Finding The Hidden InfoSec Story

A Lesson In Virus Control From Typhoid Mary


http://en.wikipedia.org/wiki/File:Mary_Mallon_in_hospital.jpg

From 1900 to 1915 Mary Mallon, better known as Typhoid Mary, worked as a cook for several wealthy New York families, contaminating their food and actively spreading typhoid fever. Her work as a cook infected many household servants and family members and caused an estimated 50 deaths before she was permanently quarantined in 1915. Mallon was the first person in the United States to be identified as an asymptomatic carrier of the often fatal disease: a carrier who shows no symptoms yet continues to shed the bacteria and spread the contagion. In her case this was made worse by her role as a cook and by her insistence that she rarely washed her hands and saw no need to. Throughout her life she also insisted that she did not carry typhoid, even though it was shown circumstantially as early as 1906 and by scientific means in 2007.

Mallon was first investigated in 1906 by George Soper, a sanitary engineer hired by one of her employers; his investigation uncovered a string of typhoid outbreaks in the households where she had worked between 1900 and 1906. She refused to be tested for the disease and was not formally investigated by the New York City Department of Health until 1907, when Dr. Sarah Josephine Baker placed her in formal quarantine and medical tests confirmed the conclusions Soper had reached. Mallon was released on her own recognizance in 1910 after agreeing to change occupations and stop working as a cook. She promptly changed her name and went back to work as a cook for another five years, until she was permanently quarantined in 1915; she remained in quarantine until her death in 1938.

In today’s information security environment, malware is one of the biggest threats to corporate assets. It comes in countless forms and frequently evades detection even by advanced anti-virus and anti-malware technologies. Not unlike Typhoid Mary, people using work or personal PCs and mobile devices are often completely unaware that they are carriers of a malware infestation unless an outbreak disrupts the device, destroys data or compromises personal accounts (financial, email, social networking, cloud services). These users are the asymptomatic equivalent of Typhoid Mary, right down to her insistence that she was not a carrier. As computing has evolved, information security has evolved with it to include widely available anti-virus, anti-malware and anti-spyware tools that help detect a potential outbreak; but even with these tools the bad guys, like bacteria, often outsmart the defenses or disguise themselves so that they cannot be found. The hidden nature of malware goes further still: many varieties do not activate until specific conditions are met, which makes them even harder to detect.

Taking lessons from Typhoid Mary, we in the information security community need to work within our corporate environments to reduce this threat. Look closely at the pattern she followed throughout her prolific career of spreading typhoid fever: get hired by a family as a cook, prepare meals, spread the contagion. Although untargeted in nature, her contagion was concentrated on wealthy families, since they were the ones who could afford household cooks. This untargeted attack sickened not only the other household servants but also the core family and, in many cases, its matriarch or patriarch. Malware infections in the corporate environment, whether targeted or untargeted, can likewise reach an organization’s most important members, including the executive team (the corporate equivalent of the family’s patriarch or matriarch). The results can be devastating to a firm: service disruption or loss of confidential data that ultimately damages its financial health.

In many cases the simple and often circumstantial preventive and investigative tactics of the early 1900s are similar to techniques still used today. When a cook or household servant was hired, references would be checked, personal health and hygiene would be checked, training on best practices would be provided, and the household would keep watch for rules being broken.

If you think about those basic controls, they are not unlike what we do now in 2013, except that we use additional technology to help identify careless or malicious people and malware outbreaks in our corporate environments. Most information security programs include basic controls such as background checks for employees and contractors, user education, policies and standards, restrictions on non-corporate assets on corporate networks, and technology controls including anti-virus/anti-malware, web proxy filtering and mobile device management to reduce the chance of a malware attack. Many firms fall short on the more proactive controls: checking the health of a PC or mobile device before it is allowed onto the network, quarantining devices that do not meet basic standards or that show signs of active infection, and intercepting SSL traffic, both internally and at the perimeter, to inspect it for malware.

The other area where many firms fall short is the reactive one: security event monitoring that correlates events across enterprise tools (infrastructure devices, data loss prevention tools, perimeter malware detection, proxy servers and so on) so that a potential malware outbreak is identified quickly, before it turns into a full-blown breach.
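The correlation described above, reduced to its essentials, is shown in the following added example (not code from the original article or from any product the author mentions). It normalises constructed log lines from three tools, flags a host that trips two different tools inside a short window, and then pivots from that host’s pre-alert proxy destinations to find other hosts that contacted the same destination but have raised no alert of their own: the asymptomatic carriers of the analogy. The log formats, hostnames, destinations and the known-good list are all invented for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from three tools (proxy, perimeter AV, DLP).
# The line formats, hostnames and destinations are invented for this example.
SAMPLE_LOGS = """\
2013-05-14T09:01:12 proxy host=ws-0412 dst=updates.example-cdn.net action=allow
2013-05-14T09:02:03 proxy host=ws-0412 dst=cfg.badupdate.invalid action=allow
2013-05-14T09:02:40 perimeter_av host=ws-0412 verdict=malicious name=Trojan.Downloader
2013-05-14T09:05:55 proxy host=ws-0201 dst=cfg.badupdate.invalid action=allow
2013-05-14T09:07:10 dlp host=ws-0412 severity=high rule=customer_pii
2013-05-14T10:30:00 proxy host=ws-0987 dst=news.example.org action=allow
2013-05-14T11:15:22 proxy host=ws-0305 dst=cfg.badupdate.invalid action=allow
2013-05-14T14:40:00 dlp host=ws-0987 severity=low rule=internal_memo
"""

# Destinations every workstation legitimately talks to. In a real deployment this
# would come from a prevalence baseline rather than a hard-coded list (assumption).
KNOWN_GOOD = {"updates.example-cdn.net"}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")


def parse_events(text):
    """Normalise each raw line into a dict with ts, source and its key=value fields."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than crash the pipeline
        ts, source, rest = m.groups()
        ev = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
        ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
        ev["source"] = source
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def is_alert(ev):
    """Only verdicts a tool already considers bad count as alerts; plain proxy traffic does not."""
    if ev["source"] == "perimeter_av":
        return ev.get("verdict") == "malicious"
    if ev["source"] == "dlp":
        return ev.get("severity") == "high"
    return False


def suspect_hosts(events, window=timedelta(minutes=30), min_sources=2):
    """Hosts with alerts from at least `min_sources` distinct tools inside `window`.

    One tool firing is noise; two unrelated tools agreeing on the same host within
    a short span is the signal an analyst would chase first.
    """
    alerts = defaultdict(list)  # host -> [(ts, source), ...] in time order
    for ev in events:
        if is_alert(ev):
            alerts[ev["host"]].append((ev["ts"], ev["source"]))

    suspects = {}
    for host, hits in alerts.items():
        for i, (start, _) in enumerate(hits):
            sources = {src for ts, src in hits[i:] if ts - start <= window}
            if len(sources) >= min_sources:
                suspects[host] = start  # first alert of the qualifying window
                break
    return suspects


def possible_carriers(events, suspects, lookback=timedelta(minutes=15)):
    """Pivot from each suspect's pre-alert destinations to other hosts that contacted them.

    Hosts that touched the same destination but have raised no alert of their own are
    the 'asymptomatic carriers': infected, quiet, and possibly still spreading.
    """
    indicators = set()
    for host, first_alert in suspects.items():
        for ev in events:
            if (ev["source"] == "proxy" and ev["host"] == host
                    and first_alert - lookback <= ev["ts"] <= first_alert
                    and ev.get("dst") not in KNOWN_GOOD):
                indicators.add(ev["dst"])

    carriers = defaultdict(set)  # indicator -> hosts that contacted it without alerting
    for ev in events:
        if ev["source"] == "proxy" and ev.get("dst") in indicators and ev["host"] not in suspects:
            carriers[ev["dst"]].add(ev["host"])
    return {ioc: sorted(hosts) for ioc, hosts in carriers.items()}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOGS)
    found = suspect_hosts(evs)
    print("suspect hosts:", found)
    print("possible carriers:", possible_carriers(evs, found))
```

On the sample data only ws-0412 qualifies as a suspect (a malicious AV verdict followed five minutes later by a high-severity DLP hit), and the pivot on its pre-alert destination cfg.badupdate.invalid surfaces ws-0201 and ws-0305 as hosts to quarantine and examine even though neither has tripped an alert. The low-severity DLP event on ws-0987 is correctly ignored. The known-good set is what keeps a shared update server from being treated as an indicator; without some prevalence baseline of that kind the pivot would flag every host in the estate.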

In the early 1900s we did not have the technology platforms we have today, so we relied heavily on humans to detect and contain events like a typhoid outbreak; but even with the investigative skills of Mr. Soper and Dr. Baker, human frailty or obstinacy often got in the way. Releasing Typhoid Mary from quarantine on her word that she would not return to cooking was a fatal mistake that cost more lives. Had basic background checks been done, had staff been taught to wash their hands, had public health officials or private investigators been engaged earlier, had her quarantine been mandatory, or had the disease been removed by the gallbladder surgery practiced in the 1900s, Ms. Mallon might never have earned her unfortunate moniker. Even with all the controls available in 2013 to prevent malware events, we need to stay vigilant and one step ahead of the next ‘Typhoid Mary’ in our corporate environments.

Author: Keith Wilson
