Part 1. Seven stages and factors of cyber diseases
Cyber health is similar to human health, and information security to medicine. Why do computer systems “get sick”? In information systems (applications, websites, networks, and organizations in general), we can observe the same causes and stages of disease as in the human body:
“Bad genes”. Software or configurations may include or use unreliable, obsolete components. This is an example of a technical security vulnerability. A vulnerability is an internal flaw of a software product, an information system, or an entire organization. Unlike a vulnerability, a threat is a factor external to the system: for example, computer viruses, hackers, disgruntled employees, competitors, or a power surge that can destroy information.
“Failure to practice hygiene”, “promiscuous sex”, etc. can lead to infection. Similarly, non-compliance with cyber hygiene – indiscriminate use of unreliable websites, software products, components, technologies – can lead to infection or create a security hole.
“Infection”. Just as inside the body, where thousands of different microbes always reside without causing harm to humans, there are always technical vulnerabilities in computer systems. These vulnerabilities do not immediately lead to security incidents. When several external (environment) and internal (immunity) factors are combined, the infection begins to develop. Similarly, when external and internal circumstances (certain security threats and vulnerabilities) are combined, a security incident occurs and causes damage. Just as a person may die from a disease, an organization may collapse as a result of, for example, leakage or theft of critical information.
“Lack of vaccinations”. Software developers, system administrators, and information security specialists tend to have some experience with technical vulnerabilities, security threats, and cyber attacks, but this experience may not cover many specific vulnerabilities and threats. A lack of proper prevention in these areas makes the system prone to contracting a “disease”, i.e. a security incident.
“Unbalanced nutrition”. The “diet” of an organization is its business processes and technological processes. Consider insufficient organizational security: disorder in documentation, responsibilities, inventory, change management, etc. This leads to all sorts of losses and security incidents. On the other hand, excessive bureaucratization, documentation, and authorization will inhibit the business. Therefore, balance is just as important here as in nutrition. “Harmful nutrition” is poorly organized processes.
“The body weakening due to stressful conditions”. If the staff are overworked, they can often neglect security procedures. As with a healthy lifestyle, the effects of safety precautions can’t be seen immediately and, therefore, are often underestimated.
“Chronic and acute diseases”. Security incidents, like illnesses, can be long and latent, or quick and painful. Damage from incidents may not be noticeable at first but can accumulate over time, undermining the overall health of the system or organization. Vulnerabilities and minor incidents, once accumulated, can break through at the weakest point, at the most inopportune moment.
Such analogies make it possible to look at the cybersecurity problems from a new perspective. This will help you to reassess the importance of cybersecurity.
The causes and stages of “diseases” described above not only apply to the technical components of information systems but also to the staff. If we conventionally consider employees of an organization as a component of its information system, then their psychological vulnerabilities (negligence, talkativeness, boasting, fear, exposure to influence, etc.) must also be assessed. These human vulnerabilities are also often the cause of security incidents. Sociotechnical security is a separate universe. A lot of fascinating books have been written about social engineering, that is, penetration into an organization or theft of its secrets through psychological influence on its employees.
Part 2. Seven symptoms of the cyber disease and diagnostic situations
How do you understand that your organization or startup needs to be diagnosed? How do you avoid missing the right moments? How do you recognize the earliest symptoms? Using again the accepted analogy and the factors listed above, we can note the following situations that require cyber diagnostics:
“Pregnant”. Authors of ideas, software architects and developers should not wait until they become “pregnant” with the development plans for their products but should build security into them before their “conception”. Conducting a technical security assessment of a product at the stages of PoC (Proof of Concept), MVP (Minimum Viable Product) or beta version is the same as a fetal ultrasound at weeks 13, 22 and 33 of gestation. Must have.
“Newborns and children”. The low security of your brainchild can undermine its success just as a child’s poor health can damage their life or even take it away. How often to bring the child in for a check-up, the parents decide according to their competence, anxiety, or carelessness. However, there are also external requirements, without the fulfillment of which it would not be possible to send the child to kindergarten, school, etc. The next item is about that.
“External requirements”. Just as in some cases (insurance, certain jobs, etc.) we are required to have health check-ups, vaccinations or medical certificates, there are requirements of state bodies, regulators, and partners that prescribe regular security audits. They include technical assessment and penetration testing. In the USA, EU, and other countries, for important industries (energy, payment systems, health care again), these requirements are enshrined in law.
