver against the new strains, nor how long that protection will last. The vaccines are effective within the boundaries of our current knowledge, which means we also need to find ways of strengthening our immune systems so that recovery from a compromise is possible. Similarly, advanced persistent threats (APTs) rely on insidious, often undetected, background activity that is frequently controlled by adversarial nation-state actors. The December 2020 revelation of the SolarWinds software compromise is one such instance. In that case, foreign digital “agents” were embedded deep in the systems of multiple US Government agencies (e.g., the Departments of Commerce, Energy, Justice and Treasury) as well as private companies. And although deeply embedded, security expert Brian Krebs described the compromised SolarWinds software (the malware rode in a product update that went out to some 18,000 organizations around the world roughly nine months before the problem was detected) as hiding in plain sight.
The US Department of Defense has signaled its concerns about APTs by emphasizing the need for vigilance in its rollout of the Cybersecurity Maturity Model Certification (CMMC) program. On 2 February 2021 NIST announced the release of NIST SP 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST SP 800-171, a set of enhanced security requirements designed to counter the efforts of state-sponsored hackers. NIST SP 800-172 complements NIST SP 800-171, which is also aimed at protecting controlled unclassified information (CUI) in nonfederal systems.
“Cyberattacks are conducted with silent weapons, and in some situations those weapons are undetectable,” said Ron Ross, a computer scientist and a NIST fellow. “Because you may not ‘feel’ the direct effects of the next hack yet, you may think it is coming someday down the road; but in reality, it’s happening right now.”
It’s something like living through a pandemic. Be healthy!