gomabonshop

The new coronavirus (COVID-19) is unable to grasp the infection status and route due to the failure of the initial movement in Japan, so it is only possible to focus on suppressing the infection cluster and responding to the onset person. The debate about quarantine and inspection hasn't converged, but what happens when we apply this situation to cybersecurity? There are considerable differences between real viruses and computer viruses, but there are many commonalities in terms of risk management.

Freelance writer Shinji Nakao

What do you see when you think about coronavirus problems from a cybersecurity perspective?
Looking back on the new coronavirus problem with risk management
First of all, I'm not an expert on infectious diseases, epidemics, and (realistic) viruses. This paper does not provide 100% effective information and analysis for actual countermeasures and countermeasures against new coronaviruses.

From the perspective of risk management and incident response, this is merely a presentation of various problem events occurring this time, the common points of responses, their interpretation, reference information for their own judgment, and their ideas. Simply put, if the current situation of the new domestic coronavirus is likened to a cyber attack or security incident, what kind of situation and what kind of technology or process the countermeasures and countermeasures will take will be considered.

The main idea is to analyze risk management and cyber security from the new corona virus problem rather than analyzing public health and the current new corona virus countermeasures from the perspective of risk management and cyber security.

If we compare the current situation to an IT system incident,
What is the current situation surrounding the new coronavirus like an IT system and its cyber incident?

This malware has the ability to spread the infection through the network (Himamatsu infection). It is also known that malware is highly effective against old PCs and operating systems, but new systems are less susceptible to damage. Especially, if security updates (alcohol disinfection, hand washing, gargling, masks, etc.) are performed properly, it has been confirmed that the infection is prevented to a certain degree.

However, infection is limited to the same LAN segment (dense contact) connected by a switch. There are many Internet (overseas) connections (airports and ports). Each LAN has a connection port, and although the firewall and demilitarized zone (DMZ) settings (quarantine level) have cleared the minimum, they are not uniform. As a result, the damage to the whole is small, but the infectivity is strong and the local damage is large.

Due to unknown malware, there are problems of false detection and oversight due to the accuracy of the inspection method (PCR accuracy / specificity), and problems of resources (time / budget / personnel / law), so forced inspection of all devices is impossible. Moreover, the system cannot be stopped, and there is no choice but to detect and recover malware in the operating environment. No effective vaccine software has been developed.

▽ Immediate response is to reduce the infection speed by degrading the system (event cancellation, remote work etc.) and focus on preventing infection explosion. If the disease does not occur, it will not affect the system, so the detection and removal of malware will be a strategy of conducting detailed inspections of the signs and isolating them from the system.

Thinking in the initial response to an incident
In IT systems, it is difficult to identify malware infections, and even if there is no effective vaccine software, it can be restored by reinstalling or replacing the system, so it cannot be said as a virus that infects humans. However, if there is a broad understanding of risk management and incident response, there should be knowledge that can be applied or referenced.

I can't talk in the same line, but there must be common knowledge

(Photo / Getty Images)

First, how do you think about dealing with unprecedented situations? In risk management, the introduction of BCP, DR, and crisis management concepts, as well as the ability to recover and resilience are currently being questioned. Today's unprecedented incident response manuals and minimum decisions are common sense. .

The most important thing in the incident response procedure is the “first action”. The escalation procedure, the mechanism by which the first report of an incident is correctly raised. Then, the decision and decision making of the priority work in the field information, that is, the triage work, determines the results of all the work and the measures thereafter.

In the case of the new coronavirus, there seems to be controversy over when to consider the first report in Japan, but let's assume that it is the time when the first infected person is confirmed in Japan. The first infected were not Japanese, but returned from China.

Infected people from countries where epidemics (epidemics) are becoming apparent, for example, are in a state where malware intrusion has been confirmed from firewall and EDR logs. By the way, if the infected person can be detected by the customs medical checkup and body temperature measurement, it can be said that the filtering function of the firewall stopped it, that is, the measures at the waterfront were successful.