When "Real Life" Viruses Attack
Updated: Apr 13, 2020
Today is day 2 of public schools in our region being cancelled due to the Covid-19 virus and all its unknowns. I cannot help but make the analogy between this physical human virus and a computer virus.
Covid-19 has "taken down" our social, human network. Because this is a new virus, our immune systems have not yet learned to recognize and fight it. Because its spread is rapid and its trajectory unknown, we all must keep apart, infected or not, to protect the larger societal good. We cannot yet tell who is a carrier, who has the virus, and who does not.
If we look at how a new computer virus spreads through the globally connected Internet, we see parallels in how the human virus spreads through the globally connected human network. If we examine how computer networks contain, eradicate, and prevent widespread viruses, we might gain some insight into how to respond to this one.
In the cyber world, we dedicate Incident Response teams to handling a crisis. Before a real crisis hits, these people try to model the types of incidents that could lead to a major disruption. Then they write a set of procedures and build the infrastructure needed to address each scenario. Finally, they run tabletop exercises to test and refine those procedures. These teams are made up of people with different expertise and skills; they are not all IT staff.
The introduction of a new computer virus is one of the most common cyber threat scenarios. While we cannot predict the signature of every new virus, we can set up control measures to prevent or slow its spread. As a first line of defense, we usually have anti-virus software installed on every endpoint in a network. This anti-virus acts much like a person's immune system. Unfortunately, anti-virus software recognizes a virus mainly by "signatures," patterns already recorded in its definitions, so a brand-new virus whose pattern has not yet been captured can slip past it.
That is why we have larger systems at the different borders of the network that are meant to detect anomalies and keep them from entering that part of the network. These systems, Intrusion Detection Systems and Intrusion Prevention Systems (IDS and IPS; an IDS only alerts, while an IPS can also block), constantly monitor network traffic and send alerts to the Incident Response team. The team then takes the appropriate action. Often, the action is simply to disconnect and isolate the affected network segment to avoid further spread.
Because of proper planning, redundant backup systems already exist. The functions of the "quarantined" part of the network can be taken over by the backup systems. The IDS reports all of its findings to a central server so the information can be shared across systems. That way, both affected and unaffected systems are up to date on the latest virus threats moving through the network.
These IDSs are much like how a neighborhood, county, region, or state keeps its pulse on the overall health of its citizens and takes immediate action to contain a potential epidemic to the smallest region possible. The authorities quarantine a small segment of the population and assign a healthier part of the population to absorb their roles temporarily (as best they can). Then the authorities share their findings with all the other authorities.
The new virus that still lives on the quarantined systems is analyzed for its distinctive signatures and patterns, how it spreads, and where it originated, and the resulting definition is added to a shared database of known viruses. This new definition, much like a vaccine, is distributed to the anti-virus software on every endpoint and to the IDSs on the network.
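The three steps above (endpoint anti-virus that only knows recorded signatures, quarantine of an unknown sample, and a new definition pushed out from a shared database) can be made concrete with a small simulation. The code below is an added example written for this page, not code from the original post; every "file" in it is a constructed byte string, not real malware, and the names (`Definitions`, `Endpoint`, `derive_signature`, `distribute`) are this example's own. It also shows the caveat from the anti-virus paragraph: an exact-hash definition taken from one quarantined copy misses a variant that differs by a few bytes, whereas a signature built from the byte run shared by the variants catches a third copy that was never analyzed.

```python
"""Toy signature-based anti-virus with a shared definition database.
Added example for this page; all sample files are constructed bytes, not malware."""
import copy
import hashlib
import re
from dataclasses import dataclass, field


@dataclass
class Definitions:
    """The shared virus-definition database (the post's central server)."""
    hashes: dict = field(default_factory=dict)    # sha256 hex digest -> family name
    patterns: dict = field(default_factory=dict)  # family name -> compiled bytes regex

    def add_hash(self, family: str, sample: bytes) -> None:
        self.hashes[hashlib.sha256(sample).hexdigest()] = family

    def add_pattern(self, family: str, pattern: bytes) -> None:
        self.patterns[family] = re.compile(re.escape(pattern))

    def scan(self, data: bytes) -> set:
        """Families this blob matches; an empty set means 'clean or not yet known'."""
        hits = set()
        family = self.hashes.get(hashlib.sha256(data).hexdigest())
        if family:
            hits.add(family)
        for family, regex in self.patterns.items():
            if regex.search(data):
                hits.add(family)
        return hits


@dataclass
class Endpoint:
    """A host whose local anti-virus carries its own copy of the definitions."""
    name: str
    files: dict                                   # filename -> bytes
    defs: Definitions = field(default_factory=Definitions)
    quarantine: dict = field(default_factory=dict)

    def scan(self) -> dict:
        """Scan every file, move detections to quarantine, return {filename: families}."""
        detections = {}
        for fname, data in list(self.files.items()):
            hits = self.defs.scan(data)
            if hits:
                detections[fname] = hits
                self.quarantine[fname] = self.files.pop(fname)
        return detections


def longest_common_substring(a: bytes, b: bytes) -> bytes:
    """Dynamic-programming LCS, O(len(a)*len(b)); fine for small samples."""
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


def derive_signature(samples: list, min_len: int = 8) -> bytes:
    """Family signature = byte run shared by every quarantined variant.
    A run shorter than min_len would also match benign files, so refuse it."""
    sig = samples[0]
    for sample in samples[1:]:
        sig = longest_common_substring(sig, sample)
    if len(sig) < min_len:
        raise ValueError("no distinctive common byte run; needs manual analysis")
    return sig


def distribute(central: Definitions, endpoints: list) -> None:
    """Push the central definitions to every endpoint (the 'vaccine' rollout)."""
    for ep in endpoints:
        ep.defs = copy.deepcopy(central)


# Constructed samples: same payload core, different surrounding bytes per variant.
CORE = b"NEWVIRUS-STAGE2-LOADER"
VARIANT_1 = b"MZ\x90\x00" + b"\x11" * 6 + CORE + b"\x22" * 5
VARIANT_2 = b"MZ\x90\x00" + b"\x33" * 9 + CORE + b"\x44" * 3
VARIANT_3 = b"MZ\x90\x00" + b"\x55" * 2 + CORE + b"\x66" * 7
OLD_WORM = b"MZ\x90\x00OLDWORM-DROPPER\x00\x00"


def run_outbreak() -> dict:
    central = Definitions()
    central.add_hash("OldWorm", OLD_WORM)
    central.add_pattern("OldWorm", b"OLDWORM-DROPPER")
    eps = [Endpoint("A", {"report.docx": b"quarterly numbers", "update.exe": OLD_WORM}),
           Endpoint("B", {"invoice.exe": VARIANT_1}),
           Endpoint("C", {"photo.scr": VARIANT_2}),
           Endpoint("D", {"setup.exe": VARIANT_3})]
    distribute(central, eps)
    first = {ep.name: ep.scan() for ep in eps}          # only the known worm is caught

    # IR team pulls the unknown samples from B and C (an IDS alert is assumed here)
    # and first tries an exact-hash definition taken from B's copy alone.
    hash_only = Definitions()
    hash_only.add_hash("NewVirus", VARIANT_1)
    missed = hash_only.scan(VARIANT_2)                  # C's variant differs by a few bytes

    sig = derive_signature([VARIANT_1, VARIANT_2])      # shared byte run across variants
    central.add_pattern("NewVirus", sig)
    distribute(central, eps)
    second = {ep.name: ep.scan() for ep in eps}         # D's never-analyzed copy is caught
    return {"first": first, "hash_only_missed": missed, "signature": sig, "second": second}


if __name__ == "__main__":
    print(run_outbreak())
```

Real products add many more detection layers (heuristics, emulation, behavior monitoring) precisely because a byte-level signature derived this way is easy to break by changing the shared bytes; the `min_len` guard is the toy version of the false-positive review an analyst does before shipping a definition.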
So what happens when one of these steps is missed and the network becomes overrun with the virus? At what point does the organization declare a disaster? This is one of the most difficult scenarios to simulate, and therefore to handle. This is when the organization finds out just how resilient it is, and the Incident Response Team decides whether it needs to enact the Disaster Recovery plan.
Disaster Recovery planning is a large undertaking. The plan must include backup and recovery procedures, a prioritization of systems and jobs, a "failover" network infrastructure on which to restore, a communication protocol, and a way to actually reach people. An organization hopes never to enact its DR plan in real life, but if it does, the plan should have been thoroughly tested so that those in charge can execute it and adapt to changes smartly and quickly.
In a human virus outbreak, we often have unexpected emotional responses. We cannot just be powered down. We are not computers. But we have hope, and we must hope that our governments can work together and that they have a "DR" plan to enact smartly and quickly. We must learn to adapt to the mandates the authorities ask of us as they enact their DR plan. Then, when this new virus subsides, we must evaluate what we could have done better to prevent another pandemic. We must "update" our virus signatures, whether through a vaccine, behavioral change, or both. Resilience is key.