
"Security Lessons from CoVID-19" by Rob Slade

BSides Porto · 35:42 · 54 views · Published 2020-11
About this talk
Talk presented at the 2020 edition of Security BSidesPorto.
Transcript [en]

so the next um speaker that we'll have here that will bring us a presentation um which is the title is security lessons from covid-19 is rob slade thank you ralph rob slade is an information security consultant a researcher and instructor is author of the robert slade's guide to computer viruses software forensics the dictionary of information security and is also culture of viruses real will resilience and is reviewer of several thousands of technical books and other uh articles in the area and it is recognizing the experts in the in the field in the community intervals and malware flows uh i i could spend 30 minutes talking about rob presenting him so i suggest people to go to the linkedin

or wikipedia page and see uh the great background he has in this in this area so robert it's your time now thank you well thank you and oh if only i can get the right uh screen up here and you should enable the present with the presentation mode yeah okay okay um well uh thank you uh porto for uh allowing me to to speak to you today uh good morning from vancouver i know that you guys are all waiting for dinner but it's morning here in vancouver um thank you xena for mentioning citizen labs as a canadian i appreciate it um this uh started life as uh well uh going back many many many many years you can tell from my weight

here i i have white hair not only because i do security but because i'm extremely old and uh in my ill spent youth i did um uh work in uh hospitals uh as a first aid attendant uh did other uh medical stuff so i have a medical background as well as a security background so when the virus hit uh i was answering questions from colleagues and of course using security examples to explain various things about the the virus situation the pandemic what have you um eventually i collected a bunch of this stuff and uh threw it into this presentation here um unfortunately at that point um i was also helping uh somebody get their book published

and their publisher got interested in me turning this into a book which i have done so i now have like about 12 hours worth of material here uh do not worry i am not going to um present the whole 12 hours i will try to stick to the uh the time limits here um but that's uh sort of where this came from roughly structured into the the 10 the old 10 domains of of the cissp um i this is the only portuguese i know which i learned many many years ago i probably say água mole with a congolese accent because it was a missionary from the congo who taught it to me and the only other time that i've been

able to use it was when i gave a presentation in brazil and of course the brazilian interpreters uh at that point uh translated it into uh brazilian portuguese for me uh i used it then because i was talking about the history of malware and um of course that particular proverb relates to uh to malware and the fact that um uh constant repetition of attacks uh can eventually uh create a problem for you which again is now relevant to the um uh to the coronavirus situation and and uh so a little interesting side issue there and just to prove that i was in brazil uh this is a catholic um capybara that was in a ditch near the the uh venue where i

was doing the presentation uh so for everybody else um the pandemic was declared on march the 11th that's the first time the world health organization was willing to use that term uh and the infamous basketball game and sports as we knew it came to a grinding halt um or a screeching halt really um but for me it was the the morning of uh well the march the 10th uh in the morning they're here in vancouver um march is a very important month for security we have cansec west uh biggest conference security conference in vancouver uh b-sides vancouver comes right after that um we had our vancouver security sig meeting i had two speaking engagements you know at coffee time in in on that

morning by dinner time gone everything gone so nothing uh so you know things can change for you very quickly here oh one one other thing i am from uh canada and british columbia and one of the things i supposed to say in this presentation is that i know that i'm speaking from something of a position of privilege uh i know you can't see all the the little details down here but this um even though i took it a while ago was at the time a chart of the infection rates of any jurisdiction over 5 million population and that little tiny blue dot down at the bottom that's british columbia even though we had a fairly early

outbreak um and and we have had uh outbreaks in uh senior citizens homes care homes that sort of thing um which has been very disturbing i'm sure for for everybody um the uh powers that be here in british columbia we've been singularly fortunate um some of the the luck that we had was purely random for example the uh spring break uh this year and the dates of that were set years ago i'm quite sure uh but just happened to fall at the right time so that um people uh like parents were you know ready to keep their kids home from school but had not yet actually left for uh uh travel and and so a lot of the travel related

