What the Covid-19 Crisis Teaches Us About Information Security25th of May 2020
Opinion, Joseph MacMillan, Information Security Consultant
As an InfoSec professional, I have noticed a few interesting phenomena and reactions to the Covid-19 pandemic from an individual, organisational, and governmental level, which can be compared to the everyday life of the InfoSec world. These reflections highlight how the Covid-19 pandemic is similar to a company network, and how it’s different.
The first thing which came to mind was that we as CISOs and Information Security Architects have much more power to control the situation in our organisations than governments do trying to address a pandemic, because you can rule computers with much more authority than individuals, which leads to great power to protect your estate. But before I get into that, let’s start off with the somewhat bizarre phenomenon of panic-buying toilet paper, and how it is similar to a common (bad) practice in the world of information security:
The toilet paper phenomenon
Panic-buying toilet paper has been a social phenomenon arising from the Covid-19 pandemic. The FOMO (fear of missing out) around not having the right supplies if the worst happens seems to have led to people saying: “Better to have toilet paper and not need it, than to need toilet paper and not have it.”.
Many cybersecurity hardware and software products offer the same assurance as toilet paper. They’re useful for a very specific task, but overall, they’re not going to stop every possible threat (so, stop panic-buying them!).
Some of the products are patches for bad practice, but can’t be relied on to catch everything, and others simply don’t work. Cybersecurity products can only augment your optimised information security strategy in order to make you more efficient in preventing a breach, or a loss of availability. Best-practice still calls for defence-in-depth, preventing a reliance on a single tool being up-to-date and able to mitigate every threat from exploitation.
How we can learn about network segmentation from social distancing
Under Covid-19, many governments implemented Social Distancing measures in order to ”flatten the curve” and slow the spread of the virus. Despite issuing clear guidelines for people to stay home, some still used public transport for non-essential travelplayed in parks or went to grocery stores. These activities are the equivalent of a largely unsegmented network.
Within your own network, you are able to be a dictator, preventing any sort of activity that isn’t known to be crucial to the operations of your business. You can ask yourself: “This IP is communicating to this other IP on this port, this many times a day. Why?”. You have tools which will uncover the activity of unknown or rogue processes in your network. If blocking that activity leads to an outage, you are able to roll-back the changes and make things right again, now with more information.
Some governments issued guidelines such as ‘you are only able to go outside once per day’. This “rule” might slow the spread of COVID-19 slightly, but it’s a tactic which would be simply ineffective in the InfoSec world – because it is impossible to enforce as long as people have the freedom to disobey it and do not feel the immediate consequences of doing so.
Just-in-Time access control locks down inbound traffic to network devices by creating firewall rules. You select the ports to which inbound traffic will be locked down and access to these ports are controlled by the just-in-time automation. When a user requests access to a service, the network automation setup checks that the user has Role-based Access Control permissions for that service. Once the request is approved, the firewall is automatically configured to allow inbound traffic to the selected ports from the requester’s source IP addresses, for the amount of time that was specified. After the time has expired, the firewall rules are reverted to their previous states. We can enforce this and audit the effectiveness of this solution – here, we are in full control, unlike governments, who have to rely on their populations “doing the right thing”.
I have found myself liking the situation of working remotely during Covid-19. I don’t get distracted by chit-chat, and I’m able to get all of my work done during the working hours of the day. But how can we reflect that to our network estate?
We should investigate our network logs and find noise or “chit-chat” that is not useful for the operation of the business. This includes various communications which are extremely outdated but still in-use, and thus still a threat vector in organisations, such as LLMNR or NetBIOS over TCP/IP. All of this activity should be blocked at the network level, and the processes that are blocked and not affecting anything should be killed, saving processing capacity and reducing noise on your network.
Parallelism is the idea of doing more than one thing at once or splitting a large task across many different devices in order to complete faster or more efficiently. Similar to my ability to have three different chats and work on what I’m working on while remotely-working instead of being pinned down to one specific face-to-face interaction in the office, your servers and network have much more potential than they are currently being used for.
In the cloud world, this leads to a great opportunity of being able to auto-scale your servers to reduce your operational expenses. If your server isn’t “busy” at the moment, scale it down to the smallest possible size, which costs less money. That newfound budget could then be put towards an effective improvement in your Information Security.
To summarise, information security professionals are able to exert much more strict and authoritarian measures over their networks than governments can over their populations.
This power can be invisible, and not even noticed by people inside the organisation which are operating normally. Employees can be prevented from negatively affecting your business and allowing information breaches or ransomware to spread – whether they have malicious intentions or are simply not following best practices.
We’re able to optimise and reduce noise through our understandings of how the network is meant to behave.
And finally, we should improve our ability to determine if a service is worth the money, or if it’s just toilet paper.