Cyber Security and Herd Immunity
Improved hygiene and large-scale vaccination programmes have been shown effective in preventing the transmission of infections. In addition to conferring direct protection to immunised individuals, vaccination programmes also protect susceptible individuals who cannot be immunised. Herd immunity describes a situation where high levels of immunity exist within a population, and this effectively becomes a barrier to infection and curtails the spread of an infectious disease. The value of herd immunity is that it protects individuals with underlying health conditions and/or weakened immune systems, for whom vaccination is not an option.
Biological infections and their transmission are remarkably similar to their IT cousins. System patches in an IT environment are analogous to vaccines in clinical medicine, with patched systems being the equivalent of immunised individuals. Akin to individuals with weakened immune systems, there are also IT systems that cannot be patched or otherwise ‘immunised’. There are many such systems – for example, some diagnostic equipment in the healthcare sector, or legacy systems in transport or financial services – where patching is simply not possible.
Networked connectivity is increasingly a requirement, even for specialist and legacy systems that were not designed with connectivity in mind. Servicing these systems – and maintaining a stable connection to the wider network – is not a trivial task. Patching or applying software updates may disrupt the connectivity required for normal operations. This is a dilemma for the organisation: continue to run potentially insecure systems, or risk inoperability. Given the importance of these systems and the disruption caused if they are rendered non-operational, decision makers typically select functionality over security.
Although it may not be easy, or might indeed be impossible, to patch these systems, the IT equivalent of clinicians are not powerless. The same strategies used in healthcare can also be applied to protect ‘unvaccinated’ systems and technologies against cyber attacks. Practising good cyber hygiene, raising awareness among employees, and embedding security reviews within operational processes all help to improve security.
The following recommendations can help to protect systems and devices not amenable to patching:
1. Implement layered defence.
This forces malicious code to bypass multiple controls (e.g. malware defence, secure configuration, audit logs) before it can reach potentially vulnerable systems, and should be a standard approach in any connected operational environment. Should a particular layer fail, other ‘safety nets’ can be used to safeguard the system.
2. Protect the devices and networks adjacent to and communicating with the affected systems.
This helps to reduce the infection rate and limit the damage. Unpatchable systems can be protected by the IT equivalent of herd immunity, by making sure systems that interact with them are patched and protected to curtail the spread of malicious code. This effectively forms a ‘ring of steel’ around the vulnerable systems.
3. Actively monitor critical systems that cannot be patched.
As with biological patients, these specialist systems will need more active monitoring. In healthcare, this means more frequent visits to the doctor; in IT, this involves more extensive logs and audits, and anomaly detection.
4. Plan ahead!
Prepare and test your response plans for use when an infection or data breach is detected. In a highly connected world, it is becoming increasingly unrealistic to be ‘infection-free’; the goalposts have moved from preventing an attack to being able to respond to an attack. The key is to be able to detect and respond promptly and confidently, to limit transmission of the infection and control damage.
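As an added illustration of recommendations 2 and 3 (this is example code written for this page, not part of the original article), the script below takes a small asset inventory and a handful of connection-log lines and performs two checks: the ‘ring of steel’ check, which lists every host observed talking to an unpatchable asset that is not itself patched (or is not in the inventory at all), and the monitoring check, which flags any connection to an unpatchable asset from a host outside its expected set of peers. The hostnames, patch states, log format and timestamps are all constructed for the example; a real deployment would feed the same logic from an asset register and firewall or flow logs.

```python
"""Herd-immunity style checks for assets that cannot be patched.

Added example, not from the original article. Every host, patch state and
log line below is constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    patchable: bool          # can this system take patches at all?
    patched: bool            # is it currently up to date?
    expected_peers: set[str] = field(default_factory=set)  # hosts allowed to talk to it


# Constructed inventory: one unpatchable diagnostic console and three ordinary hosts.
INVENTORY = {
    "mri-console": Asset("mri-console", patchable=False, patched=False,
                         expected_peers={"pacs-gw", "jump-host"}),
    "pacs-gw": Asset("pacs-gw", patchable=True, patched=True),
    "jump-host": Asset("jump-host", patchable=True, patched=False),
    "ward-pc-17": Asset("ward-pc-17", patchable=True, patched=True),
}

# Constructed flow log: timestamp, source host, destination host, destination port.
FLOW_LOG = """\
2018-10-29T08:00:01 pacs-gw mri-console 104
2018-10-29T08:00:05 jump-host mri-console 22
2018-10-29T08:02:11 ward-pc-17 mri-console 445
2018-10-29T08:03:40 pacs-gw jump-host 443
"""


def parse_flows(text: str) -> list[tuple[str, str, str, int]]:
    """Parse the whitespace-separated flow log into (ts, src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows.append((ts, src, dst, int(port)))
    return flows


def ring_of_steel_gaps(inventory: dict[str, Asset], flows) -> dict[str, set[str]]:
    """Recommendation 2: for each unpatchable asset, return the peers seen
    communicating with it (in either direction) that are unpatched or unknown.
    An unknown peer is treated as a gap because it cannot be vouched for."""
    gaps: dict[str, set[str]] = {}
    for _ts, src, dst, _port in flows:
        for target, peer in ((dst, src), (src, dst)):
            asset = inventory.get(target)
            if asset is None or asset.patchable:
                continue  # only unpatchable assets need the ring
            peer_asset = inventory.get(peer)
            if peer_asset is None or not peer_asset.patched:
                gaps.setdefault(target, set()).add(peer)
    return gaps


def unexpected_peers(inventory: dict[str, Asset], flows) -> list[tuple[str, str, str, int]]:
    """Recommendation 3: flag every flow into an unpatchable asset whose source
    is not in that asset's expected peer set, i.e. the anomalies to investigate."""
    alerts = []
    for ts, src, dst, port in flows:
        asset = inventory.get(dst)
        if asset is None or asset.patchable:
            continue
        if src not in asset.expected_peers:
            alerts.append((ts, src, dst, port))
    return alerts


if __name__ == "__main__":
    flows = parse_flows(FLOW_LOG)
    for target, peers in ring_of_steel_gaps(INVENTORY, flows).items():
        print(f"ring of steel gap: {target} is reached by unpatched/unknown {sorted(peers)}")
    for ts, src, dst, port in unexpected_peers(INVENTORY, flows):
        print(f"anomaly: {ts} {src} -> {dst}:{port} (not an expected peer)")
```

Running the script reports that jump-host, which is allowed to talk to the console but has not been patched, breaks the ring, and that ward-pc-17, although patched, is not an expected peer of the console and so is raised as an anomaly for investigation. The two checks deliberately answer different questions: the first is about whether the surrounding systems are ‘immunised’, the second about whether the vulnerable system is being approached by something it should not be.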
Even for the vulnerable ‘souls’, as in medicine, security practitioners are not powerless. Legacy and specialist systems will always exist and will always present security challenges. Herd immunity is a useful concept that has a role to play in cybersecurity, as it does in the physical world around us – helping to protect vulnerable individuals from infection.
Dr Wendy Ng, CISSP, CCNP; 29th October 2018