I’ve been working at Tripwire for over two decades, and I’ve acquired a fair bit of swag over those years: branded jackets, hats, shoes, a watch, and of course a drawer full of t-shirts. One thing I never would have predicted owning was a Tripwire-branded face mask to protect me from a global pandemic. Over the past year, I’ve worn that face mask more than any of my other swag.
Of course, none of my other swag protected me and others from a highly contagious, deadly virus.
So, the company I work for, which provides software to protect organizations in the digital world, is now providing personal protective equipment (PPE) to me to protect people in the physical world.
This past year and a half has been a visceral, public, and clear lesson in risk management and response. We first attempted to assess and understand the risks of COVID-19 – its scope, and its impact. Then, we tried to formulate a response at regional, national, local, and personal levels. As our knowledge and understanding grew, so did our responses and our ability to assess and address the risk.
When I was recording a recent podcast about the 2021 Verizon Data Breach Investigation Report (DBIR), the conversation got me thinking about how our responses to the pandemic can inform our responses to cyber risk. What can we learn from our pandemic successes and mistakes to reduce the likelihood of a breach?
As someone who has spent a long time in the cybersecurity space, it was easy to apply that language to what was happening around us. Experts saw an outbreak of a deadly virus and began assessing the risk and threat modelling using the available data. Others began advancing their detective controls in order to find and track the danger, and nations began formulating their preventive controls.
The response looks a lot like defense-in-depth, a collection of controls layered together to reduce vulnerability and protect against potential harm. Despite the effort, there was still a breach, which means we have lessons to learn in pandemic response and those lessons can inform our cyber defense as well.
Risk Assessments
On January 21, 2020, the World Health Organization (WHO) issued its first situation report for COVID-19. That report, along with the others that followed, is available on the WHO website. Provided daily until August 2020, when the updates moved to a weekly cadence, these reports summarized key events, details of the emerging situation in terms of number of confirmed cases and locations, and the severity of the cases ranging from asymptomatic to death. In addition to tracking the cases, the reports provided information about the preparedness and response of the WHO and the affected countries. The first report listed four countries with confirmed cases and responses: China, Japan, South Korea (ROK), and Thailand. The number of confirmed cases was 282.
At the time of the first summary, the WHO was assessing the transmission rate, the health impacts, the prevention mechanisms, and their own disease management infrastructure. The last bullet point of that report summary is instructive:
“WHO is working with our networks of researchers and other experts to coordinate global work on surveillance, epidemiology, modelling, diagnostics, clinical care and treatment, and other ways to identify, manage the disease and limit onward transmission. WHO has issued interim guidance for countries, updated to take into account the current situation.”
Even in its earliest stages, the WHO recognized the threat and began assessing the risk to formulate a response. Looking through the list of actions, one could translate each into an approach to a digital threat rather than a physical one. Surveillance, epidemiology, and diagnostics could be categorized as monitoring and detection. Limiting transmission requires preventive controls, and infection (breach) requires containment and remediation or restoration.
Ideally, a risk assessment occurs prior to a breach, and as an emerging threat is recognized, evaluating an entity’s susceptibility to the threat is critical for reducing or eliminating the exploitability of system vulnerabilities. Nations receiving WHO guidance were doing their own assessments to prepare their responses and, like a cyber threat, the assessments and conclusions were varied – as were the outcomes.
While it is impossible to eliminate or mitigate every possible threat, regular, thorough, and systematic risk assessments can go a long way to harm reduction. As with the COVID-19 response, correctly assessing the threat and responding accordingly increases the success rate of harm reduction. However, addressing the threat is only one of many options when deciding what actions to take for any given risk. The complexity of tackling an emerging pandemic is as challenging as defending against the digital attacks that continue to threaten enterprises today. Over a decade of Verizon DBIRs have shown that we still have a significant way to go in preventing breaches of our cyber infrastructure.
With over a year of dealing with the pandemic, what can we learn from it regarding risk assessment that will help us shore up our electronic walls and interior defenses? There are three areas that teach lessons that we can use to improve our information security: threat modelling and analysis, vulnerability assessment, and risk responses.
Threat Modeling and Analysis
Discovering weaknesses before they are exploited and exploring ways in which harm may come to a system aids us in developing defenses and responses to that harm. Adam Shostack in his book Threat Modeling describes this process as, “...the use of abstractions to aid in thinking about risks.” In other words, this involves creating a model of assets or systems that can be harmed and then considering the types of damage and how they might happen.
In the case of COVID-19, the most important thing to protect is people’s safety. The boundaries are defined by the locations where those people are, which could be the person themselves, buildings, transportation infrastructure, or political geographic borders. For this model, we know the threat is a coronavirus, and while at the time it was a novel virus, we knew something about coronaviruses. Using that knowledge, scientists could create scenarios based on assumed transmission rate and vectors, population mobility, and any defenses in place. If the model is well designed, new data can inform impact, spread, and how successful defenses or responses to the threat are. A model is just a way to help us think about risk, however, and if it doesn’t go beyond a thought exercise, it has little value for preventing damage.
In any threat model, physical safety is the top concern, and increasingly, cybersecurity is needed to protect physical assets as well as digital ones. Cyber-attacks have shut down fuel pipelines and almost poisoned a city’s water supply. Industrial cyber security is grabbing headlines now, and critical infrastructure must continue to advance its cybersecurity posture. Threat modeling that once focused on the physical plant must now also include potential attacks leveraging operational and information technology and consider the supply chains for digital technology and vendors.
Most cyber attacks do not directly impact people’s physical safety. That does not lessen the financial or privacy concerns or the disruption to business that a breach can cause. As with a potential or emerging pandemic or securing physical infrastructure, the process of understanding assets, boundaries, and attack vectors informs defenses and responses to threats. Regular threat modeling exercises, especially when change is introduced into a system, can create a process whereby cyber defenses continually improve and risk is reduced on an ongoing basis.
Vulnerability Assessment
Defenses are put in place to mitigate damage. “Vulnerability” is another word for weakness, and identifying weaknesses informs what defenses will be successful against potential threats. One often-repeated misconception is exposed in the question, “Are we vulnerable?” This question locks in a binary when a more useful question is, “How vulnerable are we?” The latter framing goes beyond whether a weakness exists (it almost always does) to whether a weakness can be exploited as well as how easy it is for that exploit to cause harm.
Looking at COVID-19, a threat assessment occurs at multiple levels. The immediate assessment begins at the individual level. Who is most susceptible to contracting the virus? Who will be most impacted? What are the transmission vectors? Early on, there was recognition that certain populations such as older and immunocompromised people tended to be impacted more severely than others. A year on, we have a body of evidence, such as that from the Mayo Clinic, that we can use to identify these vulnerabilities as well as ways to manage those weaknesses.
Applying this example to the digital realm, the assessment process starts with identifying the vulnerabilities. Rather than age or a specific malady, we look at applications or software and their versions, ports and protocols, or configuration settings. Those are tested against known exploits for susceptibility and impact. Using a vulnerability management tool to automate this process makes it easy to assess risk by identifying which assets have known weaknesses and the potential impact of an attacker capitalizing on those weaknesses. A thorough assessment takes this a step further and applies a difficulty or likelihood of exploitation. For instance, if an attacker needs physical access to a machine to take advantage of a weakness, that may inform whether it is considered a higher or lower risk depending on where that machine is located and who has access to it.
This same approach can move beyond the individual or endpoint, as well. New Zealand has been able to successfully deal with the pandemic because leaders quickly identified vulnerabilities – ports of entry and large gatherings – and addressed them. In this case, a small attack surface – an island nation with few ingress points and a relatively small population – has allowed for a swift and effective defense. While this has not eliminated COVID-19 from the island, it has allowed for successful control of the risk.
The lesson here is one of both complexity and response. A complex IT environment will increase the difficulty of assessing and managing vulnerabilities. The larger the attack surface – the number of ingress and egress points, applications, endpoints, and connections – the harder it is to assess vulnerability. In an environment like this, it is critical to prioritize response based on risk, as it will be impossible to address every vulnerability that arises. Likewise, responding to areas of high risk quickly and completely means reducing the impact of an attacker as much as possible. New Zealand determined the impact of COVID-19 was severe enough to employ a full elimination strategy. Recognizing the potential impact of a weakness should guide the response whether it’s all-hands-on-deck patching or deprioritizing a response to spend time, effort, and money on more valuable work.
Risk Responses
In January 2020, as WHO was monitoring the outbreak of this new virus, nations were watching, assessing the risk, and determining what their responses would be. Images of makeshift hospital beds with people suffering from the virus were broadcast on the nightly news. The rapid spread to other regions only increased the urgency. Italy became a focal point as the country was ravaged, and cruise ships were stranded offshore as they were subject to both contagion and quarantine. Even as this is written over a year and a half later, countries are still working to bring the virus under control.
When confronting a known or anticipated risk, several considerations factor into the response. Those factors are type of risk, risk tolerance or appetite, likelihood of exploit, and impact of the threat.
Risk type can be categorized in multiple ways such as physical harm to people or property, financial loss, or damage to reputation. When confronting COVID-19, nations rightly look at the physical risk to people but also consider economic and political impacts. Risk is often not one-dimensional, and broader systemic implications beyond the immediate safety of residents all factor into nations’ response to risk.
Risk tolerance is a spectrum that indicates how much risk one is willing to take on. Having a high risk tolerance means one is prepared to take on significant loss or damage in the pursuit of a high reward. This tends to lead to a more volatile loss-to-reward ratio and requires the ability to absorb short-term loss in pursuit of long-term high gain. Low tolerance is associated with a steadier approach, often a smaller gain and lower loss.
With COVID-19, the physical impacts are dire. Looking at how nations, localities, and people respond to the risk, we can evaluate their risk tolerance. What governments and people choose to do tells us how they evaluate both the impact and likelihood of the threat.
When it comes to cybersecurity, balancing the need to conduct business with protecting the enterprise informs risk tolerance. One’s industry, the type of assets in the enterprise, and available budget are all factors that play into cyber risk tolerance. The important thing is to understand what your risk tolerance is, what areas are critical to protect, and what areas may have less scrutiny. With limited budgets, people and time, risk tolerance provides a means for protecting what is most important to your enterprise.
Once risk has been identified and assessed, the impact, likelihood, type, and tolerance will guide a response. The specific responses will be as varied as the threats, but they can be categorized by the acronym META. Risks can be Mitigated, Eliminated, Transferred, or Accepted. Mitigating a risk means putting in place something that will reduce its impact or likelihood. Preventive controls like masks and vaccines don’t get rid of a virus, but they do greatly reduce the likelihood of contracting it or blunt its impact as the body is more able to defend against the damaging effects.
New Zealand attempted an elimination strategy by implementing very strict lockdowns and border closings. In the case of a pandemic, the primary impact to people can’t be transferred, but we’ve seen several nations shift the financial risk from individuals or industries to the governments themselves. We’ve also witnessed examples of accepting the risk – a willingness to forgo any strategies to blunt the impact or likelihood of contraction or the spread of the disease. Ignoring the risk is also an option, and while it looks exactly like acceptance, there is a subtle nuance. Accepting a risk is an active choice and assumes some level of assessment, while ignoring a risk forgoes any analysis or recognition of impact or likelihood.
What do the responses to the pandemic teach us about cybersecurity? The threats of a cyberattack and breach remain as real and prevalent as ever. How we respond to those risks will be determined by how well we’ve identified and analyzed them. Is an outdated operating system or application in our environment highly vulnerable to exploitation? Upgrading or removing the system eliminates the risk. Maybe that isn’t an option for some reason, so what can we do to limit the likelihood or impact of the risk (mitigation)? Just as nations determine what approach they are going to take to COVID-19, so must an organization consider the costs and benefits of dealing with cyber risk. An elimination strategy may protect against a serious impact, but it may come at a high financial or velocity cost. Can your company absorb a major ransomware attack? If not, how will it mitigate, eliminate, or transfer that risk?
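The triage described under Vulnerability Assessment and the META responses above can be combined in a few lines. This is an added example, not code from the article or from any Tripwire product; the 1-5 ratings, the physical-access discount, the order in which responses are tried, and all asset and field names are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Finding:
    asset: str
    impact: Optional[int]      # 1 (minor) .. 5 (severe); None = never assessed
    likelihood: Optional[int]  # 1 (unlikely) .. 5 (expected)
    needs_physical_access: bool = False
    restricted_location: bool = False   # few people can reach the machine
    can_upgrade_or_remove: bool = False
    loss_transferable: bool = False     # e.g. a purely financial loss

def score(f: Finding) -> Optional[int]:
    """Impact x likelihood, discounted for hard-to-reach physical exploits."""
    if f.impact is None or f.likelihood is None:
        return None
    likelihood = f.likelihood
    if f.needs_physical_access and f.restricted_location:
        likelihood = max(1, likelihood - 2)  # assumed weighting
    return f.impact * likelihood

def respond(f: Finding, tolerance: int) -> str:
    """Map a finding to a META response for a given risk tolerance."""
    s = score(f)
    if s is None:
        return "IGNORED"      # no analysis was done, so this is not acceptance
    if s <= tolerance:
        return "ACCEPT"       # assessed and within tolerance: an active choice
    if f.can_upgrade_or_remove:
        return "ELIMINATE"
    if f.loss_transferable:
        return "TRANSFER"
    return "MITIGATE"

def triage(findings, tolerance):
    """Unassessed findings first, then highest score first."""
    rank = lambda f: float("inf") if score(f) is None else score(f)
    ordered = sorted(findings, key=rank, reverse=True)
    return [(f.asset, score(f), respond(f, tolerance)) for f in ordered]

# Constructed sample inventory (hypothetical assets and ratings).
FINDINGS = [
    Finding("badge-kiosk", 3, 4, needs_physical_access=True, restricted_location=True),
    Finding("lobby-kiosk", 3, 4, needs_physical_access=True),
    Finding("legacy-file-server", 5, 4, can_upgrade_or_remove=True),
    Finding("plant-hmi", 5, 3),
    Finding("billing-db", 4, 2, loss_transferable=True),
    Finding("vendor-portal", None, None),
]
```

Calling `triage(FINDINGS, tolerance=6)` puts the unassessed asset at the top of the list, and raising the tolerance moves more findings from mitigation into acceptance.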
Lessons Learned
The world has discovered a great deal about how governments, industries, and individuals manage risk. Myriad case studies could be written about what’s worked and what hasn’t, and if we are wise, we will learn from those studies and prevent – or at least decrease the impact of – the next potential pandemic.
From a cybersecurity perspective, developing a risk assessment program that is comprehensive and evaluates risk at frequent intervals is required to quickly identify and address potential harm before it happens. Incorporating a vulnerability management process to find and deal with weaknesses in the environment will add protections against a breach. Finally, having a formalized and standardized approach to risk will allow enterprises to focus their limited time, money, and people on the most critical areas and provide important guidance when it is literally impossible to plug every hole in increasingly complex systems.