I have been meaning to write this post ever since the COVID-19 menace started scaring all of us. For me, today is the 10th day of social distancing, the need of the hour. The first week itself was very hectic from a work perspective: enabling people to work from home SECURELY. Easier said than done; lots of trade-offs. In any case, cyber security practice is essentially about dealing with trade-offs. "Every one of us, every day of our lives, makes security trade-offs," as Bruce Schneier very aptly put it in his book "Beyond Fear" in 2003.

The principles of control have never changed; they remain almost the same in the real world and in the cyber world. "Prevention is better than cure" works very efficiently if the dynamics of the threat are known. In the cyber world, since most threats are very dynamic, preventive control is not the only answer. We always have a host of controls, preventive, detective, corrective and so on, to reasonably combat any threat; we call it layers of defense. There is no such thing as one threat, one control; it is always one threat with multiple controls. This itself is a trade-off for a security practitioner.

COVID-19-like incidents may be new or unique to the real world, but in the cyber world we face them on a regular basis. In cyber lingo, COVID-19 is a zero-day threat for which there are no preventive controls such as vaccines (anti-virus signatures) as of today. In the cyber world, zero-day threats are very common. From Heartbleed to POODLE to Meltdown and Spectre, and finally the different varieties of ransomware, all were very dangerous surprises, but we managed them well and became stronger. Mind it: our good friend "The Social Media" created a lot of noise at that time too. So what were our broad strategies, and how can we imitate them in the real world? Let's take a sample cyber incident/threat use case and try to define appropriate controls for it. Here I go…

"A large global organization, a business conglomerate, has discovered a zero-day cyber-attack on its network. The potential of this threat is that if it spreads to the entire network, the entire business will stop, which will result in tremendous business loss, reputation loss, regulatory non-compliance etc. In the worst-case scenario, the company may go out of operation if the threat/attack is not controlled."

So how will we address this problem? Where do we start? What should our broad strategy and objective be? Let's go through our step-by-step approach.

1. Understanding the extent of the attack

The first thing to understand is how many systems are already compromised by this zero-day threat. In the cyber world we call this a "compromise assessment", and it can be done comparatively efficiently because of tools like EDR (Endpoint Detection and Response), provided the organization has invested in deploying a proper EDR tool. This step is very important; otherwise the entire strategy may go wrong. In the real world, this is achieved by testing individuals showing early signs of COVID-19 infection. Today this is really handicapped by the lack of enough testing centres and the lack of awareness among people. Sometimes fear plays a great role too: people are scared to go to the testing centre.

2. Containing the threat

Once you are reasonably sure about the extent of infection, you need to contain the threat so that it does not spread to the entire network. Again, in the cyber world this is much more efficient because of technologies like network (macro) segmentation and micro-segmentation, although you have to manage a very difficult trade-off between business requirements, convenience and security. In the cyber world, macro- and micro-segmentation are the new normal, i.e. they are in place irrespective of whether there is a cyber attack or not. In macro-segmentation we ensure that a threat in one business or function does not spread to other functions, and in micro-segmentation we ensure that a threat on one system does not spread to other systems. Apart from macro- and micro-segmentation, we also make sure that vulnerable systems are contained. Many times we are not sure which systems are vulnerable. Therefore the very common strategy is to have special controls for end-of-life (EOL) systems, for which no patch or support is available from the OEMs; systems like Windows 8, 2003 etc. fall into this category. It is very easy to say "upgrade or phase out these systems immediately", but reality is different: there are so many dependencies. In the real world we try to achieve these things through lockdown, social distancing etc. Lockdown is more like macro-segmentation, where we ensure that the attack does not spread from one place to another, and social distancing is more like micro-segmentation, where we ensure that the attack does not spread from one person to another. The aged population are like EOL systems, whose immune systems are not strong enough to fight these threats and hence need to be specially protected. These controls are very important to ensure that the infection remains contained and does not spread.
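To make the layered containment above concrete, here is a small policy model written for this post as an added example; it is not code from the original article or from any segmentation product. It encodes macro-segmentation (zones with cross-zone default deny), micro-segmentation (per-host peer allow-lists), the special handling of EOL systems (only a designated management host may reach them) and the quarantine state used in the next step (a flagged host may only talk to the forensic collector). The host names, zones and observed flows are constructed; the rule order is the point, with the most restrictive rule winning.

```python
"""Segmentation policy model: an added example, not from the post or any product.

It encodes the layered containment described above as data and a rule order:
  - macro-segmentation: hosts belong to zones (business functions); cross-zone
    traffic is denied by default, with explicit exceptions for shared services
  - micro-segmentation: within a zone, a host may only reach peers on its
    own allow-list
  - EOL handling: an end-of-life host may only be reached by its designated
    management host (the patch proxy), so an unpatchable box is fenced off
  - quarantine: a host flagged as compromised may only reach the forensic
    collector, and nothing may reach it
All host names, zones and flows below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Host:
    name: str
    zone: str
    eol: bool = False
    quarantined: bool = False
    # micro-segmentation allow-list: peers this host may initiate connections to
    allowed_peers: Set[str] = field(default_factory=set)


# Constructed inventory (hypothetical names)
INVENTORY: Dict[str, Host] = {h.name: h for h in [
    Host("fin-app-01", "finance", allowed_peers={"fin-db-01"}),
    Host("fin-db-01", "finance"),
    Host("mfg-hmi-01", "manufacturing", eol=True, allowed_peers={"mfg-plc-01"}),
    Host("mfg-plc-01", "manufacturing"),
    Host("hr-ws-07", "hr", quarantined=True),
    Host("patch-proxy", "shared-services"),
    Host("forensic-collector", "security"),
]}

SHARED_SERVICES: Set[str] = {"patch-proxy"}   # reachable from every zone
EOL_MANAGERS: Set[str] = {"patch-proxy"}      # the only sources allowed to reach an EOL host
FORENSIC_COLLECTOR = "forensic-collector"     # the only destination a quarantined host may reach


def evaluate(src: str, dst: str) -> Tuple[bool, str]:
    """Decide whether src may open a connection to dst; most restrictive rule wins."""
    s, d = INVENTORY.get(src), INVENTORY.get(dst)
    if s is None or d is None:
        return False, "unknown host: default deny"
    if s.quarantined:
        if dst == FORENSIC_COLLECTOR:
            return True, "quarantine: forensic collector allowed"
        return False, "quarantine: source may only reach the forensic collector"
    if d.quarantined:
        return False, "quarantine: destination is isolated"
    if d.eol:
        if src in EOL_MANAGERS:
            return True, "EOL: management host allowed"
        return False, "EOL: only management hosts may reach an end-of-life system"
    if dst in SHARED_SERVICES:
        return True, "shared service: allowed from any zone"
    if s.zone != d.zone:
        return False, "macro-segmentation: cross-zone default deny"
    if dst in s.allowed_peers:
        return True, "micro-segmentation: explicit peer allow"
    return False, "micro-segmentation: intra-zone default deny"


def audit(flows: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return the observed flows the policy would block, with the blocking rule."""
    blocked = []
    for src, dst in flows:
        allowed, reason = evaluate(src, dst)
        if not allowed:
            blocked.append((src, dst, reason))
    return blocked


# Constructed sample of observed flows, e.g. exported from a flow collector
OBSERVED_FLOWS = [
    ("fin-app-01", "fin-db-01"),
    ("fin-app-01", "mfg-plc-01"),
    ("mfg-plc-01", "mfg-hmi-01"),
    ("patch-proxy", "mfg-hmi-01"),
    ("hr-ws-07", "patch-proxy"),
    ("hr-ws-07", "forensic-collector"),
]

if __name__ == "__main__":
    for src, dst, reason in audit(OBSERVED_FLOWS):
        print(f"BLOCK {src} -> {dst}: {reason}")
```

Running `audit` over a flow export before enforcing the policy is how the business trade-off gets surfaced: every blocked line is either a dependency that needs an explicit allow-list entry or a path that should never have existed. Note that the EOL host keeps its own outbound peer (the HMI still reaches its PLC) while nothing but the patch proxy may reach it, which is the "special control, not immediate phase-out" compromise the text describes.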

3. Managing the compromised hosts

Once we identify the compromised hosts, we will broadly have three activities:

  • Quarantine the system, i.e. make sure that the system does not talk to any other system.

Quarantining a system for a long time is as difficult in the cyber world as in the real world. There are lots of trade-offs which need to be addressed. In extreme cases we disconnect the system totally from the network. This is achieved in the real world by the forced lockdown of a few people.

  • Remove the infection through various methods.

Removing the infection in such cases of zero-day threats/attacks is very difficult in the cyber world too, but many times we format the system and rebuild it from scratch; unfortunately, we cannot do this in the real world.

  • Conduct a forensic analysis to understand the extent of damage, the source of infection and how long the infection has been there.

Forensic analysis is very important for any such attack. It replays the attack and deciphers many hidden parameters, like the initial source of compromise, the extent of damage, the motive of the attack etc. These analyses are very important as input/feedback for future prevention of this attack. In the cyber world there are now very standard forensic tools and techniques available to do this analysis, but in the real world we have serious limitations. I think this is doable to some extent by using the same techniques, like AI and ML. Of course, the trade-offs between privacy and security must be managed. The way we currently do link analysis of an infected person's movements, contacts etc. is nothing short of a forensic analysis. There is definitely scope to make this more efficient.

4. Close coordination and correlation

In such a scenario, the most important thing is close coordination among all the steps mentioned above and correlation of the events, using new-generation technologies like ML and AI to get different dimensions, which can be used as a continuous feedback loop to each layer. Sometimes this step can also be used for future threat prediction. In the cyber world we have new-generation SIEM (Security Information and Event Management) tools, which help in log analysis and correlation. Regarding the feedback loop for each layer, although technologies and frameworks like Zero Trust and Gartner's Continuous Adaptive Risk and Trust Assessment (CARTA) are still emerging, not many organizations have implemented them till now. In the real world, we seem to have very serious limitations in this coordination and correlation because of the non-availability of data and appropriate technology. This is the area where we need substantial improvement.
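The three cyber-side pieces above, the compromise assessment of step 1, the forensic link analysis of step 3 and the SIEM-style correlation of step 4, come together in one correlation routine. The following is an added example written for this post, not code from the original article or from any SIEM or EDR product: it takes a constructed stream of EDR alerts and firewall flow records, starts from the earliest high-severity alert (the "patient zero"), and walks the flows in time order to list every host that a compromised host later reached over a watch-list of remote-access services, together with the exposure chain. It is the cyber form of contact tracing: the result bounds the scope of the compromise assessment and gives forensics its starting chain. All IPs, ports, timestamps and the port watch-list are constructed and would be tuned to a real environment.

```python
"""Blast-radius tracing over flow and EDR logs: an added example, not from the post.

Starting from one host confirmed compromised by an EDR alert, walk the network
flow log in time order and list every host it, or any host it reached, later
talked to over the services on a watch-list. This is the cyber version of the
contact tracing described above: it bounds the compromise-assessment scope
(who might be infected), and the exposure chain it returns is where forensic
analysis starts. The log lines, IPs, ports and timestamps are constructed.
"""
import json
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed sample: EDR alerts and firewall flow records in one key=value stream
SAMPLE_LOG = """\
2020-03-20T09:58:41Z src=10.1.1.5 dst=10.1.2.9 dport=443 action=allow
2020-03-20T10:00:00Z host=10.1.1.5 alert=zero-day-behaviour severity=high
2020-03-20T10:01:00Z src=10.1.2.9 dst=10.1.2.11 dport=445 action=allow
2020-03-20T10:03:12Z src=10.1.1.5 dst=10.1.2.9 dport=445 action=allow
2020-03-20T10:04:50Z src=10.1.1.5 dst=10.1.3.7 dport=3389 action=deny
2020-03-20T10:09:30Z src=10.1.2.9 dst=10.1.2.10 dport=445 action=allow
2020-03-20T10:15:00Z src=10.1.4.2 dst=10.1.1.5 dport=445 action=allow
2020-03-20T10:20:00Z src=10.1.2.10 dst=10.1.5.1 dport=80 action=allow
"""

# Services over which one host can administer another; a constructed
# watch-list to tune per environment
LATERAL_PORTS = {"22", "445", "3389", "5985"}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.+)$")


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Turn one 'timestamp key=value ...' line into a dict with an aware datetime."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec: Dict[str, object] = dict(tok.split("=", 1) for tok in m.group("kv").split())
    rec["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def load(log_text: str) -> Tuple[List[dict], List[dict]]:
    """Split the stream into alerts and flows; flows come back sorted by time."""
    alerts, flows = [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        (alerts if "alert" in rec else flows).append(rec)
    flows.sort(key=lambda r: r["ts"])
    return alerts, flows


def trace_exposure(flows: List[dict], patient_zero: str, t0: datetime) -> Dict[str, Tuple[datetime, List[str]]]:
    """Map each exposed host to (first exposure time, chain from patient zero).

    A single pass over time-sorted flows is enough: a host can only pass the
    threat on through flows that happen after it was itself exposed, so by the
    time we see such a flow its source is already in `exposed`. Denied flows,
    flows on other ports, and flows that predate the source's exposure do not
    count.
    """
    exposed = {patient_zero: (t0, [patient_zero])}
    for f in flows:
        src, dst = f.get("src"), f.get("dst")
        if f.get("action") != "allow" or f.get("dport") not in LATERAL_PORTS:
            continue
        if src in exposed and f["ts"] >= exposed[src][0] and dst not in exposed:
            exposed[dst] = (f["ts"], exposed[src][1] + [dst])
    return exposed


def assess(log_text: str) -> dict:
    """Produce the compromise-assessment scope from the earliest high-severity alert."""
    alerts, flows = load(log_text)
    high = [a for a in alerts if a.get("severity") == "high"]
    if not high:
        raise ValueError("no high-severity alert to start from")
    first = min(high, key=lambda a: a["ts"])
    patient_zero, t0 = str(first["host"]), first["ts"]
    exposed = trace_exposure(flows, patient_zero, t0)
    return {
        "patient_zero": patient_zero,
        "first_alert": t0.isoformat(),
        "exposed": {h: t.isoformat() for h, (t, _) in exposed.items() if h != patient_zero},
        "chains": {h: chain for h, (_, chain) in exposed.items() if h != patient_zero},
    }


if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_LOG), indent=2))
```

On the constructed sample the routine reports two exposed hosts, 10.1.2.9 and then 10.1.2.10 via it, and nothing else: the 443 flow predates the alert, the 3389 attempt was denied, the 10:01 flow out of 10.1.2.9 happened before that host was exposed, the inbound flow from 10.1.4.2 is not from an exposed host, and port 80 is not on the watch-list. That time ordering is what keeps the scope honest; drop it and every host in the log ends up on the list, the same over-counting that makes real-world contact tracing noisy. The hosts it returns are the candidates for the quarantine decision of step 3, and the chains are the first thing a forensic analyst would verify against the endpoint evidence.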

5. Reinforcing user awareness

In such a scenario, all users need to follow strict cyber security discipline. Any laxity will put us back on the curve and we will be perpetually solving this problem. In the cyber world, we issue several awareness communications to users about cyber security disciplines like not clicking links from unknown senders, never sharing your password and never falling prey to phishing and vishing attacks. Reinforcing the awareness requirement, with disincentives for non-compliance, is the only way to make this a success. This piece may sound very simple but is THE key to the success of a cyber security program. Cyber security awareness is not only applicable to the office environment and systems; it is equally important and applicable to every place and every system. In the real-world scenario, the same disciplines, such as washing our hands and not going to crowded places, which are much publicized by government authorities, NGOs, media etc., are very important to follow strictly; otherwise this becomes the weakest link.

6. Learning from this adversity

With proper motivation and planning, we have always managed zero-day threats successfully in the cyber world, and ironically each such scenario has made us stronger and more resilient. I'm sure we will successfully fight COVID-19 off, and what we learn from it will also make us stronger and more resilient. Some of the general practices we now follow will become part of our lifestyle; working from home will no longer be a facility but will rather enable an efficient and secure way of working. We will turn this adversity into our advantage and discover a new normal which is safe, secure, futuristic and resilient.

Stay safe and stay secure
