Cybersecurity is cyber health
The main thing is health. If there is health, there is everything.
Part 1. Seven stages and factors of cyber diseases
Cyber health is similar to human health, and information security to medicine. Why do computer systems “get sick“? In information systems (applications, websites, networks and organizations in general), we can observe the same causes and stages of disease as in the human body:
- “Bad genes”. Software or configurations may include or use unreliable, obsolete components. This is an example of technical security vulnerability. Vulnerability is an internal flaw of a software product, an information system or an entire organization. Unlike vulnerability, threat is a factor external to the system. For example, computer viruses, hackers, offended employees, competitors or a power surge that can destroy information.
- “Failure to practice hygiene”, “promiscuous sex”, etc. can lead to infection. Similarly, non-compliance with cyber hygiene – indiscriminate use of unreliable websites, software products, components, technologies – can lead to infection or create a security hole.
- “Infection”. Just as inside the body, where thousands of different microbes always reside without causing harm to humans, there are always technical vulnerabilities in computer systems. These vulnerabilities do not immediately lead to security incidents. When several external (environment) and internal (immunity) factors are combined, the infection begins to develop. Similarly, when external and internal circumstances (certain security threats and vulnerabilities) are combined, a security incident occurs and causes damage. Just as a person may die from a disease, an organization may collapse as a result of, for example, leakage or theft of critical information.
- “Lack of vaccinations”. Software developers, system administrators, and information security specialists tend to have some experience with technical vulnerabilities, security threats, and cyber attacks, but this experience may not cover many specific vulnerabilities and threats. A lack of proper prevention in these areas is prone to contracting a “disease”, i.e. a security incident.
- “Unbalanced nutrition”. The “diet” of an organization is its business processes and technological processes. Let's consider insufficient organizational security: disorder in the documentation, responsibility, inventory, change management, etc. This leads to all sorts of losses and security incidents. On the other hand, excessive bureaucratization, documentation, and authorization will inhibit business. Therefore, a balance is just as important here as in nutrition. “Harmful nutrition” is a bad process organization.
- “The body weakening due to stressful conditions”. If the staff are overworked, they can often neglect security procedures. As with a healthy lifestyle, the effects of safety precautions can't be seen immediately and, therefore, are often underestimated.
- “Chronic and acute diseases”. Security incidents, like illnesses, can be long and latent, or quick and painful. Damage from incidents may not be noticeable at first but can accumulate over time, undermining the overall health of the system or organization. Vulnerabilities and minor incidents, once accumulated, can break through at the weakest point, at the most inopportune moment.
Such analogies make it possible to look at the cybersecurity problems from a new perspective. This will help you to reassess the importance of cybersecurity.
The causes and stages of "diseases" described above not only apply to the technical components of information systems but also to the staff. If we conventionally consider employees of an organization as a component of its information system, then their psychological vulnerabilities (negligence, talkativeness, boasting, fear, gullibility, etc.) must also be assessed. These human vulnerabilities are also often the cause of security incidents. Sociotechnical security is a totally different field. A lot of fascinating books have been written about social engineering, and in particular, penetration into an organization or theft of its secrets through psychological influence on its employees.
Part 2. Seven "symptoms" of cyber "disease" and diagnostic approaches
How do you know that your organization or startup need to have a check-up? How do you not miss the moment? How do you recognize the earliest symptoms? Using the analogy above, we can note the following situations that require cyberdiagnostics:
- “Pregnancy”. Authors of ideas, software architects and developers should be following security guidelines prior to and during the “conception” of their software product. It may be too late when they are already “pregnant”. Conducting a technical security assessment of a product at the PoC (Proof of Concept), MVP (Minimum Viable Product) or beta-version stage is as necessary as a fetal ultrasound at weeks 13, 22 and 33 of gestation.
- “Newborns and children”. Your brainchild's lack of security can undermine its future success just as a child's poor health can threaten their life. How often parents bring their child to the doctor, depends on their experience, anxiety or carelessness. However, there are also external requirements, which regulate the check-ups.
- “External requirements”. In some cases (admittance to kindergarten or school, insurance, certain jobs, etc.) we are required to have health check-ups, vaccinations or medical certificates. Similarly, there are requirements of state bodies, regulators and partners that prescribe regular security audits. They include technical assessment and penetration testing. In the USA, EU and other countries, for important industries (energy, payment systems, health care again), these requirements are enshrined in law.