outbreaks and that sort of thing we managed to keep under control so anyways uh interesting points uh okay before we get into the domains of course the the cia triad confidentiality integrity and availability and oh by the way i noticed that uh somebody is recording this so um you know you're being recorded here in terms of confidentiality but uh also in terms of confidentiality contact tracing a very important factor in in managing everything here but it's a really amazing issue in terms of confidentiality because our security our physical and medical security here is at odds with uh issues of privacy uh and we'll we'll get into that a little bit later on in terms of integrity there

are huge amounts of misinformation and disinformation deliberate disinformation now some of this stuff is just an error uh early on the the covid dashboard that uh johns hopkins university put up um canada disappeared from the dashboard um which uh you know probably nobody else noticed for for those of us who lived there was a little bit uh disconcerting and uh there are also issues you watch the news about the the virus and the pandemic this is you know it's weird you you will uh have endless reports and and of course you know a certain president of a certain large country which um has the worst record in the world right now uh has said that most people will

experience only mild symptoms and get over it very quickly that is actually true but then you have all kinds of reports of people saying it's the worst entrance illness i've ever had that is also true and unfortunately the plural of anecdote is not data um we get these reports in the in the media and how do you determine you know what to believe in there and you need to trust the the statistics the mathematics involved in it um you can't you know really get a good handle on it just looking at news reports oh by the way for those of you who are have your thumbnails on on the right side of the screen may have a

bit of difficulty seeing this but uh this was a really interesting thing going back to the the spanish flu uh pandemic um and and this was a device that actually uh supposedly produced ozone and you you would breathe in ozone and it would clear the germs out of your uh throat and nasal passages and breathing passages and that sort of thing i doubt that it produced much ozone um and so it probably wasn't very effective and it's probably a good thing that it didn't produce uh much ozone because ozone is in fact poisonous in in large volumes so uh just an interesting thing that i came across now of course there is there's misinformation um

and disinformation they come from from different sources i mean there's a lot of ignorance you know this virus has been around for less than a year actually you know some indications that yes it has been around longer um some historical research that people have done may be fine detecting uh certainly something similar a long time back but in terms of an actual disease in humans um it's a very short time and and we're still learning all kinds of things about it we we don't know because we don't know there's a lot of fear and and fear uh tends to push misinformation um when we are afraid um we aren't very good we we get stressed we

do not make good decisions so you know keep that in mind in security overall as well as with regard to the virus there's also um contention in terms of the experts you know some experts will say uh you know masks are important some people experts will say masks are not particularly important um and so who do you who do you trust um out of the the contention of even expert ideas and then again there are those who are just trying to create outright fraud there are always fraudulent sites um uh people supposedly setting up fake charities um uh you well i'm sure that all of you have have seen uh spam phishing spam various frauds coming into your email

uh playing on issues about the the virus and the pandemic and i've i've noted a huge surge in things like um attacks on on my netflix account you know people saying that that my next netflix account is going to run out unless i go to this website and and give them my credit card number um which doesn't particularly work with me because i don't have a netflix account but that's okay but lots of attacks on on things like email so you know people who are at home who may be in lockdown situations um are going to be fearful of losing those points of contact and and so they're going to be susceptible to those frauds

and then there are just outright attacks there in the nation state attacks and of course recently the attacks out of russia particularly but also from from other places um directly attacking institutions that are involved in in vaccine research for example so all kinds of of security issues there and availability toilet paper really i mean honestly goodness you know i i i bow to no one in in my admiration for this stuff but really um i have no idea why there was this huge huge run on toilet paper now getting into the domains uh security management starting off with security theater and you've seen these kinds of images on the uh news media and and people um

