Cybersecurity—Eliminating Vulnerabilities and Weaknesses at the Source: A Comparison with Malaria … and Ebola

It has always bothered me that infosec professionals spend so much of their time chasing around after threats and vulnerabilities, many of which could have been avoided if only suitable requirements, design and hygiene had been observed at the outset. While this might seem like a simple concept, it appears to fall mostly on deaf ears and to have eluded the profession over the past several decades.

It might be useful, therefore, to use analogies to drive home the point. And one that I came across a few months ago was that of mosquitoes and malaria. In a June 7, 2014 Opinion article in the Sunday Review section of The New York Times with the title “How to Beat Malaria, Once and for All,” François H. Nosten writes that, rather than spending millions of dollars fighting the disease, we need to recognize that control strategies have failed and that we must figure out how to eliminate the parasite that causes malaria altogether. The article can be found at

So it is with cybersecurity. Prevention strategies have generally failed to eliminate vulnerabilities and protect against attacks. A more effective approach is needed and that requires eliminating the “parasite” in the population as a whole.

What does this means for computer systems and networks, particularly those that are web-facing? In simple terms it means that security has to be built in and that vulnerabilities and weaknesses must be avoided, that is, vulnerabilities must not be introduced in the first place, and the rules have to be applied to ALL systems and networks, not merely a subset. This requires a universal set of policies, standards and procedures that must be strictly enforced. No exceptions. No half measures.

So how could such a program be realized?

In the first place, we need to accept that implementing such requirements is a long-term effort. No-one would willingly stop everything and ratchet back their impending systems. It is unreasonable to expect such a rule to be effected. Further, it is infeasible to upgrade existing operational systems. This is not Y2K. The fixes are not simple and would cost many times the hundreds of billions of dollars that Y2K cost. No, the best we can hope for is to enforce the rules on new systems. Of course, this is far from ideal, but may well be workable … that is if we can come up with a viable set of standards to which everyone must adhere, which itself is a huge effort.

On this basis we must accept that this is a multi-year, if not multi-decade, project. But we have to take the first steps, otherwise there is no hope of reaching the goal of secure systems for all.

While the above discussion centers on a comparison between eradicating malaria and securing information systems, there are similar conclusions that can be drawn from the current outbreak of Ebola. We are already hearing that it will take years to overcome Ebola in West Africa. While there is hope that control strategies for Ebola will work for countries other than those that have been devastated by epidemic, the ultimate goal needs to be to eradicate the virus at the source, which is why we see so much interest in trying to fathom how “patient zero” became infected. The September 28, 2014 article by Holly Yan and Lynda Kinkade of CNN with the title “Ebola: Who is patient zero? Disease traced back to 2-year-old in Guinea” locates the first person thought to have contracted the virus, but the actual source of transmission from (likely) animal to human is not known … see Until and unless we can positively identify the sources and eliminate or treat them, we can only look forward to recurring outbreaks of the disease. If we could trace the source of Ebola to a particular creature, or group of animals, then we would have a hope of preventing the spread as with mosquitoes and malaria. But even then, we need to destroy the Ebola “parasite” as Nosten suggests for malaria.

With cybersecurity, we must confront and destroy numerous “parasites” if we are to ever have a hope of eliminating cyber threats and exploits. Our hope in coming up with a “silver bullet” is just that … a hope. Let’s be realistic and attack the source.

One Comment

  1. Barry Adelman Nov 25, 2014 at 10:24 pm | Permalink

    Warren, Cyber security threats are going to continue to grow in the coming years, so it’s highly essential that companies start securing their entire digital infrastructure, which begins by putting in place information security policies and procedures, provisioning and hardening of such systems, and then undertaking comprehensive security awareness training for employees. Call it the 3-point stance for protecting your organization. The problem is that most companies have (1). Outdated policies (2). Don’t have formalized procedures and checklists for hardening their information systems, and (3) do little or nothing when it comes to security awareness training. This won’t cut it in today’s world, so it’s time to get serious about information security.

Post a Comment

Your email is never published nor shared. Required fields are marked *