- “Epidemic”. Just as there can be an epidemic of a certain virus in some areas, certain types of cyber-attacks are more prominent in certain industries or organizations. For example, almost all modern international conflicts, disputes and rivalries (Israel and Palestine, North Korea and the USA, China and the USA, etc.) invariably use cyber warfare. If your users are in one of these countries, or your product is in some way connected with such conflicts, there is an increased risk of your involvement in the cyberwar. Unlike traditional warfare, cyber warfare is carried out covertly, but can still inflict billions in damage. Similar wars, albeit on a smaller scale, occur in highly competitive national and international markets.
- “Relapse”. If you have ever suffered from a chronic or acute condition, you will pay attention to the symptoms and recommendations concerning this particular disease. Similarly, if you have ever encountered security incidents caused by certain vulnerabilities (weak passwords, lack of backups, etc.) or threats (website hacking, social network account hacking, laptop theft, etc.), then you will pay attention to these particular threats. Although Heraclitus said “no man ever steps into the same river twice”, a satirical poet adds that it’s perfectly possible to “step into one shit many times”. And here prevention can help you.
- “Prevention”. Just as it is beneficial to know what infections are going around amongst your family, friends and community, and take precautions, it is useful to keep track of what security problems other organizations are facing. It is always better to learn from others' mistakes than your own. Just as an educated person undergoes regular medical examinations, takes vitamins in the winter or gets vaccinations before traveling to Africa, you need to take security measures and diagnose technical vulnerabilities at the right moment. For example, when a project for a new system is being created; when a major change in network infrastructure is planned; when an employee who had administrator access is dismissed; when you discover that the staff are becoming negligent has increased; when small security problems accumulate (before they develop into large ones); when IPO, ICO, mergers and acquisitions are planned. For security, it is extremely important not to miss such moments. In information security, there is a good practice of "security hardening", when security measures are taken even before there are any symptoms, which is analogues to cold water therapy or similar healthy lifestyle techniques.
- “Psychological help”. Finally, security, like health, is not only a state but also a feeling. In other words, being completely secure includes feeling secure. Quite naturally, when you are not sure of your physical or emotional health, you go to see a doctor or a therapist. Similarly, when you are unsure of your systems or personnel, you conduct an audit or penetration testing to detect technical and sociotechnical vulnerabilities.
Part 3. Cyber Hygiene and Diagnostics
To prevent cyber "infections" and cyber "injuries", it is very important to observe cyber hygiene by using legal software, downloading it from reliable sources, not following unreliable links, creating long complex passwords and so on. The more rules there are, the harder it is to comply with them, and work becomes less convenient. Here security systems come to the rescue.
Famous modern antivirus software, such as ESET, McAfee, Kaspersky, etc. are like multivitamin pills, antibiotics, syringes, blood pressure monitors, and surgical masks. They offer a wide range of tools but can't protect you from everything. This is especially true when it comes to secure software development. You may also require an “MRI”, “ultrasound”, and “X-ray”. This is the field of advanced diagnostic tools, unlike generic antivirus solutions. And that's where H-X Technologies comes in, together with such companies as Qualys, Acunetix, Tenable, Rapid7, IBM, Veracode, etc.
Even the best equipment in the hands of non-professionals is a “bucket of bolts”. We are professionals in diagnosing and finding the right “treatment” methods, as well as advising on “a healthy lifestyle” for systems and organizations.
- To find the most vulnerable areas of your security, we simulate the actions of hackers and other intruders. Learn more about penetration testing and get a free consultation.
- “Smart” security is built at the earliest stages of creating information systems and organizations, such as: development, selection, purchase and implementation of systems, entering into contracts with partners, hiring employees, choosing offices, writing policies and procedures. Errors in these stages can weaken the system, infrastructure or even the whole organization. Therefore, not only do we determine the presence of “diseases and frailties” in systems before they are infected or attacked but also eliminate the root causes of such problems. We achieve such proactive prevention by implementing information security management systems and certifying them with ISO 27001, PCI DSS and other standards, as well as through the secure software development life cycle (SDLC).
In addition to the diagnostic service, we also produce diagnostic systems, which we provide to our users for free. Unfortunately, people are often more inclined to look for simple and universal diagnostics, the proverbial “cure-all”, rather than turning to professionals for an accurate diagnosis, let alone leading a healthy lifestyle. This is true regarding the health of both systems and humans. Therefore, the goal of our free services is to attract the attention of “patients” to show the complexity of security problems and to dispel the myth that there is some simple panacea for all security problems.
Contact us for professional diagnostics and treatment of your systems, networks, personnel and organization. Do it today, because an unpleasant surprise can happen at any time.
Follow us on the social networks:
Who we are, what we do and what we offer.
About penetration tests.