Finding The Hidden InfoSec Story

Global Security – Lessons from the Industry


Photo Credit: CDC Global Health via Compfight cc

The Analogies Project contains dozens of stories and discussions in which the security industry (and our corporate colleagues) can learn from real-life lessons and experiences – but in the response to the current ebola outbreak and its tragic ongoing consequences for the people of West Africa, there are plenty of lessons that the security industry can give to politicians and to the public.

1) Boundary controls don’t work on their own

Closing borders and even mandatory screening of incoming travellers cannot adequately mitigate the risk of people bringing the Ebola virus into a country. Ignoring the fact that false positives (hauling people with a cold or flu into quarantine) will cause cost, delays and media outrage, false negatives (not identifying Ebola cases) undermine all confidence in the system. No detection system can have a zero-rate of false positives, and a decent proportion of our time and energy has to be spent on planning for the time when our (network or border) defences inevitably fail.

Even with a perfect system in place that covers everyone travelling from West Africa, it’s unlikely that neighbouring countries (or countries with looser travel controls) will have the same defences in place. It’s a situation that big companies have to face on a daily basis when they look at supply chain risks, and it is one the Western world can’t ignore.

Isolation also hurts everyone; our economy is global, and cutting off half of a continent from all travel (and presumably, once the panic escalates further, all sort of goods shipment) removes national income in affected countries which could otherwise be spent combating the disease.

2) Populist panic undermines incident response

Having an incident response plan (and a mature approach to forensic readiness) is part of modern corporate hygiene – giving in to panic when you’re managing a security incident can lead to key steps being missed, other points of compromise not being mitigated, or digital evidence being modified or handled in a way which prevents it being used in court. It’s vital that security professionals are given the authority to stand up against senior pressure in such situations and ensure that the full process is allowed to proceed without interruption.

Likewise, when government reactions to urgent situations appear to be dictated more by media-induced panic than common sense, it’s unlikely that the result of their actions will be overwhelmingly successful.

3) Effective response is dependent upon early detection (and early detection is dependent upon good reporting)

Our ability to detect and investigate suspicious network behaviour is often patchy at best, but in cases where intruders are detected early in the “kill chain”, an organisation’s response can be far more informed and effective. We’re reliant on getting good information out of our SIEM systems, and a flood of reported events where 99% are false positives (and could be filtered) costs time and resources that  could be better spent on investigating the remaining 1%.

In the case of national emergencies and pandemics, the same is true – it’s much harder to isolate and treat infected members of the public when your emergency services have to spend time dealing with panicked reports of wildly differing symptoms, or when the public’s first response may be unhelpful or counter-productive.

4) Training and awareness is cheap, and good training and awareness is effective

When we’re wanting to change people’s behaviour and avoid them resorting to instinct when dealing with threats, we need to feed them the right information in the right format. It’s a challenge which the wider security industry has struggled with in the past (Heartbleed was a great example of things being done the right way – and is notable as an exception), and which we need to get right.

In order to help the public reliably tell the difference between equinophobia and Ebola (and to know how to react properly to both – including suitable selection of transport if they need a hospital!), there needs to be a calm, measured and informative message conveyed by national governments.

All of the points above support effective awareness campaigns – demonising travellers from West Africa will be wildly unproductive and could lead to unfortunate consequences, and giving in to media rhetoric can lead to public panic and overwhelm the emergency services and medical infrastructure with false positive reports.

5) The root cause of incidents needs to be addressed

Re-imaging a PC, applying patches or reporting a data breach can’t  be the final step in an incident management process – despite the meaning behind the old saying, “closing the stable door after the horse has bolted” is still worth doing if you have more than one horse. Unless you identify and address the root cause of a security incidents, whether that’s inadequate patching, staff clicking on malicious links or a SQL injection vulnerability on your website, it’s overwhelmingly likely that the incident will happen again.

In advanced intrusions, it’s likely that the attacker will have established a foothold on multiple systems or workstations to avoid losing access to your network once you close out the vulnerability they originally exploited. Failure to address the root cause undermines the value of everything that you’ve done to that point.

Nation-state supply chains

Everyone can draw their own conclusions about the root cause of the current Ebola outbreak – but let’s look back at the analogy of other countries being part of a global, interconnected supply chain. As a modern company in a global economy, you have two choices when dealing with supply chain risks – you either work with the supplier to improve their security standards (perhaps certifying to a known, trusted international standard such as ISO27001), or you find another company to supply the same service in a more secure environment.

Unfortunately, that second choice is not an option for national governments when dealing with each other. The only choice that remains for governments in the long-term is to make sure that there’s a common global level of readiness for responding to pandemics (and to other events which can have international ramifications – including economic failures) which is as robust as the Western world has to offer.

Author: David Rimmer

Share This Post On