Robert Slade - Cybersecurity Lessons from CoVID-19

First edition published 2021
by CRC Press
6000 Broken Sound Parkway NW, Suite 300, Boca Raton, FL 334872742

and by CRC Press
2 Park Square, Milton Park, Abingdon, Oxon, OX14 4RN

2021 Taylor & Francis Group, LLC

CRC Press is an imprint of Taylor & Francis Group, LLC

Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint.

Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.

For permission to photocopy or use material electronically from this work, access

Trademark notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.

ISBN: 978-0-367-68269-9 (hbk)
ISBN: 978-1-003-13667-5 (ebk)

Typeset in Times
by SPi Global, India

To Gloria

Robert Slade worked his way through university in a hospital and later as an industrial first aid attendant. Later he found out he was a teacher, and, as an information security maven, he taught on six continents. Along the way, he also wrote books on computer viruses, software forensics, and security terminology. (Robert Slades Guide to Computer Viruses, 1995, 1996, Springer-Verlag; Viruses Revealed, 2001, Osborne McGraw-Hill: Software Forensics, 2004, McGraw-Hill; and Dictionary of Information Security, 2006, Syngress). Hed much rather be spending time with his grandchildren than writing another book. It is next to impossible to get him to take bio writing seriously, but more information than anyone would want to know about him is available on Twitter @rslade.

Since much of this book will deal with disasters and horrors and since all of you will have numerous examples of how people behaved badly during the pandemic, let me start on a positive note.

A young man from Thailand met his girlfriend in Singapore. Singapore, early on, became a CoVID-19 hotspot. The Thai family lives in Bangkok, which also reported CoVID-19 cases, although the numbers at the time werent as high as Singapores.

When they heard about the panic-buying and health equipment like masks and hand sanitizers being out of stock, they managed to get their hands on a variety of masks to send over. They threw in a bottle of hand sanitizer. They paid 860 Thai baht for international express shipping just so their friends could get the package as soon as possible. That roughly converts to a whopping US$30, which probably cost more than the masks and the sanitizer.

Disasters bring out the worst in people, but they also bring out the best.

Here is the first lesson about security. This is a fundamental point about security that I try to emphasize to my students all the time. People are, at one and the same time, both your greatest security weakness and your greatest security strength. People get tired, make errors, get fooled, and make bad decisions. Machines dont (if programmed properly, which hardly ever happens). But people can also figure out that someone who is following all the rules might still be trying to pull a fast one. Machines cant.

I am seeing the CoVID-19 pandemic from a position of privilege. My job didnt suddenly disappear, and my finances wont either unless the entire world economy collapses. (If it does, you arent going to be reading this book, now are you?) In addition, I live in Canada, which has a decent medical system if I need it. (On the other hand, I am old, male, and fat and have diabetes and high blood pressure, all major risk factors for worst-case outcomes if I do get infected, so if any stray SARS-CoV-2 virus lands on me, Im toast.)

Toilet paper? I had some, partly since Im an emergency volunteer and its part of the stock I tend to keep around as the household disaster kit, but mostly because Im cheap and hate to buy it at full price, so I tend to buy a lot when its on sale. (It doesnt go bad.) Haircut? I learnedlong, long agothat I am not handsome enough to get any of those jobs where initial appearance is vital, like salesman, con man, news anchor, politician, or celebrity supermodel. I keep my hair fairly short, but my preferred hairstyle is best described as low maintenance.

I live in British Columbia (BC), which is a beautiful place to have to ride out a crisis if you cant travel, and it is supremely fortunate in the government that we have in office at this particular time, our provincial Health Minister, Adrian Dix, and our Chief Medical Health Officer, Dr. Bonnie Henry. (We were oddly, and randomly, lucky in that the dates of the school spring break, set possibly years in advance, just happened to fall at the right time so that parents were prepared to have the kids out of school but had not yet left for vacations and travel that could have been devastating.) On a regular basis, we have an official update (which is generally referred to as The Dr. Bonnie Show co-starring Adrian Dix and [ASL interpreter] Nigel Howard). (You will, in the course of this book, hear more about Dr. Bonnie.) The material presented is clear, honest, factual, informative, as comprehensive as possible given the gaping holes in our knowledge about the virus, and, oddly, quite reassuring. In addition, the decisions and orders that have been taken have kept BC safer than just about any other jurisdiction of its size or larger. (I can, on the other hand, quite honestly say, given the vagaries of geographic outbreaks, that as of March 22, 2020, 90% of the CoVID-related deaths that had occurred in BC and 50% of those in Canada had occurred within three blocks of me. Its possible I am a dangerous person to know.)

Many people date the pandemic from March 11. This is, after all, the date on which the World Health Organization was first willing to use the word pandemic. It is also the date of the infamous basketball game that basically ended sports as we know it. For me, though, the date was March 10. March is a big month for the security community in Vancouver. At coffee time on the morning of March 10, I had two conferences and two presentations lined up. By dinner time, it was all gone.

I recently saw a headline that asked, Have you lost your purpose since CoVID-19? I realize that many people would: most people either are defined (by society) or define themselves by the job they hold. Ive been self-employed or making my own jobs for three decades. And most of my colleagues are in jobs where they can, and are helping others to, work from home. Were busier than ever. I dont have enough hours in the day.

Mental health turns out to have been a much bigger issue during this pandemic than I would have expected. I recently attended a (virtual) meeting with some of the leaders in the security world, and the first few minutes were filled with stories of having to deal with stress, having to take time off, needing to force people to take time off, and other such issues. So I guess one of the next security lessons is that you have to take care of yourself. Which is easy to say but possibly difficult to do. When you are under stress, you make bad assessments. And one of the assessments that may be in error is how stressed you are and therefore how bad the decisions youre making are. This is related to the impairment of how well you can determine yourself to be impaired if you are impaired and also the DunningKruger effect. But taking care of yourself does lead us to a couple of other points.