misting or fogging in in large open areas trying to deal with the virus i have no idea what is in that that device um because there is nothing you can spray into open areas that would deal with the virus that would you know kill the virus and wouldn't kill you uh basically you know any anything that you spray or fog around in large open areas in this kind of way um isn't it if it was going to be effective against the virus it would be very very bad for human health so all of this stuff really is security theater people uh governments particularly need to be seen to be doing something even if it's not effective and and you

know we see security theater in many many areas uh social engineering though i mean security theater is a part of social engineering and and we tend to think of social engineering in terms of attacks um you know the bad guys are using social engineering against us uh yes that's that's important but we need to use it ourselves as we can um and uh there was this uh meme if they had just called it the stay at home challenge and posted it on facebook the virus would have been gone by now you know so there's a sort of a social engineering way to do it uh risk management in in security management here um in in terms of the masks

um i i don't want to say don't wear a mask i mean you know it is there are many um situations where wearing a mask is a good idea but uh the the pushing of the masks is really interesting because there really isn't any evidence that masks are a particularly effective you know there's much much more effective ways you know washing your hands at social distancing all of these things are much more effective than than masks are so masks has become a hugely divisive issue uh and and maybe it's sort of security self theater uh if you will but we'll we'll come back to masks yeah if i have time um so risk factors here

uh i am old i am male i am fat i have diabetes i have high blood blood pressure all of those are you know high risk factors for getting so if any random co2 virus comes along i'm toast but you know there are different risk factors here um emergency management is for emergencies um a lot of people i've seen a lot of reports again in the news media and other you know people complaining saying you know oh uh you know the government isn't doing enough for this they you know uh we were saved from a cruise ship but the you know the government didn't put us up in a four-star hotel when they quarantined us you

know all these kinds of things emergency management is for emergencies this is an emergency this is a disaster um you know have a a bit of patience maybe for for some of these minor issues um anyways again in security management uh cost benefit analysis what um what is it going to cost to help us to fix this thing you know isolation is the way to kill the virus but of course it also kills the economy too and and economic uh problems do in fact have major medical consequences and so we want to uh have a balance and we need to do that cost benefit analysis as we need to do in any area of security management so

uh yeah uh and again i one of the things that i keep on seeing in the media is uh and particularly when you see a press conference and and uh reporters are always always always asking uh this variation on the same question about different events or whatever how vicious are you going to get with people who break distancing rules and the thing is again going back to social engineering you catch more flies with honey than vinegar and i will be talking about uh bonnie henry our our provincial health officer here in bc um she has been absolutely wonderful about um repeating the fact that we are talking about education when dealing with the virus and and

in security education works an awful lot better than mandating you have to follow our policies you have to follow our rules so um you know keep those types of things in mind so uh moving on to access control layers um of access control and and the the different types of of tests there the the tests that are you know where they stick a swab in your nose um that's looking for rna of the virus and and we'll come back to that and when we get into application security but um then there are the serology tests um which are looking for the antibodies that your body produces and and it's interesting the different types of information that these

different types of tests will provide you and and the different questions that they're going to answer so uh different layers in uh our things and and uh issues of error rates we always have error rates in in all of our security controls uh you know false negatives and we we tend to think uh you know here uh false negative not being able to identify viruses is the worst case scenario but we also have false positives and actually false positives in a pandemic situation here with uh relatively low levels of of incidence which is what we're faced with um is actually a lot worse because um i don't know of actually any of the tests that

are out there rna or serology that have um less than a false pause one percent false positive rate as a matter of fact uh one percent false positive rate would be very very good most of them are like you know 10 and 20 uh false positives and you're faced with one percent incidence uh which is actually higher than any place except the united states right now um then you've got a 50 50 chance of being right in terms of being told you know no you are uh you are infected with this virus and so if a lot of people are being falsely told that you are infected with the virus then a lot of people are being

quarantined not allowed to go to work whatever and and that has more damage overall than issues of the the false negatives and and people going out into into the world and infecting other people so uh interesting uh rates there security architecture um intra i don't know who started the phrase bend the curve not the rules um i first heard it from our our health minister here in bc but i'm sure that uh it was repeating it from somebody else really interesting point um a lot of people looking at that issue of bending the curve um said that what what's the point in bending the curve because the same number of people are eventually going to get it you're just spreading it

