Cybersecurity Lessons from the Pandemic: Protection

To paraphrase an old saying: “One person’s prevention is another person’s protection.” This may well apply to the wearing of masks during the pandemic, the efficacy of which is still being hotly debated by some. Having gone through various iterations, the argument for wearing masks has been mainly to prevent those who are infected with COVID-19 from spreading the disease to others. At the same time, there are discussions about how effective various types of mask might be for protecting the wearer from catching the disease from airborne viruses and from touching one’s face. There are also recommendations not to wear the type of industrial-use N95 mask that has a valve built into it, since, while protecting the wearer, infected air might be exhaled through the valve, so that it only offers protection to the wearer. In the my recent BlogInfoSec column on prevention, I mentioned negative pressure rooms that are used in hospitals to prevent diseases from spreading. There are also positive pressure rooms that are designed to protect those within them from external viruses and bacteria, much like the aforementioned N95 mask with a valve.

In other words, prevention is more societal, whereas protection is personal. That is to say, protection is what should save you if avoidance and prevention haven’t worked. It is to be considered a last resort in some cases. Vaccines protect you since they generate antibodies that fight potential infections. Monoclonal antibodies help a person recover after they have already been infected. And other therapies reduce the impact of an infection.

Another analogy is car driver and passenger safety. Seat belts prevent you from hitting the dash or backs of seats in a frontal crash. Air bags, however, not only prevent your hitting objects in front of you, but also protect you by cushioning any impact—and they are automatically deployed into the bargain.

But, are there lessons to be learned from the pandemic for cybersecurity? One lesson is that, if protective measures are not available or are minimally effective, then you have to go with prevention, and vice versa. Aside from the standard protective methods, such as antivirus software, used to protect systems against certain known cyberattacks, and behavior-monitoring systems that seek out anomalies, there are several other approaches that might help. You might use deception or obfuscation, which are more akin to avoidance, and tamperproofing, which holds a fair amount of promise if properly implemented (which is not trivial). I mention tamperproofing in my book “Engineering Safe and Secure Software Systems” (Artech House, 2012) as it is an underutilized means of protecting against attacks against applications that might not otherwise have been detected.

By differentiating among avoidance, deterrence, prevention and protection, one is better able to win the fight against malware and other forms of cyberattack. It is not an either-or situation. Defense-in-depth suggests using as many forms of protection as may be feasible and cost-effective.

When one accepts that preventing cyberattacks reaching your systems can only go so far, one must resort to protective measures. Building a hard outer shell might seem to be the best answer, but once the shell is broken the soft innards become highly vulnerable. There are substantial benefits from fooling attackers, both disease viruses and cyberattacks. We need to better understand attackers of all forms and present to them surfaces that not only stop them from launching an attack but also deceive them into thinking they are successful when in fact they are not. Deception, obfuscation, and tamperproofing offer worthwhile opportunities for deflecting or quashing prospective attacks. The challenge is to implement these approaches while, at the same time, maintaining usability for authorized users.

Post a Comment

Your email is never published nor shared. Required fields are marked *

*
*