Why is a computer virus called a "virus"? Computers get sick and need to be quarantined and disinfected. These terms sound a lot like terms we apply to humans who are ill. In this episode, I explore how malware mimics a pandemic with Gabrielle Hempel.
I'm your host, Katelyn Ilkani, and I have a master's in public health and a master's in cyber security, which gives me a unique perspective on this discussion.
Gabrielle is both a genetic scientist and cloud security engineer, and she will break down malware and pandemic terminology for us and give us her thoughts on steps organizations can take to better prepare for malware.
You're listening to Security Economy. Let's hear from Gabrielle.
Gabrielle, thanks for joining me on Security Economy.
Thank you for having me.
Absolutely. I'm so excited to talk about the topic today around similarities between pandemics and malware. But before we jump in, I'd love it if you could tell us more about yourself.
I had an unconventional career path into security.
I went to the University of Cincinnati where I studied neuroscience and psychology.
Once I graduated there, I got a job in pharmaceutical regulation. I worked on regulatory compliance with FDA studies, drug development, and things like that.
In that role, I led a couple of specialized committees doing phase one research, which is human subject focused. I've done research with pharmaceuticals, infectious diseases, and then emergency research, as well.
I moved into information security in 2018 after getting interested in medical device security. I kept getting reports that medical devices were vulnerable.
I started researching medical device security and decided I was super interested in information security and cyber security.
I'm starting next week as a cloud security engineer and before that I was a cyber security analyst. My areas of research are generally medical device security, and then any interesting ways that I can cross over some of the scientific stuff that I know with information security.
Well, let's do some of that in the show today. Let's talk about how pandemics work. We're living through a pandemic now with this novel Coronavirus, and I want to make sure that everyone's familiar with this terminology before we get too far into the show.
I think people get pandemic and epidemic confused a lot.
A pandemic is when you have basically what is a widespread epidemic. It spreads across a wide region and that can be multiple countries or multiple continents; it's at the discretion of The World Health Organization.
The most important thing with a pandemic is that the disease has to be infectious.
And that's another thing, you would think that cancer would be pandemic because it takes so many lives, and kills so many people, but it's technically not because you can't catch cancer from someone else.
Obviously, when we have a pandemic, we want to contain and mitigate it.
And we've seen that in the news everywhere; everyone is talking about flattening the curve. Essentially, you're wanting to draw out the peak of the curve, so you're not overwhelming the health care resources.
So, delay the outbreak peak essentially. And then there's also the use of quarantine and self-isolation, which we're very familiar with at this point, and personal protective equipment as well.
Why does a pandemic remind you of malware?
Malware is kind of a catch-all for a lot of different types of attacks, and the one that would be most similar to what we see in a pandemic is a virus.
There are a lot of similarities between the two. They basically have the same phases. There's usually a dormant phase where the virus program on your computer sits idle; it waits for something. The files can just kind of chill on your system until something happens or you open a program or something along those lines.
A virus kind of does the same thing biologically. It'll enter someone's body, and it doesn't always do something right away. Sometimes they have periods of latency, and suddenly, things start to pop up.
Next, with both of them, there's a propagation phase, which is basically when something kicks off the virus on the computer and causes it to do something, whether that's harmful or not harmful.
It's similar in a human body. That's when you start to have the virus replicate, and it essentially needs to attach onto a host.
When you have a human biological virus, it essentially finds its way in and attaches to one of your cells. It injects its genetic material into that cell, and then the cell starts to multiply with that material, and that's how you get the virus spreading through your body.
Computers are very much the same way, you have one computer on a whole network that gets infected.
Obviously, the virus can't go anywhere without connectivity. Suddenly, you're getting it spread from computer to computer, person to person, company to company.
We know that with a pandemic, we are trying to stop it with social distancing and personal protective equipment, like masks. What is the corollary to stopping malware?
It's really kind of similar in an odd way.
We plan based on common attack vectors. We actually have analysts that look at different malware attacks.
What's happening most often? What viruses are hitting people most often and big companies and causing the most chaos?
We build our protective measures based on that, which is kind of interesting. Think of it as like our flu shot every year; they're picking the strains that they think are most likely to hit that year, and hope that they guessed right.
We look at what types of attacks are out there, and the first line of defense is to protect against known attacks.
We also need to do a lot of education.
With the coronavirus spread, we're telling people to wash their hands a lot, stay a certain distance away from other people, wear masks, etc.
Computer viruses are kind of similar in that we need to educate people on protective measures more, and I think that's kind of where a big hang up is with a lot of companies.
