When I was first starting off in my career, I wanted to be a doctor. As life often goes, I got waylaid. Wanting to be a doctor turned in an accounting major and CPA certification, quickly followed by a lifetime career in computer security. I have always joked that being in computer security is like being a doctor, except the patient does not verbally tell you where it hurts.
And you will see a lot of computer security defenders equate computer security and attackers to real-world human maladies. The first computer security book I ever read was Flu-Shot by Ross Greenberg (long out of print). You do not have to think too hard to wonder where the term computer virus came from. We do not say malware infection by coincidence. Many computer AI defenses are often likened to self-healing, auto-immune systems. How long until a computer defense calls itself “White Blood Cell” or am I already late to the computer defense naming game?
But here is one key distinction between computer security problems and human medical problems: There is no herd immunity in the digital world!
With biological infectious diseases and vaccines, there comes a day when the defenses have been distributed so widely and broadly, that the disease, even if it still exists, for all intents and purposes, disappears. When enough people are vaccinated against a infectious disease, even if there is a smaller portion of the population still unvaccinated, the “herd immunity” of the larger vaccinated portion keeps them safe and uninfected. We consider smallpox to be “eradicated”, with many other diseases soon to be eradicated, like measles, mumps and polio.
Today, experts are arguing what percentage of a population needs to be vaccinated or already infected and immune to COVID-19, for COVID-19 effective herd immunity to occur. Is it 70%, 80% or more? Or will it be around forever until every last trace of it is gone?
Unfortunately, herd immunity does not work in the digital world, at least not yet. You can patch everything in your environment, but if you miss one patch, a hacker may be able to break in. So, defenders must be very judicious and consistent about patching all critical patches, especially for software that can be accessed from the Internet. Consistency is a defender’s friend. Inconsistency is the hacker’s friend.
It is an issue for aggregate protection as well. To continue to use patching as an example, all coding needs patching at some future point and time…at least until the software support runs out. It is well known in the patching world that some portion of vulnerable customers will never patch. The percentage who do not patch something changes by patch, but it is always non-zero.
If you are ever in charge of creating and delivering a patch, the successful distribution goes something like this: About 50% of your customers will apply the patch in the first month. You have early adopters who aggressively look for and will push patches within the first day(s). A large percentage of people will apply it in the first week. And a very solid percentage, approaching a majority, will apply it within a month. After the first month, the rate of patching for the remaining vulnerable population goes way down fast. It is as if you are either aware of the patches and want to aggressively patch or you are simply not.
After the first month, the bulk of the remaining vulnerable customers will patch within a year. But some percentage…it may be minor, or it may be as large as a quarter of your customers, will never patch, ever. In fact, if they do not patch within the first few months, the odds that a vulnerable customer will ever patch goes way, way down. After a year goes by, it is just a continuous super small trickle-percentage of patchers.
When I was at one large software company, we did a study to see why so many customers did not patch, ever! There were a myriad of excuses, but it came down to the fact that most of unpatched users were not IT people and were not even aware they needed to patch. I have talked to many dozens of people over the last three years who do not even know what the term “patching” means. Many of those had above average intelligence. I am talking doctors, lawyers, FBI agents and city managers. And yeah, you can call them stupid or native, but they are not. Patching just is not something they were exposed to in a way that it was to you and I.
Many of the non-patchers were people where the involved software and technology was just one very small part of their world and they did not even know much about it. For example, someone owning and running a small grocery store. They bought a cheap cash register solution and basically had no idea it was running on Microsoft Windows, much less thought they needed to patch it. Who needs to patch a cash register? Maybe they had someone who originally handled all that for them. But somewhere along the way, the only knowledgeable person who even knew things had to be patched no longer worked for them or maybe they let their support contract expire during a rough period of declining business. Either way, the years go by and they have no clue they need to patch.
I am not talking obscure, out of touch, strange people. I am talking about real, ordinary people. How many people do you know who probably do not have a clue that they need to be updating their Internet or Wi-Fi routers? Web cams? DVRs? TVs? It is nearly everyone I know. They plug something in, get it working, and forget it. I am not even sure if I have everything patched and up to date. Do not come and audit me.
That is why it is important for all software development companies to try their best to use security development lifecycle (SDL) techniques to minimize bugs for the lifetime of their products. And make all products auto-patching without user intervention. Because every bug is a bug that some percentage of well-meaning customers will not know about and will not patch…EVER!
I am constantly surprised at how many Code Red-infected or MS-Blaster-exploited computers are still out there. These are malware programs from two decades ago…their underlying vulnerable software hosts have long since expired and are unsupported. But they keep chugging along…under desks, under counters and covered in dust in the corners of Data Processing centers. And there is no herd immunity. If there is one copy of the roving malware program out there on the Internet, it will find those connected, vulnerable, servers and exploit them. One copy turns into a million infections really quick.
Patching issues are always a race against the clock. Patching issues make me big fan of cloud-based software, where the vendor can apply the patch and everyone is immediately protected.
It is the same with social engineering and phishing. You need to try your best to prevent any of your co-workers and employees from becoming susceptible to it. Check out our Comprehensive Anti-Phishing Guide (https://info.knowbe4.com/comprehensive-anti-phishing-guide) e-book. Any employee who can get socially engineered and phished can allow harm to enter into their organization. You must be judicious, frequent, and consistent with your anti-phishing training.
You should provide longer training to an employee when they are hired and annually thereafter. Then at least monthly, you need to provide shorter trainings on popular computer security threats followed by simulated phishing attacks to gauge how well each person understood the training. People who need more training should get more training and simulated phishing tests.
This is not to say that perfect should be the enemy of getting something done. Just because you cannot guarantee that no one will ever make a mistake does not mean you shouldn’t do everything you can to prevent everyone from getting socially engineered and phished. Computer security is about risk reduction, not perfection. Shoot for perfection, but be happy with significant risk reduction. And better and more frequently training your co-workers and employees will absolutely, significantly, reduce risk. Just as teaching someone how to drive safer does not prevent all accidents, but it does reduce the percentage of accidents and save millions of lives.
Despite every possible technical control, the human "mutates" and avoids fixes. And the bad guys are always coming up with new strains and new angles of attack. There is no herd immunity in digital defenses, but by following sound, comprehensive, defense-in-depth mitigations, you can reduce risk in your organization and make it less likely that you’ll end up with a bad infection.