“Epidemic”. Just as in the case of a virus epidemic in some areas, there are heightened threats of certain types of cyberattacks in certain industries or types of organizations. For example, almost all modern international conflicts, disputes and rivalries (Israel and Palestine, North Korea and the USA, China and the USA, the USA and Russia, the United Kingdom and Russia, Ukraine and Russia, etc.) invariably involve cyber warfare. If your users are in one of these countries, or your product is in some way connected with such conflicts, there is an increased risk of your involvement in the cyberwar. Unlike traditional wars, cyberwars occur covertly, but at the same time the parties inflict billions in damage on each other. Similar wars, albeit on a smaller scale, occur in highly competitive national and international product markets.
“Relapse”. If you have often suffered from some kind of mild illness, or at least once from a severe one, you will pay attention to the diagnostics of these particular diseases. Similarly, if you previously encountered security incidents caused by certain vulnerabilities (weak passwords, lack of backups, etc.) or threats (website hacking, social network account hacking, laptop theft, etc.), then you will pay attention to and monitor exactly these negative factors. Although there is a general rule that “you can’t step into the same river twice”, a satirical poet adds that it’s perfectly possible to “step into one shit many times”. The next point is about this.
“Prevention”. Just as it is useful to observe what your parents, friends, acquaintances, and the people around you have been ill with, and take precautions, it is useful to keep track of what security problems other organizations face. It is always more beneficial to learn from the mistakes of others than from your own. Just as an educated and wise person undergoes regular medical examinations, takes vitamins in the winter, or gets vaccinated before traveling to Africa, you need to take security measures and diagnose technical vulnerabilities at the right moments. For example: when a project for a new system is being created; when a major change in network infrastructure is planned; when an employee who had administrator access is dismissed; when you notice that staff negligence has increased; when small security problems accumulate (before they develop into large ones); when an IPO, ICO, merger or acquisition is planned. For security, it is extremely important not to miss such moments. In information security, there is a good term, “security hardening”, which is analogous to toughening the body with cold water.
“Psychological help”. Finally, security, like health, is not only a state but also a feeling. In other words, besides objective security, there is its subjective component. Quite naturally, when you are not sure of your physical or emotional health, you undergo a medical diagnosis or go to a psychotherapist. Similarly, when you are unsure of your systems or personnel, you conduct an audit or penetration testing to detect technical and sociotechnical vulnerabilities.
Part 3. Cyber Hygiene and Diagnostics
For the prevention of cyber infections and cyber injuries, it is very important to observe cyber hygiene: use legal software, download it from reliable sources, do not follow untrusted links, create long complex passwords, and so on. The more such rules there are, the harder they are to comply with, and the more they reduce the convenience of work. That is where security systems come to help.
Well-known modern antivirus products (Norton/Symantec, McAfee, Kaspersky, etc.) are like a kit of vitamins, antibiotics, syringes, blood pressure monitors, and face masks. The kit is quite wide, but not universal, especially when it comes to secure software development. To continue the analogy, there are also “manufacturers of MRI, ultrasound and X-ray machines”: the segment of specialized deep diagnostics. In this segment we work alongside companies such as Qualys, Acunetix, Tenable, Rapid7, IBM, Veracode, etc.
Even the best equipment in the hands of non-professionals is a “bucket of bolts”. We are professionals in diagnosing systems and defining methods of treating them, as well as in the “healthy lifestyle” of systems and organizations:
To find the most important areas of your security that need improvement, we simulate the actions of hackers and other intruders. Learn more about penetration testing and get a free consultation.
“Smart” security is built in at the earliest stages of creating information systems and organizations: at the stages of development, selection, purchase, and implementation of systems; entering into contracts with partners; hiring employees; choosing offices; describing operations; and other situations in which errors can weaken the system, the infrastructure or the whole organization. Therefore, we not only determine the presence of “diseases and weaknesses” in systems before they are infected or attacked but also eliminate the earliest prerequisites for the occurrence of such drawbacks and weaknesses. Such proactive prevention is achieved through the implementation of information security management systems and their certification for compliance with ISO 27001, PCI DSS and other standards, as well as through a secure software development life cycle (SDLC).
In addition to the diagnostic service, we also produce “diagnostic systems” that we provide to our users for free. Unfortunately, people are often more inclined to look for simple and universal automatic diagnostics, and the same universal “cure for all ills”, than to turn to professionals for an accurate diagnosis, let alone to lead a healthy lifestyle. This is true of the health of both systems and humans. Therefore, the goal of our free services is to attract the attention of “patients”, to show the complexity of security problems, and to dispel the myth that there is some simple panacea for all security problems.