Cybersecurity is cyber health
The main thing is health: where there is health, there is everything.
Part 1. Seven stages and factors of cyber diseases
Cyber health and the information security of systems and organizations are similar to human health and medicine. Why do the computer systems of organizations “get sick”? In information systems (applications, websites, networks, and organizations as a whole) we can distinguish the same stages and factors of disease as in the human body:
- “Poor heredity”. Software or configurations may include or depend on unreliable, obsolete components. This is an example of a technical security vulnerability. A vulnerability is an internal flaw of a software product, an information system or an entire organization. Unlike a vulnerability, a threat is a factor external to the system: for example, computer viruses, hackers, disgruntled employees, competitors, or a power surge that can destroy information.
- “Failure to practice hygiene”, “promiscuous sex”, etc. lead to infection. Similarly, the indiscriminate use of unreliable websites, software products, components and technologies can lead to infection or create a security “hole”.
- “Infection”. Just as inside the body, where thousands of different microbes always reside without causing harm to humans, there are always technical vulnerabilities in the systems. Those vulnerabilities do not lead to security incidents for the time being. When several external (environment) and internal (immunity) conditions are combined, the infection begins to develop. Similarly, when external and internal circumstances (certain security threats and vulnerabilities) are combined, a security incident occurs and causes some damage. Just as a person may die from a disease, an organization may cease to exist as a result of, for example, leakage or theft of critical information.
- “Lack of vaccinations”. Software developers, system administrators, and information security specialists tend to have some experience with technical vulnerabilities, security threats, and cyber attacks, but this experience may not cover many specific vulnerabilities and threats. The lack of proper prevention of these specific negative factors is a prerequisite for a “disease” – a security incident.
- “Unbalanced nutrition”. The “digestion” of any organization is its business and technological processes. By analogy, one can imagine insufficient organizational security: disorder in documentation, responsibilities, inventory, change management, etc. That leads to all sorts of losses and security incidents. On the other hand, excessive bureaucracy, documentation and authorization are harmful to business because they slow it down. Therefore, the optimal balance is just as important here as in nutrition. “Harmful nutrition” is poor process organization.
- “Weakening of the organism due to difficult working conditions”. The organization’s staff is so busy with routine operations that security-related activities are sacrificed. These activities, like a healthy lifestyle, usually do not bring quick tangible results and are therefore often underestimated.
- “Chronic and acute pathology”. Security incidents, like illnesses, can be long and latent, or quick and painful. Damage from incidents may not be noticeable, but at the same time, it can accumulate over time, undermining the overall health of the system or organization. Vulnerabilities and minor incidents can accumulate to break through at the thinnest point, at the most inopportune moment.
Such analogies make it possible to look at cybersecurity problems from a new point of view, to systematize the negative factors of information security in a new way so that nothing is missed, and to reconsider protection priorities.
It is also worth noting that the stages and factors of diseases described above apply not only to the technical components of information systems but also to human ones. If we conventionally consider employees of an organization as a component of its information system, then their psychological vulnerabilities (negligence, talkativeness, boasting, fear, exposure to influence, etc.) must also be assessed. These human vulnerabilities are also often the cause of security incidents. Sociotechnical security is a separate universe. A lot of fascinating books have been written about social engineering, that is, penetration into an organization or theft of its secrets through psychological influence on its employees.
Part 2. Seven symptoms of cyber disease and diagnostic situations
How do you understand that your organization or startup needs to be diagnosed? How not to miss the right moments? How to recognize the earliest symptoms? Using again the accepted analogy and the factors listed above, we can note the following situations that require security diagnostics:
- “Pregnant”. Authors of ideas, software architects and developers should not wait until they become “pregnant” with the development plans for their products but should put security in them before their “conception”. Conducting a technical security assessment of a product at the stages of PoC (Proof of Concept), MVP (Minimum Viable Product) or beta-version is the same as a fetal ultrasound at weeks 13, 22 and 33 of gestation. Must have.
- “Newborns and children”. The low security of your brainchild can undermine its success just as a child’s poor health can damage their life or even take it away. How often to bring the child for check-ups is something parents decide according to their competence, anxiety or carelessness. However, there are also external requirements without which the child cannot be sent to kindergarten, school, etc. The next item is about that.
- “External requirements”. Just as in some cases (insurance, certain jobs, etc.) we are required to have health check-ups, vaccinations or medical certificates, there are requirements of state bodies, regulators and partners that prescribe regular security audits. They include technical assessment and penetration testing. In the USA, EU and other countries, for important industries (energy, payment systems, health care again), these requirements are enshrined in law.
- “Epidemic”. Just as a virus epidemic affects some areas, there are heightened threats of certain types of cyberattacks in certain industries or types of organizations. For example, almost all modern international conflicts, disputes and rivalries (Israel and Palestine, North Korea and the USA, China and the USA, the USA and Russia, the United Kingdom and Russia, Ukraine and Russia, etc.) invariably involve cyber warfare. If your users are in one of these countries, or your product is in some way connected with such conflicts, there is an increased risk of your involvement in the cyberwar. Unlike traditional wars, cyberwars are fought covertly, yet the parties inflict billions in damage on each other. Similar wars, albeit on a smaller scale, occur in highly competitive national and international product markets.
- “Relapse”. If you have often suffered from some mild illness, or at least once from a severe one, you will pay attention to the diagnostics of these particular diseases. Similarly, if you previously encountered security incidents caused by certain vulnerabilities (weak passwords, lack of backups, etc.) or threats (website hacking, social network account hacking, laptop theft, etc.), then you will pay attention to and monitor exactly these negative factors. Although there is a general rule that “you can’t step into the same river twice”, a satirical poet adds that it’s perfectly possible to “step into one shit many times”. The next point is about this.
- “Prevention”. Just as it is useful to observe what your parents, friends, acquaintances and environment have been ill with, and take precautions, it is useful to keep track of what security problems other organizations face. It is always more beneficial to learn from the mistakes of others than from your own. Just as an educated and wise person undergoes regular medical examinations, swallows vitamins in the winter or gets vaccinated before traveling to Africa, you need to take security measures and diagnose technical vulnerabilities at the right moments. For example: when a project for a new system is being created; when a major change in network infrastructure is planned; when an employee who had administrator access is dismissed; when you notice that staff negligence has increased; when small security problems accumulate (before they develop into large ones); when an IPO, ICO, merger or acquisition is planned. For security, it is extremely important not to miss such moments.
- “Psychological help”. Finally, security, like health, is not only a state but also a feeling. In other words, besides objective security, there is its subjective component. Quite naturally, when you are not sure of your physical or emotional health, you undergo a medical diagnosis or go to a psychotherapist. Similarly, when you are unsure of your systems or personnel, you conduct an audit or penetration testing to detect technical and sociotechnical vulnerabilities.
Part 3. Cyber Hygiene and Diagnostics
To prevent cyber infections and cyber injuries, it is very important to observe cyber hygiene: use legal software, download it from reliable sources, do not follow unreliable links, create long complex passwords, and so on. The more such rules there are, the harder they are to follow, and they reduce the convenience of work. That is where security systems come to help.
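One hygiene rule above, “create long complex passwords”, is easy to state and easy to enforce mechanically. The following is an added example (not code from the original post or from the company behind it) of a small password policy check that combines three defences: a minimum length, a rough entropy estimate, and a denylist of commonly used passwords. The denylist, the 12-character minimum and the 60-bit threshold are all constructed assumptions for illustration; a real deployment would use a large breach-derived denylist and its own thresholds.

```python
import math
import re
from typing import List

# Constructed stand-in for a breach-derived denylist (assumption, tiny on purpose).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "admin123"}

MIN_LENGTH = 12        # assumed policy minimum
MIN_ENTROPY_BITS = 60  # assumed policy minimum


def character_pool(password: str) -> int:
    """Size of the alphabet the password appears to draw from."""
    pool = 0
    if re.search(r"[a-z]", password):
        pool += 26
    if re.search(r"[A-Z]", password):
        pool += 26
    if re.search(r"[0-9]", password):
        pool += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        pool += 33  # printable ASCII punctuation and space
    return pool


def estimate_entropy_bits(password: str) -> float:
    """Crude brute-force entropy: length * log2(pool). Overestimates for
    dictionary words, which is exactly why the denylist check exists too."""
    pool = character_pool(password)
    return len(password) * math.log2(pool) if pool else 0.0


def check_password(password: str) -> List[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Substring match so that "password123!" is caught, not only "password".
    lowered = password.lower()
    if any(common in lowered for common in COMMON_PASSWORDS):
        problems.append("contains a common password")
    if estimate_entropy_bits(password) < MIN_ENTROPY_BITS:
        problems.append(f"estimated entropy below {MIN_ENTROPY_BITS} bits")
    return problems


if __name__ == "__main__":
    for candidate in ["password", "Tr0ub4dor&3", "password123!", "correct horse battery staple"]:
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

Running the block shows why length matters more than symbol mixing: the long lowercase passphrase passes all three checks, the short symbol-heavy one fails only on length, and the denylist catches a password whose entropy estimate alone would look acceptable.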
Well-known antivirus products (Norton Symantec, McAfee, Kaspersky, etc.) are like a set of vitamins, antibiotics, syringes, blood pressure monitors and face masks. The set is fairly wide but not universal, especially when it comes to secure software development. To continue the analogy, there are also the “manufacturers of MRI, ultrasound and X-ray machines”: the segment of specialized, deep diagnostics. This is the segment in which we work, alongside companies such as Qualys, Acunetix, Tenable, Rapid7, IBM, Veracode, etc.
Even the best equipment in the hands of non-professionals is a “bucket of bolts”. We are professionals in diagnosing and defining methods of treating systems, as well as in “healthy lifestyle” for systems and organizations:
- To find the most important areas of your security that need improvement, we simulate the actions of hackers and other intruders. Learn more about penetration testing and get a free consultation.
- “Smart” security is built at the earliest stages of creating information systems and organizations: at the stages of development, selection, purchase, and implementation of systems, entering into contracts with partners, hiring employees, choosing offices, describing operations and other situations, in which errors can weaken the system, infrastructure or the whole organization. Therefore, we not only determine the presence of “diseases and weaknesses” in the systems before they are infected or attacked but also eliminate the earliest prerequisites for the occurrence of such drawbacks and weaknesses. Such proactive prevention is achieved through the implementation of information security management systems and their certification for compliance with ISO 27001, PCI DSS and other standards, as well as through the secure software development life cycle (SDLC).
In addition to the diagnostic service, we also produce “diagnostic systems” that we provide to our users for free. Unfortunately, people are often more inclined to look for simple and universal automatic diagnostics, and for the same universal “cure for all ills”, than to turn to professionals for an accurate diagnosis, let alone to lead a healthy lifestyle. This is true of the health of both systems and humans. Therefore, the goal of our free services is to attract the attention of “patients”, to show the complexity of security problems, and to dispel the myth that there is some simple panacea for all security problems.
Contact us for professional diagnostics and treatment of your systems, networks, personnel and whole organization. Do it today, because an unpleasant surprise can happen at any time.