It’s a weird time to be alive. Millions of people globally are living under government lockdowns, as we collectively endure the COVID-19 pandemic. COVID-19 has brought to light some fundamental truths about humanity, including our deep-seated need for social interactions. It has also highlighted how reliant we are on critical infrastructure like our healthcare systems and internet connections, both of which are currently strained.
One of the most fascinating by-products of the COVID-19 pandemic for me personally, however, is how it has suddenly brought science and public health back to the fore of conversation. We are all washing our hands more, practicing social distancing, and acutely aware of how our choices may impact other people. Those of us in white-collar professions, including the technology field, are also now working from home in order to practice safe social distancing, which has created a host of significant cybersecurity vulnerabilities.
I graduated with my Master's in Public Health from UC-Berkeley in 2011, and I love understanding the spread of disease and the impact of interventions like vaccines (and more mundane things like trash cans!). In 2014 I entered the field of cybersecurity via IBM, which then led me to complete a Master's in Cybersecurity from Brown University in 2018. These two degrees seem very different from one another, but the two fields have clear parallels. Much of our language in cybersecurity is borrowed from healthcare. A computer gets “infected” with a “virus” that spreads across endpoints. Sound familiar? You just replace computer with “human” and endpoints with “population,” and you essentially have a pandemic.
As the world has adjusted to living under the threat of COVID-19, I began thinking about how similar a pandemic is to malware. Can understanding COVID-19 help us understand malware or vice versa? Let’s explore this together and see if the analogy holds. To do this, we will break down how the COVID-19 pandemic works first, along with the mitigation efforts, and then explore the parallels to malware and cybersecurity.
What is a pandemic?
According to the CDC, “A pandemic is a global outbreak of disease. Pandemics happen when a new virus emerges to infect people and can spread between people sustainably. Because there is little to no pre-existing immunity against the new virus, it spreads worldwide.”
Enter COVID-19
COVID-19 is the name of the disease caused by the novel coronavirus, SARS-COV-2. SARS-COV-2 spreads from person to person, through droplets or aerosols, by entering the nose, mouth, or eyes. Aerosol spread is particularly hard to contain, because it means that an asymptomatic person can spread the disease just by talking, and the virus particles can live in the air up to three hours. When you become infected by SARS-COV-2, you have COVID-19 (the disease state), even if you are asymptomatic.
Stopping the spread
As COVID-19 spread around the world, “hot-spots” developed in China, then Italy and other parts of Europe, followed by New York City. Social distancing became a primary means of mitigating the spread. Countries like South Korea and New Zealand implemented vast testing protocols early and began contact tracing, so that huge parts of society did not have to shut down for long periods of time.
Time to contrast the COVID-19 pandemic with malware.
What is malware?
Malware is an abbreviation of “malicious code.” NIST defines malware as “hardware, firmware, or software that is intentionally included or inserted in a system for a harmful purpose.” A virus, worm, Trojan horse, or other code-based entity that infects a host is malware. Spyware is also an example of malware.
How does malware operate?
Malware can be installed on an endpoint by inserting an infected USB stick into the machine or by clicking on a malicious link. Once on an endpoint, malware may move laterally across a network, infecting other endpoints. Some malware is designed to wait silently on a machine, effectively doing nothing until a trigger point is reached. Other malware is designed to immediately wreak havoc. Some of the most harmful malware attacks have been perpetrated by zero-day exploits, which we will explore later in this post.
Stopping the spread
One mitigation tactic for malware is air-gapping (think social distancing). Kim Zetter describes an air-gapped computer as one “that is neither connected to the internet nor connected to other systems that are connected to the internet.” Other mitigation tactics include anti-virus software and intrusion prevention systems (IPS) (think vaccines).
Is COVID-19 a Zero-Day Attack?
In many ways, the novel coronavirus (SARS-COV-2) causing COVID-19 is the worst type of malware – one used in a zero-day attack. Let’s explore the parallels.
Example one
SARS-COV-2: A novel coronavirus that humans have never been exposed to before. Therefore, we have no immunity to the virus, which means we have no “herd-immunity” to stop the spread.
Vs.
Zero-Day Vulnerability: Created when a software vulnerability is unknown to the developers. Therefore, no patch exists for the vulnerability, leaving the software open to exploitation without detection.
Example two
SARS-COV-2: Can infect a host and spread from person to person while the host remains asymptomatic. No vaccine exists for SARS-COV-2, as the virus just evolved to spread in humans.
Vs.
Zero-Day Attack: An unknown software vulnerability is exploited by attackers releasing malware. The malware goes undetected, because it has never been seen by anti-virus software or an IPS.
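To make the analogy concrete, here is a small outbreak simulation added for this post (constructed example, not the author's code). Hosts sit on a random network; “patched” hosts are immune like vaccinated people, cutting links is the air-gap/social-distancing move, and every newly infected host gets one silent step to spread before it is detected and cleaned, playing the asymptomatic carrier. Network size, link density, transmission probability and seeds are illustrative assumptions.

```python
import random

def build_network(n_hosts, avg_degree, seed):
    # Random undirected graph: each pair of hosts is linked with probability avg_degree/(n-1).
    rng, p_link = random.Random(seed), avg_degree / (n_hosts - 1)
    adj = {h: set() for h in range(n_hosts)}
    for a in range(n_hosts):
        for b in range(a + 1, n_hosts):
            if rng.random() < p_link:
                adj[a].add(b); adj[b].add(a)
    return adj

def air_gap(adj, keep_fraction, seed):
    # Drop a share of the links: the network analogue of social distancing.
    rng, gapped = random.Random(seed), {h: set() for h in adj}
    for a in adj:
        for b in adj[a]:
            if a < b and rng.random() < keep_fraction:
                gapped[a].add(b); gapped[b].add(a)
    return gapped

def reachable(adj, start):
    # Every host the seed could ever reach: the ceiling on any outbreak.
    seen, stack = {start}, [start]
    while stack:
        for nb in adj[stack.pop()]:
            if nb not in seen:
                seen.add(nb); stack.append(nb)
    return seen

def simulate(adj, patched_fraction, p_transmit, seed, seed_host=0):
    # Discrete-time SIR: patched hosts are immune; an infected host spreads for one silent step, then is cleaned.
    rng, hosts = random.Random(seed), sorted(adj)
    patched = set(rng.sample(hosts, int(patched_fraction * len(hosts)))) - {seed_host}
    infected, ever = {seed_host}, {seed_host}
    while infected:
        new = set()
        for h in infected:
            for nb in adj[h]:
                if nb not in ever and nb not in patched and rng.random() < p_transmit:
                    new.add(nb)
        ever |= new; infected = new
    return len(ever)

def scenarios(n_hosts=300, avg_degree=6, p_transmit=0.4, seed=7):
    # Same network under three defensive postures; returns hosts ever infected for each.
    net = build_network(n_hosts, avg_degree, seed)
    return {"no_defence": simulate(net, 0.0, p_transmit, seed),
            "patched_70pct": simulate(net, 0.7, p_transmit, seed),
            "links_cut_to_30pct": simulate(air_gap(net, 0.3, seed), 0.0, p_transmit, seed)}
```

Run `scenarios()` to compare the three postures on one network; the zero-day case is the first entry, where nothing is patched and nothing is segmented.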
If we put this idea into an historical example, the similarities become even clearer. Let’s take a famous example, the Stuxnet worm, and see if the parallel to the COVID-19 pandemic applies.
Here is how the Encyclopedia Britannica describes Stuxnet. “Stuxnet, a computer worm, discovered in June 2010, that was specifically written to take over certain programmable industrial control systems and cause the equipment run by those systems to malfunction, all the while feeding false data to the systems monitors indicating the equipment to be running as intended.”
Now, here is that same paragraph, with SARS-COV-2 replacing Stuxnet. “SARS-COV-2, a novel coronavirus, discovered in China in late 2019, that specifically evolved to inject its genetic material into cells in our nasal passages, lungs, and intestines, in order to reassign those cells with the task of making millions of copies of itself and cause the host cells to die, releasing those copies of the virus into our bodies, all the while spreading from person to person while the infected person is running as intended (asymptomatic).”
What do you think? Do you agree with my analogy that COVID-19 and malware are similar? I’d love to hear your thoughts on Twitter or LinkedIn. You can find me on Twitter @cyberkatelyn and on LinkedIn at https://www.linkedin.com/in/katelynilkani/. I can also be found working at scopedive.com.