They don't necessarily educate people the way that they need to, and 9 times out of 10, a virus spreading is caused by human error. For example, when someone opens a malicious file, or enters their credentials somewhere they shouldn't.
It usually takes someone's action to spread a virus.
Gabrielle, what do you think about the types of education that are available today?
As far as malware, I think it's lacking.
The cyber security education out there is really, really good. There's a lot of different learning platforms for the people that want to be in the field, but I think we're kind of missing that step where you can educate your average person, who is not an information security specialist.
There's people that work in other fields that don't speak all the tech language, and you want to make it digestible for them. I think that's really somewhere where we're lacking.
A lot of companies are starting to build their own programs, sending out fake phishing emails to see who clicks on links, and stuff like that.
Are we seeing new types of malware?
You just mentioned phishing; are we seeing different phishing attacks or new types of malware that are trying to take advantage of the fear and uncertainty of the pandemic?
Absolutely. It has been insane.
We've been tracking this over the last couple weeks, I guess at this point. When it started becoming a big thing, and ramping up here in the US, we started to see a lot of people trying to take advantage of the fear.
Lots of phishing campaigns are using COVID-19 topics, and a lot of these are in legitimate looking emails with Excel or Word documents that look legit.
They're hard to detect.
There's also phishing campaigns specifically that are pushing fake CDC messages, which is really scary. It basically comes through and it says, "Hey, we've got confirmed cases at your location, click here."
I mean, your average person's gonna be like, "Oh, I need to click on this" and "What's going on," and I would even be tempted.
There are some [emails] that take you to a fake Microsoft 365 site login that looks super convincing, and the landing page says, "Click here and enter your credentials to download company guidelines about the Coronavirus."
Oh my gosh, I'm sure a ton of people have clicked on that and put in their credentials.
It's super convincing; it just looks so real. I would totally click on that.
Even some of the COVID map sites, there have been some people that found malicious code, chilling behind the map.
There are some sites that were designed to look good, and share information on the front end, but maybe not be so kind on the backend.
You have to be careful, making sure that you're looking at a legitimate resource.
Yes, and don't click on anything or enter your credentials. You shouldn't.
I usually tell people to make sure to check the email address, not the name, but the actual address of the sender before you click. Try to remember to do that.
Yeah, or you can hover over the link too and see like where it takes you. If it takes you to the Microsoft site, or if it's taking you somewhere completely different, there are different key indicators like that.
Even more though, they're taking advantage of phone and SMS, too.
There's been some SMS phishing too. I haven't heard about it in the US yet, but I heard someone from the UK got a big text message from NHS, and then someone from Canada told me that they got a spoofed call from a public health line.
It actually looked like the public health number was the number that was calling them, but it wasn't. Super crazy, it's been pandemonium.
I feel like emotionally, people can't handle much more, right? They are already feeling so stressed. They're really not used to having to be home all the time.
A lot of people are dealing with not being able to pay their rent and food insecurity. And then you put this on top of it.
Yeah, and I think at this point, we're kind of desperate for all the information we can get. We want to see these articles that say, "Oh, this is happening here," and I think in order to feel like we have a little bit more control over the situation, that's what we're trying to do.
We're saying, "Okay, I want to know exactly what's happening in my area," "how many cases are in my city," and that's really the fear that they're playing on with this malware.
How is the security community responding to these things? How are they mobilizing?
It's been really, really cool to see.
There's so many people doing so many different job functions that not everyone has something in common. And it's been so cool.
I posted asking for examples of some of this malware a couple weeks ago, and I had so many different replies from so many people saying, "Hey, I saw this," and "I saw this," and "We're trying to stop this," and "We're educating our company on this."
They're really largely responding with education and making these threats known. Telling as many people as they can about them, putting them on social media and just hoping that people don't get taken advantage of.
We also had a few groups form, which has been really cool. I'm part of one of them.
It's the cybER, a cyber emergency response team for COVID based attacks. There's a lot of different skill sets on the team, and people from all over.
There's people from the UK, different parts of Europe, and Australia, and they have all these different skill sets.
If something were to happen on a large scale, so say, a really, really big cyber attack got launched on an international company or some kind of international entity, they would want people with these skill sets to work on it. We're kind of on call and ready as we need to be.
I know there's been a lot of talk. People are afraid that the phishing and malware is going to get out of control, and it's going to turn into big cyber attacks with people taking advantage of the hospitals being overwhelmed and the infrastructure being overwhelmed.
That really scares me. Our hospitals are already getting so strained with taking in new COVID patients. What happens if there's a big cyber attack at the same time and their computer systems go down?
