• The miracle of COVID-19 testing: more tests = more cases. (It works for security too!)

    03 Jul 2020

    I’m no jet fuel genius. Nor am I a statistician. I’m certainly no epidemiologist. I don’t even consider myself to be one of the smartest people in my own field. But I do know enough to realize that when a problem exists (even if it’s yet to be acknowledged), once it’s sought after, it will be uncovered. And once it’s uncovered, does this newfound knowledge actually change anything? Not necessarily. It provides new insight and information but it doesn’t immediately translate into a “problem”, decisions being made, and so on. The long-term outcome may change…but, then again, maybe not. The situation is the same the moment before and the moment after, regardless.

    What does this have to do with COVID-19 and information security? Actually, everything!

    If all – or even just a subset of – businesses suddenly tested their networks for security vulnerabilities, can you imagine what might happen? I know! A lot of people would realize that their networks aren’t as secure as they thought they were. There are vulnerabilities galore. Missing software updates. Malware infections. Even breaches…

    It has all been undetected to this point. Now the cat’s out of the bag. Still, nothing has changed. They’re just as vulnerable now as they were before the testing.

    If the security vulnerabilities have been on these business networks for quite some time (I can assure you many of them have), whether they were known or unknown, do these businesses now – all of a sudden – have a bigger problem? Not necessarily. A risk is not a risk automatically. It depends on the threats and how they did (can) actually exploit vulnerabilities to call out such risk. With new vulnerabilities uncovered, are businesses any better or worse off than they were before? Not really. The vulnerabilities still exist. The threats are virtually the same. The risk may or may not be perceived differently now that it’s actually acknowledged.

    Still, everything is as it always was.

    It’s no different than walking down the street or driving down the road. Are we vulnerable? You betcha. Do threats exist? Quite likely around every corner. But what’s the likelihood of one of these threats exploiting one of our vulnerabilities resulting in tangible and credible dangers (risks) to our health and well-being? We can look at crime statistics and automobile accident numbers and figure that out. The good news is that we’re still alive to reflect back on all those risky things we did leading up to this point! In reality, we are at risk and we can never be one-hundred percent protected. Yet, we still go about our days, living our lives – walking down the street and driving down the road… In the end, some people get hit…but most people don’t.

    How is this any different from what we are experiencing right now with COVID-19 testing? We have all these results coming in from super-smart bureaucrats who are working in conjunction with the news media and state/local officials to shut things down again because they’ve found out that the same people who have been infected have now been tested and it’s suddenly a problem? Even though the numbers show that the death rate is going down…Even though the testing data being forced upon us are skewed…Even though COVID classifications are now being bastardized.

    Run for the hills!

    With the security example, do you cut off your nose to spite your face?

    Do you shut down your business network just because confirmed vulnerabilities exist? Great question to ponder…

    Do you cower in fear because you now have new information and feel compelled to make a decision? Great question to ponder…

    Do you change how you look at IT and its involvement in your business? Perhaps.

    Should you change your ways so that these types of vulnerabilities never appear again? Arguably so.

    Do you wait on a vendor to come up with a solution to help rid your network of these vulnerabilities or keep them from being exploited? Ask Bill Gates.

    …It all really depends on your philosophy. You could be a leader and actually do something about your confirmed weaknesses (installing software updates in terms of security…improving metabolic health in terms of COVID-19). Or you could let business (or nature) run its course and let the chips fall where they may…breach…infection…

    You’re largely in charge of both.

    Starting in late May, every day I passed by a local COVID-19 testing facility, the number of people being tested kept growing and growing – to the point of creating severe traffic jams…it’s happening all over my town. Hmm, perhaps more testing became available around this time…no doctor referral needed? Something changed…big time!

    I can’t help but think that, if over the past 30 days, vulnerability and penetration testing had increased across the board in businesses, we’d have people shouting at the tops of their lungs at just how many networks are vulnerable to exploitation.

    The propagandist media wants me to believe that we’re seeing a “surge” in COVID-19 cases…I’m just not buying it. Again, I think it’s just better information confirming what had been in existence all along. They can’t let their opportunity for a (perceived) crisis go to waste. I think it’ll be around at least until November 4th of this year…

    Be it with information security or COVID-19, so many people are experts – until they’re not. Everyone thinks he or she is capable of analyzing risk, whether or not he or she is actually doing so, and, especially, using the right information. The sad reality that has been brought to the surface of American society with the SARS-CoV-2 virus and COVID-19 disease is that people will go way out of their way to argue for their limitations. It’s an unfortunate side-effect of the reality that people are driven more by fear of loss than the desire to gain. And it doesn’t bode well for the future of this American experiment. 

    As George Bernard Shaw said, “Two percent of the people think; three percent of the people think they think; and ninety-five percent of the people would rather die than think.” 

    Some threats will come and go but all in all the threat level will remain relatively stable with a spike here and there. We’ll never be able to change threats. What we can change is how vulnerable we are – whether it’s metabolic syndrome that impacts 88 percent of Americans or IT/security weaknesses like the majority of American businesses have… Being fat makes us susceptible to disease just like failing to master the security basics causes businesses to get breached.

    The science is there. The numbers are there. Yet, no one can figure any of this stuff out…

    How do you want to run your business and live your life? Lots of things to consider. Many decisions to make. And with those decisions come responsibility and accountability.

    I know the one thing I’ll be focusing on: not believing everything I hear and, most importantly, doing what it takes to preserve my freedom and the future of this country.

    Cheers to an amazing Independence Day for you and yours!