COVID-19 has presented a visceral, public, and clear lesson in risk management and response. This got me thinking about how our responses to the pandemic can inform our responses to cyber risk. What can we learn from our successes and mistakes to reduce the likelihood of a breach?
As someone who has spent years in the cybersecurity space, it was easy to apply this thinking to what was happening around us. Experts saw an outbreak of a deadly virus and began assessing the risk and modelling the threat using available data. Others began advancing their detective controls to find and track the danger and then formulate their preventive controls.
Anthony Israel-Davis is Senior Manager R&D at Tripwire.
The response looks a lot like defense-in-depth, a collection of controls layered together to reduce vulnerability and protect against potential harm. Despite the effort, there was still a breach, which means we have lessons to learn in pandemic response and those lessons can inform how we approach cyber defense as well.
In early January 2020, the World Health Organization (WHO) issued its first situation report for COVID-19. Even in the virus’s beginning stages, the organization recognized the threat and began assessing the risk to formulate a response.
Each of the WHO’s preventative actions translates into an approach to a digital threat rather than a physical one. Surveillance, epidemiology, and diagnostics could be categorized as monitoring and detection. Limiting transmission requires preventive controls, and infection (breach) requires containment and remediation or restoration.
Ideally, a risk assessment occurs prior to a breach, and as an emerging threat is recognized, evaluating an entity’s susceptibility to the threat is critical for reducing or eliminating the exploitability of system vulnerabilities.
The complexity of tackling an emerging pandemic is as challenging as defending against the digital attacks that threaten enterprises today. Over a decade of Verizon DBIRs have shown that we still have a significant way to go in preventing breaches of our cyber infrastructure.
There are three areas that inform how we improve our information security: threat modelling and analysis, vulnerability assessment, and risk responses.
Threat modeling and analysis
Discovering weaknesses before they are exploited and exploring potential harm to a system aids us in developing defenses and responses to that harm.
In the case of COVID-19, the most important thing to protect is people’s safety. Using previous knowledge of coronaviruses, scientists could create initial scenarios, or models, based on assumed transmission rate and vectors, population mobility, and any defenses in place.
In any threat model, physical safety is the top concern, and increasingly, cybersecurity is needed to protect physical assets as well as digital ones. Cyber-attacks have shut down fuel pipelines and almost poisoned a city’s water supply. Industrial cybersecurity is grabbing headlines now, and critical infrastructure must continue to advance its cybersecurity posture. Threat modeling that once focused on the physical plant must now also include potential attacks leveraging operational and information technology and consider supply chains for digital technology and vendors.
Even though most cyber attacks do not directly impact people’s physical safety, breaches can cause financial or privacy concerns, as well as significant disruption to business. Whether controlling a pandemic or securing physical infrastructure, the process of understanding assets, boundaries, and attack vectors informs defenses and responses to threats. Regular threat modeling exercises, especially when change is introduced into a system, can create a process for continually improving defenses and reducing risk.
Defenses are put in place to mitigate damage. When looking at “Vulnerability”, another word for weakness, it’s important to ask, “How vulnerable are we?” This framing goes beyond whether a weakness exists (it almost always does) to whether a weakness can be exploited, as well as how easy it is for that exploit to cause harm.
Looking at COVID-19, a threat assessment occurs at multiple levels. The immediate assessment begins at the individual level. Who is most susceptible to contracting the virus? Who will be most impacted? What are the transmission vectors?
Applying this example to the digital realm, the assessment process starts with identifying the vulnerabilities in the system. Rather than age or a specific malady, we look at applications or software and their versions, ports and protocols, or configuration settings. Those are tested against known exploits for susceptibility and impact. For instance, if an attacker needs physical access to a machine to take advantage of a weakness, that may inform whether it is considered a higher or lower risk depending on where that machine is located and who has access to it.
The lesson here is one of both complexity and response. A complex IT environment will increase the difficulty of assessing and managing vulnerabilities. In an environment like this, it is critical to prioritize response based on risk, as it will be impossible to address every vulnerability that arises.
When confronting a known or anticipated risk, it’s important to examine the type of risk, risk tolerance or appetite, likelihood of exploit, and impact of the threat.
Risk type can be categorized in multiple ways, such as physical harm to people or property, financial loss, or damage to reputation. Risk is often not one-dimensional: when confronting COVID-19, nations rightly look at the physical risk to people but also consider economic and political impacts.
Risk tolerance is a spectrum that indicates how much risk one is willing to take. Having a high risk tolerance means one is prepared to take on significant loss or damage in the pursuit of a high reward. Low tolerance is associated with a steadier approach, often a smaller gain and lower loss.
When it comes to cybersecurity, balancing the need to conduct business with protecting the enterprise informs risk tolerance. The industry, type of assets in the enterprise, and available budget are all factors that play into cyber risk tolerance. The important thing is to understand what your risk tolerance is, what areas are critical to protect, and what areas may have less scrutiny. With limited budgets, people, and time, risk tolerance provides a means for protecting what is most important to your enterprise.
What do the responses to the pandemic teach us about cybersecurity? The threats of a cyberattack and breach remain as real and prevalent as ever. How we respond to those risks will be determined by how well we’ve identified and analyzed them. Is an outdated operating system or application in our environment highly vulnerable to exploitation? Upgrading or removing the system eliminates the risk. Maybe that isn’t an option for some reason, so what can we do to limit the likelihood or impact of the risk (mitigation)? Just as nations determine what approach they are going to take to COVID-19, so must an organization consider the costs and benefits of dealing with cyber risk.
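The prioritization described above, from assessing a weakness by likelihood and impact through risk tolerance to a response, can be sketched as follows. This is an added example, not part of the original article; the 1-5 scales, the tolerance values, the physical-access adjustment, the "accept" outcome and all asset names are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed tolerance per risk type: the highest score (1-25) left unaddressed.
# Physical harm gets the lowest tolerance, as safety is the top concern.
TOLERANCE = {"physical": 4, "financial": 9, "reputation": 12}

@dataclass
class Finding:
    asset: str                   # constructed asset name
    weakness: str
    risk_type: str               # key into TOLERANCE
    likelihood: int              # 1-5, assessed chance of exploitation
    impact: int                  # 1-5, harm if exploited
    needs_physical_access: bool
    restricted_location: bool    # few people can reach the machine
    can_upgrade_or_remove: bool

def score(f: Finding) -> int:
    likelihood = f.likelihood
    # A weakness that needs physical access is less likely to be exploited
    # when the machine sits where few people can reach it (assumed -2).
    if f.needs_physical_access and f.restricted_location:
        likelihood = max(1, likelihood - 2)
    return likelihood * f.impact

def response(f: Finding) -> str:
    if score(f) <= TOLERANCE[f.risk_type]:
        return "accept"          # within tolerance: less scrutiny
    # Upgrading or removing eliminates the risk; otherwise limit it.
    return "eliminate" if f.can_upgrade_or_remove else "mitigate"

def prioritize(findings):
    # Rank by how far each finding exceeds the tolerance for its risk type.
    ranked = sorted(findings, reverse=True,
                    key=lambda f: score(f) - TOLERANCE[f.risk_type])
    return [(f.asset, score(f), response(f)) for f in ranked]

# Constructed sample inventory, not data from the article.
FINDINGS = [
    Finding("dc-console", "USB boot enabled", "financial", 4, 4, True, True, True),
    Finding("lobby-kiosk", "USB boot enabled", "reputation", 4, 4, True, False, True),
    Finding("web-shop", "outdated application", "financial", 4, 4, False, False, True),
    Finding("plant-hmi-01", "outdated operating system", "physical", 3, 5, False, True, False),
]

if __name__ == "__main__":
    for row in prioritize(FINDINGS):
        print(row)
```

The same weakness lands at opposite ends of the list depending on where the machine sits, and the system that cannot be upgraded ranks first because its risk type has the lowest tolerance.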