The parallels of pandemic response and IoT security
While adjusting to life under a pandemic, we’ve become familiar with a host of medical and safety terminology that either didn’t exist before or was of little interest to anyone not in the medical or scientific community. Phrases like social distancing, contact tracing, and super-spreader have now become part of the common lexicon. They matter to us because we want to be safe and we want to keep our loved ones and friends safe, too.
But I’ve noticed something during this time of concern: a lot of the things we’re being asked to do in response to this disease have parallels to the advice we give to organizations for keeping their data and IT infrastructure safe. It’s not that surprising, really. We’ve become used to the idea that computers can be infected by “viruses” and familiar with the concept of good digital hygiene.
The more familiar we grow with the terminology and practice of health safety during the pandemic, the clearer those parallels become. As both medical experts and cybersecurity professionals work to inform the public of what precautions they should take to protect themselves from viruses and to stop their infections from spreading, the advice comes down to three steps: test and detect, containment, and immunization.
Test and detect
When protecting any at-risk community, it is important to know what you are looking for, what the symptoms and indicators of compromise are, and how to test for the presence of threats.
For increasingly complex networks, continuous monitoring and risk assessments are required. We need to understand every packet, bit, flow, application, and interaction on the network, as well as device and user interactions. That requires visibility not only into every device but also into every single device communication at the flow level and every single logon/logoff activity of every single user. Through vigilant monitoring and baselining of behavior, we can better understand at-risk devices and behavior and act quickly to limit or prevent infection.
Because complete isolation is not practical for most networks, network segments, and devices, perimeter controls are needed to limit who and what can get inside the network. Proper digital hygiene must be observed to reduce risk moment-to-moment, and all must take care to avoid coming in contact with asymptomatic super spreaders. In such cases, it can be easy to get caught off-guard when the assumption is that things are going well and that taking a certain risk for the sake of convenience is acceptable. That behavior increases the risk of coming into contact with someone or something who is not only asymptomatic, but especially virulent.
In a network environment, super spreaders may be devices that don’t get proper attention because it is easy to forget they are connected. Printers are a notorious example because, although connected to the network, they are regarded as isolated appliances. Printers and other connected office equipment often have weak (or no) passwords, open ports, and hold sensitive information in internal temporary storage. They are frequently used by staff, and are popular targets for malicious actors.
The results of careless management of such devices can be costly. While the recent breach of Verkada cameras was a result of admin passwords exposed on the Internet, video surveillance cameras are another example of a potential super spreader device as they typically come with weak default passwords.
Contain
Because people and networks operate in environments that have risk, infection is still possible even when stringent precautions are taken. When, through testing or obvious symptoms, infection has been detected, it is vital that the individual, system, or device be isolated as quickly as possible to prevent the spread of disease. Contact tracing must then be done to see who else might have been exposed. Ongoing testing is used to determine potential spread and to allow for the incubation period to pass.
In the same way, if a strain of malware manages to compromise a device, it must be quarantined through a process of automated remediation, either by shutting off its switch ports or by blacklisting its MAC address at the wireless controllers.
If the malware has spread, an understanding of operational relationships and network topology allows all devices that have had communication sessions with the infected devices to be quickly identified, examined using flow-level analytics (contact tracing), and then quarantined if tests are positive for infection.
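The flow-level contact tracing described above, as an added example that is not part of the original article: it walks flow records in time order and marks a device as exposed once it has a session with an already-exposed device, so sessions that ended before the infection time are not counted. The record layout, the addresses, and the choice to treat a session in either direction as contact are assumptions made for illustration.

```python
from collections import namedtuple

# Hypothetical flow record layout: epoch seconds, source, destination, dest port.
Flow = namedtuple("Flow", "ts src dst dport")

# Constructed sample data; 10.0.0.20 plays the role of a networked printer.
FLOWS = [
    Flow(100, "10.0.0.5", "10.0.0.20", 9100),  # print job before the infection
    Flow(200, "10.0.0.20", "10.0.0.7", 445),   # printer reaches a workstation
    Flow(250, "10.0.0.7", "10.0.0.9", 445),    # second-hop contact
    Flow(260, "10.0.0.8", "10.0.0.30", 443),   # unrelated session
    Flow(300, "10.0.0.9", "10.0.0.20", 9100),  # both ends already exposed
]


def trace_contacts(flows, patient_zero, infected_at):
    """Return {device: (first_exposure_ts, exposed_by)} for patient_zero and
    every device reachable from it through sessions at or after infected_at."""
    exposed = {patient_zero: (infected_at, None)}
    # Time ordering matters: a device can only pass on exposure after it
    # has itself been exposed, so earlier sessions must be processed first.
    for f in sorted(flows, key=lambda f: f.ts):
        if f.ts < infected_at:
            continue  # session predates the infection, not a contact
        # Assumption: a session in either direction counts as contact.
        for a, b in ((f.src, f.dst), (f.dst, f.src)):
            if a in exposed and b not in exposed:
                exposed[b] = (f.ts, a)
    return exposed


def quarantine_candidates(flows, patient_zero, infected_at):
    """Devices to examine, ordered by the time of first exposure."""
    exposed = trace_contacts(flows, patient_zero, infected_at)
    contacts = [d for d in exposed if d != patient_zero]
    return sorted(contacts, key=lambda d: exposed[d][0])


if __name__ == "__main__":
    for device in quarantine_candidates(FLOWS, "10.0.0.20", 150):
        print(device)
```

The `exposed_by` field gives the chain back to the first infected device, which is what an analyst needs when deciding which segment to examine first.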
Immunize
In healthcare environments where medical staff are working to respond to those affected by the pandemic and administering vaccinations, IT staff are responding to various attacks that have increased during a time of chaos and vulnerability. Just as there are front-line and essential workers who must put themselves in harm’s way to do their jobs, many connected devices are required for an organization to function properly. Precautions must be taken, but these devices cannot be removed from service and so they must be fortified against infection.
For the sophisticated, network-connected medical devices that are the backbone of modern medicine, that means discovering and profiling each device in the network, segmenting the network based on risk level and function, and then monitoring for suspicious behavior and other indicators of compromise.
In this time of personal caution, we should learn to be mindful of conducting ourselves safely in order to minimize our exposure to the coronavirus that causes COVID-19. We should also be vigilant in how we operate in a hyper-connected world where malware infections can result in a major calamity for healthcare and other organizations.
As our networks grow more complex and difficult to secure and manage, it is vital that we plan the expansion of our networks in such a way that we can minimize threats through better design and segmentation techniques. We have the tools and knowledge, and therefore no excuse for failing to do so.