out but uh when you know this is time-based security an excellent example of time-based security and i i highly recommend winn schwartau's book on time-based security which uh addresses uh something along those lines boy i'm definitely not gonna get through all these slides what the heck uh functional versus assurance requirements interesting here um uh fast food restaurants always have um hygiene issues and and they're talking about uh people um dealing with uh food and and they've got to wash their hands and that sort of thing but um there's two uh types of of requirements in security there's functional that's the hygiene requirement and there's assurance that's do we know that our functional control is actually working

and uh looking at gloves um versus hand washing hand washing is effective in terms of the actual hygiene functional requirement but we don't have the assurance requirement we can't tell if somebody's worn you know wash their hands but if they wear gloves we can actually see that so we also have the assurance requirement there very interesting uh issue there uh oh and defense in depth layered defense having layers of of defense you know we know that any any given issue is not going to do the the travel checks for example um uh the temperature checks the temperature checks aren't very good they um you know really they've they've got less than an 80 success rate and so you know people are

going to get through that we need to have some other kind of of check to backstop them um and of course in any situation just you know can't say don't ever say it can't get any worse because unfortunately uh here in canada and nova scotia faced with the pandemic um in april they then had the worst mass shooting in canadian history then they had a forest fire then they had a helicopter crash then they had a pilot die from our national uh flight team um yes it can almost get worse so um think simple ideas this this was a really this is an idea that's so simple it's it sounds silly um this guy who who made

um equipment for restaurants um he realized that most people in restaurants were wearing ball caps baseball caps build casts and so he came up with this idea for a face shield which everybody else was making you know really fancy versions of face shields he made this really simple idea of a face shield that clips onto a baseball cap so everybody that he's selling to in the restaurant industry now can get this cheap version of a face shield and you know a face shield is is in some situations as good as a face and possibly even better so you know if it works you know it's a silly idea it looks silly but if it works it's not silly so

think of the simple ideas oh business continuity planning um the best thing it's always hard to get uh companies to to go into business continuity planning um the best way to get uh management to buy into a business continuity plan is to have the building across the street burned down well there's a lot of buildings across a lot of streets burning down so during the pandemic use it as a reason for business continuity planning and there's there's so many issues here capital risk financial margin market changes succession planning supply chains you know so so many issues unfortunately in in business continuity plan oh and and leadership um leadership is vitally important in business continuity planning and

fortunately right now we have an excellent excellent comprehensive example of how not to lead during a disaster and all you have to do is is look at that example and whatever he's doing don't do it so uh that's uh one of the other issues in in business continuity planning is um the difference between recovery and restoration and of course the the pandemic demonstrated you can stop fast and and recover the most important issues first but when you're doing the restoration you restart slow restore the most important issues last you know make sure that you were planning that you were testing that you were being careful as you restart in terms of your your business continuity restoration

ah and you know if you want some extra toilet paper here um so uh yeah do we need a break in terms of all this disaster going on if you're a new single stranded d rna virus looking to survive in this big bad universe not rule number one is surely not to pick a fight with the only double-strand dna-based organism that can sequence your genome and has eradicated more species than any other living thing that's us you know uh we probably are going to get through this oh and the the german government is advising people to stock up on sausage and cheese it may be a worst case scenario so physical security um keep your

distance and this is uh you'll notice that i well maybe you'll notice it's tiny little sign there but it says talking about maintaining social distance but it's on an asphalt spreader and i was you know i mean i know that uh it's a mandated worksafe bc uh sticker that they you know they're talking about keeping people apart from each other but how you know why do i need to be told to be two meters away from an asphalt spreader um this mask won't protect you from covid-19 but it'll sure help with the social distancing