Yeah, and especially with things like ransomware; you're familiar with that. You'll have to pay a ransom to get your information back, and you're not even sure you're going to get it back. But that's really your only hope at that point.
And it can take time, even if you pay them, right?
Yes, but hospital systems, and especially the medical system, if someone were to hit it with ransomware, you'd almost be forced to pay the ransom at this point. It would just wreak a lot of havoc and hurt a lot of people with how overloaded everything is.
Really scary to think about because, I think the people who are doing those kinds of crimes may not think that there's any problem with that, right? That's just how they're living their lives.
There's different motives behind the reasons that people do these things, but a lot of them are largely financial. They're not thinking about the human aspect of it.
They're just seeing, "Oh, this infrastructure is strange, let's take advantage of that."
They want money, or there are often times when attacks have been attributed to state actors as well. Then you get into the discussion of if there's a country or a group behind these things, and it gets messy.
That does get messy. One of the classes that I took in my cyber security Master's was around the politics of cyber security and cyber war, and at what point is this an attack, like it's considered to be on the scale of going to war? And that gets very messy, very quickly.
It does. I've heard a lot of really interesting opinions on how the next war might end up being more electronic, on the cyber side of things, and not necessarily boots on the ground.
I can see it happening. The lines are definitely getting more blurred as we have more things that are controlled by computers.
Well, I hope it doesn't happen right now. I don't think many people could handle that on top of everything else.
That's why we're just trying to keep it from happening.
Well, what do you think regular people can do? We talked about how the security community is mobilizing. Are there things that just ordinary people can start doing?
Honestly, this goes for news about Coronavirus as well, but just investigate your sources. If someone sends you an email saying, "Go here and enter your credentials to see our policy on this," check to see if it's a legitimate site.
Don't put your credentials in anywhere that you're not 100% sure of.
You can even go around the backend and say, "Okay, this wants me to go to Microsoft 365." Go up to your URL space and type in the URL and go there instead of clicking on links. You'll find out fast whether that was legitimate or not.
Also, don't click on things if you're not 100% sure. Take everything that you see with a grain of salt. In times like this, we'd like to believe that everyone wants to come together and have good intentions, that's not the case.
There are people out there that are trying to take advantage of people. Being really cognizant of where your texts and your phone calls and your emails and everything are coming from is a huge, huge factor in this.
What are the top three takeaways you'd want our listeners to leave with?
One of them is that there are a lot of ways that we can draw parallels between malware and pandemics. How we respond to a pandemic and how we could respond to a widespread malware attack are similar.
There's a lot of similarities in terms of the spread of both, the transparency that we need to have in terms of incident response, and having planned actions for when these things happen.
I know we've seen some bumps in the road with our pandemic response because we just haven't had to do this in 100 years. It's been a really long time. So obviously, things have changed a lot since then.
I think a lot of people never really thought about what they would do in a situation like this, and it's kind of the same with malware.
You never think that someone's going to infiltrate your infrastructure until they're there, and you're like, "Oh, what do I do now?" So that's why understanding how viruses spread and how they work, I guess both biologically and electronically, is really important.
Obviously, for our safety right now, biologically, it's important to know how we spread a virus. In terms of malware, we all need to say to ourselves, "Okay, if this is on my machine, it can get spread to these machines" by proxy or something along those lines.
Understanding some of the different types that are out there, the things that you might see commonly, like phishing.
And then the third one is, just like I said before, approach everything with caution. That's really my big takeaway.
Regardless, if you don't remember anything else from this, just remember that you should take that extra five seconds to examine where your links are coming from, and where your mail is coming from, and stuff like that. It should help you a lot in the long run.
And to your first takeaway, that kind of gets to this idea of, tabletop exercises, right? Actually taking the time if you're working in an organization to think through how you would respond, and making sure that your employees are educated as well on what's going to happen.
A lot of companies are getting much better at getting red teams to do exercises and basically, see if they can infiltrate the infrastructure. But then they just come back with a report, and I don't know that there's a lot of practice done on the response side of things.
I think that would be a really, really good place to start focusing.
What happens when someone suddenly has admin access, and is on your system? What do you do now?
That's where people freeze up, and that's what we've been seeing, recently - a lot of people are kind of panicked.
Well, it's not a good place to be making emotional decisions when you're already in the panic.
No, no, it's not.
I've really enjoyed our discussion today, Gabrielle, thank you so much for being on the show.
Thank you. It was so great talking to you.
And that's a wrap. Thank you for joining us for this episode of Security Economy. Check out our episode lineup at https://battleshipsecurity.com/blog and don't forget to subscribe.