There’s a reason a computer virus is called a “virus”: it has many similarities to medical viruses. Notably, just as medical viruses can have a severe impact on your personal health, a computer virus can severely impact the health of your business. In today’s digital world, a computer virus, a “wormable” remote code execution vulnerability designed to persistently replicate and spread to infect programs and files, can begin causing damage in minutes. Sound familiar? According to the CDC, the virus that causes COVID-19 spreads very easily and sustainably, meaning it spreads from person to person without stopping.
With COVID-19 top of mind and making headlines across the globe, CISOs should now take the time to make observations about viruses outside of the technology industry and see how they apply to cybersecurity strategies. So, what exactly can security teams learn from studying medical viruses to ensure the health of a business’ systems and applications? Here are three key considerations.
The more comprehensive testing you receive, the more insight you will get on your health and the quicker you can address any issues. When it comes to medical viruses, a doctor’s visit can include different layers of testing. If you’re not feeling well, a doctor can perform a variety of exams to pinpoint the issue at hand: physical observations, evaluating symptoms, swabs, blood tests. Similarly, with security and vulnerability testing, the diagnosis can depend on the depth of the exam.
Remediation is not possible without first discovering the potential gaps in your system. Or, if you have already experienced a breach, discovery is critical for analyzing how a virus or cyber attacker got there in the first place to ensure it does not happen again. There are multiple types of security testing: tool-based scanning, manual penetration tests and secure code review are some of the most popular. Each layer provides additional insights and increases the scope of coverage. For example, a penetration test can identify vulnerabilities, but code review can dig even deeper to locate errors in software code, the foundation of a secure application. Both tests done together will produce a more robust report. As with a medical exam, multiple tests will give you a more thorough diagnosis of your health risks.
Many viruses can hide symptoms and be contagious for long periods of time before causing any visible damage — a computer virus operates similarly. Virally distributed malware can keep symptoms hidden until the exploit payload is executed, causing damage to computer systems. Similarly, COVID-19 symptoms can occur up to 14 days after exposure (not to mention recent studies indicate that there are a significant number of people who have COVID-19 without showing any symptoms).
In the cybersecurity world, these 14 days of asymptomatic infection would be classified as “dwell time,” or the number of days an attacker is present in a network before they are detected. According to the 2020 M-Trends Report from FireEye, Inc., the 2019 median dwell time was 56 days — down 22 days from 2018. While businesses are detecting and removing cyber attackers faster, the opportunity to reduce dwell time is evergreen. Just as it is important to have proactive scanning and testing measures in place to identify vulnerabilities attackers can exploit to deploy and spread computer viruses, health experts suggest it is critical to broaden COVID-19 testing measures to isolate positive cases and prevent infection.
While a person’s health is strengthened through ongoing personalized care and risk reduction, the health of a computer system also depends on program maturity to prevent vulnerabilities. Cybersecurity maturity is a relatively simple concept when you compare it to human health. When evaluating the health of a person, healthcare professionals recognize that each person has unique needs based on such factors as their age, lifestyle and gender. Based on the data available about what similar individuals are doing to stay healthy, doctors can effectively adjust their approach and medical advice.
This mentality should translate to cybersecurity for viruses and other common vulnerabilities. Understanding the current level of maturity, tracking progress and developing a data-driven plan to evolve your security program is key to the success of any business’ security efforts. For application security, the core criteria for maturity include coverage, compliance, remediation and risk prevention. In other words, the more mature a business is, the better suited it is for risk prevention. And take heed — the more a person pays attention to preventative health measures throughout their life, the better suited they are to fight off health issues as they age.
A final observation: Public health experts continue to caution that COVID-19 is evolving and security experts continue to caution that cyber attacks continue to evolve. Security experts have been given the opportunity to observe and learn from the medical community during the pandemic. By looking at medical viruses, security experts can explore the impact of key strategies to avoid breaches, such as malware attacks (computer viruses, worms, trojans).
Evaluating the breadth and depth of testing efforts, reducing dwell time, and understanding and tracking program maturity can help boost your overall security posture and the health of your business.
About the author
Nabil Hannan is a managing director at NetSPI. He leads the company’s consulting practice, focusing on helping clients solve their cybersecurity assessment and threat and vulnerability management needs. Nabil has over 13 years of experience in cybersecurity consulting from his tenure at Cigital/Synopsys Software Integrity Group, where he built and improved effective software security projects, such as risk analysis, pentesting, secure code review and vulnerability remediation, among others.