The role of herd immunity in cybersecurity //25.09.18
Author: Dr. Wendy Ng, cyber security professional, Deloitte
Improved hygiene and large-scale vaccination programmes have been shown to be effective in preventing the transmission of infections. As well as giving direct protection to the immunised, vaccination programmes also protect susceptible people who can’t be immunised. This is what we refer to as herd immunity, where high levels of immunity exist within a population and the spread of an infectious disease is curtailed. The value of herd immunity is that it protects people with underlying health conditions and/or weakened immune systems – even when vaccination isn’t an option.
Biological infections and their transmission are remarkably similar to their IT cousins. System patches in an IT environment are analogous to vaccines in clinical medicine, with patched systems being the equivalent of immunised individuals. And, just as some people have weakened immune systems, there are also IT systems that cannot be patched or otherwise “immunised”. There are many systems (for example, some diagnostic equipment in the healthcare sector or legacy systems in transport or financial services) where patching is simply not possible.
Networked connectivity is increasingly a requirement – even for specialist and legacy systems that were not designed with connectivity in mind. Servicing these systems – and maintaining a stable connection to the wider network – is not a trivial task. Patching or applying software updates may disrupt the connectivity required for normal operations. This is a dilemma for the organisation: continue to run potentially insecure systems, or risk inoperability. Given the importance of these systems, and the potential disruption if they’re rendered non-operational, decision makers typically select functionality over security.
Although it may not be easy, or might indeed be impossible, to patch these systems, the IT equivalents of clinicians are not powerless. The same strategies used in the healthcare realm can also be applied to protect “unvaccinated” systems and technologies against cyber attacks. Practising good cyber hygiene, raising awareness among employees and embedding security reviews within operational processes all help to improve security.
These recommendations can help to protect systems and devices not amenable to patching:
1. Implement layered defence.
This forces malicious code to bypass multiple controls (for example, malware defence, secure configuration and audit logs) before it can reach potentially vulnerable systems. This should be a standard approach in any connected operational environment. Should a particular layer fail, other safety nets can be used to safeguard the system.
2. Protect the devices and networks adjacent to (and communicating with) the affected systems.
This helps to reduce the infection rate and limit damage. Unpatchable systems can be protected by the IT equivalent of herd immunity, by making sure systems that interact with them are patched and protected to curtail the spread of malicious code. This effectively forms something of a ring of steel around the vulnerable systems.
3. Actively monitor critical systems that can’t be patched.
As with biological patients, these specialist systems will need more active monitoring. In healthcare, this means more frequent visits to the doctor. In the IT world, this involves more extensive logs and audits, as well as anomaly detection.
4. Plan ahead.
Prepare and test your response plans to ready yourself for a potential infection or detection of a data breach. In a highly connected world, it’s becoming increasingly unrealistic to be infection-free and the goalposts have moved from preventing an attack to being able to respond to an attack. The key is to be able to detect and respond promptly and confidently to limit the transmission of the infection.
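The “ring of steel” idea in recommendation 2 can be checked on a network map rather than argued by analogy. The following is an added illustration, not code from the article or from Deloitte: a constructed four-host network with one unpatchable diagnostic device, where malicious code is assumed to spread only across hosts that are not patched. It computes which unpatchable hosts remain reachable from an entry point under different patching choices, and shows that patching only some of the device's neighbours leaves it exposed.

```python
"""Toy reachability model of herd immunity for unpatchable hosts.

Assumption (constructed for this example): malware propagates along network
edges only through hosts that are not patched; a patched host neither becomes
infected nor relays to its peers. An unpatchable host is protected when every
path from the entry point passes through a patched host.
"""
from collections import deque

# Constructed network: a user workstation (the likely entry point), two
# intermediate servers, and an unpatchable diagnostic device behind them.
NETWORK = {
    "workstation": {"fileserver", "appserver"},
    "fileserver": {"workstation", "appserver", "diagnostic_mri"},
    "appserver": {"workstation", "fileserver", "diagnostic_mri"},
    "diagnostic_mri": {"fileserver", "appserver"},
}
UNPATCHABLE = {"diagnostic_mri"}


def spread(network, patched, start):
    """Return the set of hosts reachable from `start` without crossing a patched host."""
    if start in patched:
        return set()
    seen = {start}
    queue = deque([start])
    while queue:
        host = queue.popleft()
        for peer in network[host]:
            if peer in patched or peer in seen:
                continue  # patched hosts are "immunised" and do not relay
            seen.add(peer)
            queue.append(peer)
    return seen


def exposed_unpatchable(network, patched, unpatchable, start):
    """Unpatchable hosts that an infection starting at `start` could still reach."""
    return spread(network, patched, start) & unpatchable


def ring_of_steel(network, unpatchable):
    """Patchable neighbours that must all be patched to isolate the unpatchable hosts."""
    ring = set()
    for host in unpatchable:
        ring |= network[host] - unpatchable
    return ring


if __name__ == "__main__":
    ring = ring_of_steel(NETWORK, UNPATCHABLE)
    print("nothing patched:", exposed_unpatchable(NETWORK, set(), UNPATCHABLE, "workstation"))
    print("only fileserver patched:", exposed_unpatchable(NETWORK, {"fileserver"}, UNPATCHABLE, "workstation"))
    print("full ring patched:", exposed_unpatchable(NETWORK, ring, UNPATCHABLE, "workstation"))
```

The partial case is the instructive one: patching the file server alone still leaves a route via the application server, so the device is only protected once the whole ring is covered.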
Security practitioners are not powerless. Legacy and specialist systems will always exist and will always present security challenges. Herd immunity is a useful concept that has a role to play in cybersecurity, as it does in the physical world around us by protecting vulnerable people from infection.