We often hear the phrase, "layers, layers, and more layers". The reality, as I have written before, is that not all layers are created equal and some do more harm than good. An example of this is a policy without enforcement. A policy is only as good as your ability to enforce it. This is really no different than today's mandate of masks. The idea is that we wear a mask not because we are sick but because we may not know that we are sick.
Are you familiar with the concept Zero Trust?
In Cybersecurity, Zero Trust does not mean we don't trust users but that we do not assume trust. It is similar to "trust but verify", at every point where a risk can be mitigated we do what is reasonable to mitigate it. From a convenience standpoint, it is simply not convenient, there are no two ways about it. All else being equal, security is less convenient than insecurity. That statement is true until shit hits the fan.
"when shit hits the fan, I'm the guy that cleans the fan"
I have been using a catchphrase I coined when asked what my responsibilities are I say "when shit hits the fan, I'm the guy that cleans the fan". This actually runs deeper. When shit hits the fan, the priority is cleaning the proverbial fan first, because that is what is spreading the mess. Only then can we move on to cleaning the mess that already exists.
When we compare Covid to security, we need to make some base assumptions. For my example, Covid is analogous to the exploit, being used by nature rather than an attacker. The respective governments are analogous to the corporations defending from an attack. The epidemiologists are the security executives. The hospital staff are the incident response teams. Virus researchers are security researchers. Lockdowns of a specific country, city, state are the proverbial IP blacklisting. Closing the borders to all travel inbound and outbound is IP whitelisting. Social distancing is like a password, often the only line of defense. Lastly, masks are MFA (multi-factor authentication) and we are all expected to use them.
Malware is a tool. It doesn't have an inherent desire to cause us harm
Seeing Covid as the attacker is easy, but actually, it's more analogous to malware. The attacker has a goal and uses tools to accomplish it. Malware is a tool. It doesn't have an inherent desire to cause us harm, similarly, Covid is just a mindless thing that can be used to exploit our vulnerabilities. In this case, the vulnerability exists in the cells of our lungs and nasal passages.
To enter the cell the virus uses a spike protein, the spike protein is designed to fit into a particular slot. As with all attack vectors the virus must either bypass authentication or forge it. This is how computer exploits work, a mistake in computer code creates a vulnerability. Once exploited, this allows an attacker to do something that the system was not intended to do. Once inside the cell, the virus does what a hacker would use malware to do. Take control of the systems and turn the system against itself. Ultimately making more malware and spreading it to the contacts of the infected.
A good incident response must start with identifying and closing the attack vector
While all of this is happening, hospital staff are fighting to bring the infection under control, hence the incident response, but they are missing a critical piece. In IT security, a good incident response must start with identifying and closing the attack vector. In this case, rather than performing a global incident response, the hospital staff are forced to perform a "per person" incident response which takes infinitely more time and resources. This would be akin to treating a ransomware attack at a large company by reinstalling one PC at a time. Even if you found the point of origin and closed that gateway you still can't rebuild hundreds of machines manually.
To prevent the staff from being overwhelmed, the government, in our example the corporations, declare a lockdown to prevent the spread. But in an effort to not stop legitimate business activity they take a blacklisting approach or blocking traffic from known compromised sources rather than whitelisting, which would only allow traffic from verified clean sources.
The epidemiologists are gathering statistics and using prior knowledge to predict the best path forward and advising the government on how to create the policies. These are the proverbial CISOs, Chief Information Security Officers, strategic men and women whose job is to limit organizational risk while balancing that with the need for work to continue. As such, epidemiologists have suggested masks, and the governments albeit slowly and reluctantly, have passed these mandates.
If social distancing is like the password, then masks are like MFA.
If social distancing is like the password, then masks are like MFA. When social distancing fails to provide protection, the masks are supposed to limit exposure. They provide a certain degree of protection in addition to what our natural bodily defenses provide and they are designed to limit the spread of infection if one occurs. Ultimately, masks are not a panacea and their effective rate is not 100%, just like MFA. And just like not all forms of MFA are equally effective, not all masks are equally effective. This is why some people refuse to wear them altogether. A similar argument to what we face when deploying MFA. In essence, the mask idea is based on the idea that something is better than nothing, similar to the security concept of buying time through layers.
In addition to masks there has been a big push for social distancing, the concept of keeping enough distance between you and another person to prevent the spread of the virus. In reality however, few of us live alone, even fewer of us can avoid leaving the house altogether which means at some point human interaction occurs. An analogy, albeit not a perfect one, is limiting your communication only to trusted sources, a security concept known as a web of trust.
This web of trust is among the most flawed of security ideas. Based on the idea that only a trusted individual can authorize a trusted device and sometimes vice versa, the only thing required for the whole web to fail is a single compromised user or endpoint. The web of trust is a very human idea, it's the flow that we logically carry out every day, you allow your babysitter to enter your house unchecked because you trust that this person has your, and your baby's best interests at heart. We trust them to be safe, wear their mask, wash their hands, clean their phones, avoid high-risk activity and so on, and maybe they do. But your babysitter has her own web of trust, her kids, her neighbors, her hairdresser, people whose understanding of and acceptance of risk may be slightly different from your babysitter, but substantially different from your own. So what happens during Covid is what happens everyday to hundreds of companies worldwide, someone's account is compromised because they didn't have MFA enabled, in our analogy they weren't wearing their mask, the attacker then uses this account to spam all of their contacts, propagating the malware to all of those who all have MFA or wear their masks, but because they were inside this web of trust they were compromised nonetheless.
the only thing required for the whole web to fail is a single compromised user or endpoint
The fundamental problem is the idea of accepting that we can each be the problem. This idea of zero trust must apply to everyone, even the most risk-averse of us. In our analogy, this would assume that they don't know if they were sick, but behave as if they are to err on the safe side. Just like if they were a computer joining your network, would they know they are clean? Or would they just not know that they were infected? Do those two statements give you the same level of assurance?
This is where testing comes in, testing is the proverbial virustotal.com. When you receive a file that's suspicious, what do you do? You scan it or test it to make sure it's not infected. But you don't have the ability to scan every file, therefore your risk can never truly be zero. Testing allows us to slow the spread of Covid and of malware but alone it doesn't fix the problem.
Unlike a web of trust, this concept relies on a continuous checking to ensure that these devices are still clean
The solution must go deeper. The idea of blacklisting sources of "significant spread" is highly flawed. Not just with Covid but with malware in general, by the time significant spread has been detected it can't be contained or slowed, it must be cleaned. But how do we prevent this infection from spreading? One approach is to create a whitelisting policy. A policy that permits travel or the sharing of data between two sources, both of whom have been verified clean. This is inconvenient but safe and nearly foolproof. Unlike a web of trust, this concept relies on continuous checking to ensure that these devices are still clean. One example where this can be deployed is the territory of American Samoa, a small US territory consisting of several islands. Their governor closed the borders early in the pandemic, without allowing for any exceptions, medical or otherwise, this strategy has worked. To date, they have not had a single case. The idea is that they will resume travel when it is safe to do so, most likely with restrictions to where and how, but on the scale of convenience and security they have elected security and saved countless lives and resources in the process. With a population of about 56k people, this is more of a case study than a scalable approach for the world but a study that proves that if you are ready to make sacrifices you can provide security, but if you focus on half measures you will waste time, effort, and ultimately are still largely at risk.