yet anyways uh during the virus crisis if you go out note that you might get coughed on or sneezed on and since disinfecting fabric is much more difficult than cleaning surfaces you should wear older clothing it can be discarded if necessary if you have old torn clothing that will not be missed this is probably best since face masks are in short supply a scarf worn over the mouth nose and lower part of the face will offer some protection if you are infected and must go out for some reason to aid you in walking uh you should take a staff should you be overcome with respiratory distress and need something to lean on best to have bells hanging from the top

to summon aid if necessary as you go it's best to give some verbal warning to others not to come into close contact since some you may encounter may not be proficient in english is probably a good idea to constantly call out something simple such as unclean unclean anyways uh cars and insurance uh people have been worried about the fact that uh insurance companies aren't giving back car insurance since nobody's driving i've seen you guys driving during the uh pandemic i know why the insurance companies are not giving back any money uh crypto phil zimmerman if he's still around uh would probably agree with my first thought when i i thought about structuring this and i was saying oh

cryptography you know that's one area that we're not going to have to worry about or you know there's no lessons that come out of covid19 i was wrong um the contact tracing apps and and the the protocols uh very interesting work in in terms of that and those standards there um if you are interested in cryptography that's that's something to to look at and study um application security as as we talked about testing before different types of tests give us different information and the toilet paper thing one of the paper mills that makes toilet paper here in bc actually had a malware infection so if you have stockpiled toilet paper you should safely dispose of it because it

may have been infected with a virus now this is i'm probably going to run out of time here so the one the one issue i came to security from malware research that's where i started out and one of the things that i learned from malware research is the bastion model is wrong the uh the bastion model looks at it and says you know we're the good guys we're on the inside the the attackers are all the bad guys they're on the outside if i in my bastion you know and you're in your bastion if a bad guy's attacking you it it's not a problem for me because you know it may even be good for me because

as long as he's attacking you he can't be attacking me but when you you study malware you realize no the the bastion model is is wrong it's not helpful we are all in this together as has been said um in some areas um we may not all be in the same boat but we are all in the same storm and helping others um helps you and uh i suppose um given i'm not going to be able to get through uh all of these slides probably i should stop there uh unless you want me to continue on into the q a session okay thank you rob thank you for your presentation you touched some good points

here and when i was assisting your presentation come to my mind several several uh thoughts about how will we live our lives how we correlate the things between our social and daily lives and our professional lives and our interests in this field of cyber security and um particularly touching topics like information and misinformation or disinformation like fake news and of course all of these is now used to influence people and is also also deserves the study here to to to avoid or at least alert people when they are looking to fake news or real news but this is a big problem um like the presentation we have before i i have the same idea here i think we

should have um education uh since the the initial uh times in the school to get more conscious about this these problems and again also some cyber ethical behaviors because otherwise it will be a mess i think and and i also when i when you are presenting i was also thinking that and all of us funds tenderly normally finds more opportunities or alternatives during the emergency periods or emergency times and this could be also used by the economists to slow down or accelerate the the countries the development in the countries and this a big induced topic here because typically people try to find to figure out solutions to the problems that they face um i don't have any

questions here you touching a very good point and i think everyone is is thinking on on the point so um ralph thank you for your presentation for bringing us this perspectives and open allows our us to open our minds and also see the problems in different perspectives thank you rob i i did think about the uh the red queen situation from from an earlier talk there and and i thought that the uh covid situation is is an excellent example of that you know events uh can overtake you if you're not flexible enough to uh note the the changing environment and and no uh covid-19 has certainly changed all of our environments very very quickly

yeah yeah and also created opportunities for the malicious actors and yes and then they touched it in that point in terms of social engineering and uh we are working hard to prepare people in terms of awareness for this type of activities social engineering but it's it's takes a long journey to to to get some results and it's a continuous work and it's interesting for that and this pandemic accelerates the needs and it's at least it helps to develop more of these conscious and they'll allow us to work harder to get results

and