zsmith.co

Modeling cybersafety on biosafety

Revision 2
© 2019 by Zack Smith. All rights reserved.

Concept

If you've read the book The Hot Zone, or watched the TV series based on it, or otherwise have some understanding of infectious diseases, their spread, and the analysis of them, you know that hazardous pathogens like Ebola, Marburg, Lassa and so on have to be handled very carefully, in labs specially designed to ensure proper containment and public safety, and using specially developed procedures.

There are four levels of biohazard containment, called BSL1 through BSL4 (also P1 to P4, where P means protection or pathogen). Level 4 is the strictest.

I assert that handling of software pathogens can be organized using a similar pattern. Herein I propose a simple equivalency between the four levels of biosafety and four proposed levels of cybersafety.

Essentially my idea comes down to this:

  1. Each computer is like a biosafety lab.
  2. Each program or data source (including files and websites) may contain software pathogens.
  3. Every potential pathogen has to be assessed and proper measures must be taken. Many will prove harmless, but assuming all are safe is unwise.

Biosafety levels ↔ Cybersafety levels

Here are my proposed computing equivalents of Biosafety levels. The basic idea is that each level adds more protections.

Software pathogens are assumed to be both out on the Web and inside the computer e.g. in the form of downloaded software and browser plugins.

A computer can be a laptop, desktop, server, phone, tablet, smart watch, IoT device, or single-board computer. Computers are everywhere.

Biosafety level 1 (BSL1)

  • Hand-washing with warm water before and after work.
  • No eating or drinking.
  • Decontamination of infectious material before disposal.
  • Personal protection gear is only used for infectious agents.
  • The lab door is lockable but the lab is not isolated.

Cybersafety level 1 (CSL1)

Safe practices for your main account.

  • Private browsing in incognito mode.
  • No plugins except those that protect against drive-by (website-based) and advertisement-borne attacks, e.g.
    • uBlock Origin
    • Adblock Plus.
  • Prevent accidental inflow of pathogens:
    • Disable website-provided fonts in browsers (font parsers have a history of exploitable bugs, so fonts are an attack vector).
    • Disable automatic loading of remote images in the mail application (they are used as tracking beacons that reveal when and from where you read a message, and image decoders are an attack vector).
    • Disable JavaScript in browsers when visiting websites that do not heavily rely on it.
    • Disable automatic playing of videos.
    • No insertion of unknown media, e.g. CDs found on the street, into drives permitted.
  • Firewall enabled.
  • If the computer is a phone, keep it in Airplane mode most of the time.
  • Disable unnecessary networking, e.g. Bluetooth and NFC.
  • Hard drive encrypted.

Biosafety level 2 (BSL2)

  • The lab is closed off when work is going on.
  • Personal protection gear is required.
  • Extreme caution when dealing with sharp infected items.
  • Special procedures when pathogen may be aerosolized or splashing may occur.

Cybersafety level 2 (CSL2)

Improved safety by moving to a separate account.

  • Run risky software (the browser, the plugins, a downloaded application) in a separate account to prevent access to personal files in your main account.
  • Make sure your home directory does not contain sensitive files, or that their permissions are set to private, i.e. 0600 for data files and 0700 for directories.
  • Assume you are running spyware or larcenyware (data theft) and turn off the Internet if it is not needed.
  • Do any web browsing through a VPN or Tor Browser, to prevent monetization of your web traffic and location information. (A VPN only moves that visibility to the VPN provider, so pick one you trust.)
  • After running the potentially pathogenic software, remove all temporary files that it has created (caches, configurations, logs).
  • Power down Wifi router when not needed.
  • Disconnect Ethernet cable when not needed.
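The permissions rule above is easy to state and easy to get wrong on a directory that has accumulated files over years. The following POSIX shell script is an added example, not code from the original article: it lists everything under a directory that grants any permission to group or others, and can strip those bits without touching the owner's bits (so scripts in a bin directory keep their execute permission). The function names, the `csl2_` prefix and the constructed sample tree in `csl2_demo` are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): audit a home directory for
# files and directories that other local accounts could read, write or
# execute, which is the check the CSL2 rule (0600 for files, 0700 for
# directories) asks for before running untrusted software in a second account.
# Assumes POSIX sh, find and chmod; the csl2_* names are this example's own.

# Print every file and directory under $1 (including $1 itself) that grants
# any read, write or execute permission to group or others.
csl2_exposed() {
    find "$1" \( -type f -o -type d \) \
        \( -perm -g+r -o -perm -g+w -o -perm -g+x \
           -o -perm -o+r -o -perm -o+w -o -perm -o+x \) -print
}

# Number of exposed entries under $1, as a bare integer.
csl2_exposed_count() {
    csl2_exposed "$1" | wc -l | tr -d ' '
}

# Strip group/other bits everywhere under $1. Owner bits are left alone, so
# this yields 0600/0700 for ordinary data and keeps +x on the owner's scripts.
csl2_fix() {
    find "$1" \( -type f -o -type d \) -exec chmod go-rwx {} +
}

# Constructed sample tree (not real user data): one group-readable directory
# holding a world-readable file, plus one file that is already private.
# Prints "<exposed before fix> <exposed after fix>".
csl2_demo() {
    tmp=$(mktemp -d) || return 1          # mktemp -d creates the dir as 0700
    mkdir "$tmp/shared"
    chmod 750 "$tmp/shared"
    printf 'secret\n' > "$tmp/shared/notes.txt"
    chmod 644 "$tmp/shared/notes.txt"
    printf 'ok\n' > "$tmp/private.txt"
    chmod 600 "$tmp/private.txt"
    before=$(csl2_exposed_count "$tmp")
    csl2_fix "$tmp"
    after=$(csl2_exposed_count "$tmp")
    rm -rf "$tmp"
    echo "$before $after"                  # expected: "2 0"
}

# Usage: sh csl2_audit.sh /home/sandbox   (lists exposed paths, changes nothing)
if [ -n "${1:-}" ]; then
    csl2_exposed "$1"
fi
```

Run the audit first and read the list before applying `csl2_fix`: a deliberately shared directory (a web root, a shared download folder) will show up too, and the fix is indiscriminate by design.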

Biosafety level 3 (BSL3)

  • Personnel receive appropriate immunizations.
  • All work is done inside a biological safety cabinet.
  • Protection gear must include a solid frontal barrier that is discarded/cleaned after each use.

Cybersafety level 3 (CSL3)

Better safety in a virtualized or emulated computer.

  • Run any risky or vulnerable software inside of a virtual machine (VM), whether it be:
    1. a virtualization (VirtualBox, VMware, Parallels)
    2. an emulated PC (QEMU, Bochs)
    3. a container on a server (note that containers share the host kernel, so a kernel bug escapes them; they are a weaker boundary than a VM).
  • Run a new copy of the VM each time, i.e. copy the vdi file from a known-pure one for each session.
  • Disable unused VM devices, e.g. Bluetooth, NFC, Wifi, Ethernet, Firewire, floppy disk drive.
  • If virtualized, choose an OS that is not typically targeted, i.e. not Windows or Android. (This only reduces exposure to commodity malware; it is no defense against an attacker who targets you specifically.)
  • If emulating, choose an architecture that is not typically attacked, i.e. not x86.

Biosafety level 4 (BSL4)

  • Bioagents are considered highly infectious and fatal.
  • Labs are either cabinet-based or positive-pressure-suit based.
  • Labs have airlocks to keep aerosolized pathogens in.
  • All biological material leaving a cabinet must be autoclaved (high pressure, high temperature).
  • Cabinets are designed for easy cleaning.
  • No sharp edges anywhere.
  • A chemical shower must be used for decontamination upon exiting the lab.

Cybersafety level 4 (CSL4)

Best safety by confining the activity to a dedicated, isolated computer.

Modality 1: Internet is used

  • Run the software on a single-purpose laptop computer (e.g. banking-only) that is locked away and physically inaccessible when not in use.
  • After each use, wipe the hard drive and re-image it with a known-pure OS image. (This is done in academic computing labs.)
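Both the CSL3 rule (copy the VM disk from a known-pure one for each session) and the CSL4 rule above (re-image from a known-pure OS image after each use) depend on the golden image itself still being pure. A VM that was accidentally booted from the golden file, or a compromised re-imaging host, silently breaks that assumption. The following POSIX shell script is an added example, not code from the original article: it records the SHA-256 of the golden image once, and every later session copy is refused unless the golden file still matches. The `img_*` names, the `.sha256` sidecar file and the few-byte stand-in for a VDI in `img_demo` are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): verify a known-pure image
# against a recorded hash before cloning it for a throwaway session, so that
# a modified golden image is refused instead of silently propagated.
# Assumes POSIX sh plus either sha256sum (coreutils) or shasum (perl/macOS).
# The img_* names and the "<image>.sha256" sidecar convention are assumptions.

# SHA-256 hex digest of $1, using whichever tool is installed.
img_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Record the hash of a known-pure image. Run once, right after building it,
# and keep a second copy of the hash somewhere the VM host cannot write.
img_record() {
    img_sha256 "$1" > "$1.sha256"
}

# Verify $1 against its recorded hash, then copy it to $2 for this session.
# Prints the session copy path on success; returns 1 and copies nothing if
# the golden image no longer matches.
img_fresh_copy() {
    golden=$1
    session=$2
    expected=$(cat "$golden.sha256") || return 1
    actual=$(img_sha256 "$golden")
    if [ "$expected" != "$actual" ]; then
        echo "refusing: $golden does not match its recorded hash" >&2
        return 1
    fi
    cp "$golden" "$session" && echo "$session"
}

# Constructed demonstration (a few bytes standing in for a real disk image).
# Prints "<first session> <second session>", expected "ok fail": the first
# clone succeeds, then the golden image is altered and the next clone refused.
img_demo() {
    tmp=$(mktemp -d) || return 1
    printf 'golden-os-image-v1\n' > "$tmp/golden.vdi"
    img_record "$tmp/golden.vdi"
    first=fail
    img_fresh_copy "$tmp/golden.vdi" "$tmp/session1.vdi" >/dev/null && first=ok
    # Simulate the golden image being modified, e.g. by a VM booted from it.
    printf 'tampered\n' >> "$tmp/golden.vdi"
    second=fail
    img_fresh_copy "$tmp/golden.vdi" "$tmp/session2.vdi" >/dev/null 2>&1 && second=ok
    rm -rf "$tmp"
    echo "$first $second"
}

# Usage: sh img_session.sh /vms/golden.vdi /vms/session.vdi
if [ -n "${2:-}" ]; then
    img_fresh_copy "$1" "$2"
fi
```

The hash check only tells you the golden file is unchanged since you recorded it; it says nothing about whether it was pure at that moment, which is why the recording step belongs immediately after a clean install from official media. Hypervisors offer the same pattern natively (for instance an immutable disk type whose changes are discarded on every boot), but an out-of-band hash is what lets you notice when that mechanism was bypassed.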

Modality 2: Internet is not used

  • Physical isolation of the device i.e. air gapped
  • Software updates via official DVD-ROM or similar
  • No use of USB flash drives
  • No use of accessories that have sketchy origins

Addendum

Note, I am using the term cybersafety because the other alternative that occurred to me, infosafety, might be taken to refer only to the user data on a computer, not the OS, applications, firmware, or hardware.