Washing Your Hands Online: Applying COVID-19 Lessons to Cybersecurity
There is no better time to understand personal and security hygiene together.
“Cutting out bad habits is far more effective than cutting out organs.”
— Herbert M. Shelton
One year ago, in Hong Kong, we heard about an unknown virus causing viral infections in Wuhan, China. As we experienced in 2003 with SARS, people in Hong Kong started buying detergent, disinfectants, and masks in early 2020, which was also the first time I learned about all the specifications of medical masks.
I can now tell you the difference between VFE, BFE, AMSL, 3-layers, and N95… Hong Kongers were forced to become experts on medical masks. Yet, we are still struggling every day and trying not to get sick.
As individuals are part of a society, we must remind ourselves to keep maintaining good personal hygiene. A healthy lifestyle (enough sleep, good nutrition, etc.) and handwashing can prevent us from getting infected. And for the love of all, stay home if you feel ill so as not to infect others. Just as we practice good personal hygiene, we should be practicing good security hygiene.
Here’s The Security Silver Bullet Scenario
A state-sponsored hacker group uses a zero-day exploit to breach the environment. This foothold lets them run a bunch of previously unknown, fileless attacks. The security team does not know it is happening.
Fortunately, their evil plan is defeated by a next-generation, AI-powered, automated security tool that detects and prevents it within nanoseconds! Sounds too good to be true? Sadly, it isn't possible, even with the most advanced technology at your side.
While silver bullets shine radiantly, unfortunately, they work mostly against werewolves, not real-life cybersecurity incidents. As I always say, security is about a mindset in which security professionals are required to consider the situation from different perspectives (PPT, PDC…) — attackers will always take the easiest path to breach your cyber defenses.
We should promote and implement a model comparable to public health hygiene globally, making basic cyber hygiene the norm for cybersecurity. Keeping good cyber hygiene is the best measure to help stay safe online.
Cyber Hygiene vs. Personal Hygiene
How can we do better with hygiene?
People are now more aware of the principles of disease prevention and control, such as patient zero, quarantine, and screening tests. That is why there is no better time to explain the security analogy of it: Cyber Hygiene.
It may be difficult for people to imagine washing hands and taking showers to stay safe online. The term is a metaphor, just as we long ago labelled malicious software a “virus” and a malfunctioning machine a “patient.”
If you take the analogy of personal hygiene, Cyber Hygiene is about equipping yourself to think proactively about your cybersecurity (a security mindset), similar to what you do every day to prevent COVID-19, in order to reduce the risk of cyber threats and online security events.
As humans, we all know that getting sick is inevitable. As security professionals, our primary goal is not to make sure everything is running as expected but to make sure the unexpected or unknown is minimized or mitigated.
Cyber Hygiene addresses uncomplicated actions that everyone can practice to help reduce cybersecurity risks. It is about day-to-day activities focused on prevention. With that, let’s walk through a basic concept.
Leavell and Clark’s Levels of Prevention
I would begin by explaining the similarity between Medical Hygiene and Cyber Hygiene. First, here is the concept of public health — Leavell and Clark’s Three Levels of Prevention:
- Primary Prevention — Seeks to prevent a disease or condition at a pre-pathologic state; to stop something from ever happening.
- Secondary Prevention — Seeks to identify specific illnesses or conditions early with prompt intervention to prevent disability.
- Tertiary Prevention — Occurs after a disease or disability has occurred and the recovery process has begun.
Next, below is the methodology I mentioned previously as PDC — Prevent, Detect, Correct in IR Triage:
- BEFORE — Preventive controls are designed to keep attacks from occurring in the first place. Controls may be automated, manual, or hybrid.
- DURING — Detective controls are designed to detect attacks that may have occurred.
- AFTER — Corrective controls, on the other hand, are designed to remediate attacks that have been detected.
As you can see, they are analogous by nature. Therefore, I am sure that by learning one of them, we can apply these concepts in both the digital and physical environments. Prevention, by all means, should be the focus as it keeps attacks from occurring in the first place.
How to wash your hands online?
Washing your phone under running water would not help you secure your email account. To prevent diseases, we first need to know how they are transmitted. Let’s think about cybersecurity as an analogy of personal healthcare.
What you do well in your daily healthcare routine should also carry over to your cyber self. In this case, washing your hands can be interpreted as logging out of your account and shutting down the machine after using it. Let’s walk through the factors one by one.
1# Keeping out the virus — Minimize the attack vector
Like the WHO recommendation to wear masks in public areas, washing your hands more frequently may cost you a minute or two of discomfort, but it also dramatically reduces the chances of a virus getting into your body.
This kind of measure is fundamental to every security policy. In cybersecurity, we also have measures to minimize the chance of “infection,” such as:
- Do not use public WiFi that has no or weak authentication.
- Never share your password or reuse the default password.
- Log out or shut down the computer when not in use.
- Install firewall and anti-malware applications.
Continuing awareness education should ensure these best practices are followed, and as the threat landscape changes (new applications, new technologies, new users…), the content and approach are adjusted.
It should be understood that the security landscape is always advancing. Like The Transformers: although Optimus Prime is still there to fight the new enemies, he always has new weapons or a new look.
What you just did flawlessly will be outdated one day. Periodic updates and reviews should always be on the table. Therefore, an open, creative, and flexible mindset is non-negotiable.
To wash hands online = Minimizing the attack vector with a fundamentals-first strategy.
2# Illness Screening — Regular Health-check
Some diseases only affect people with a particular gene expression. That is why DNA tests can screen out inherited gene defects before an illness develops. Regular health checks can help us spot the early symptoms and start treatment.
Countries are launching Covid tests in high-risk areas. The objective is the same as regularly scanning computers against known vulnerabilities: to keep security visibility as wide as possible so we can locate and fix the weak spots before a security event.
No one wants to get sick, but we need to know it before we can act. When cancer is diagnosed at an early stage, treatment is often more likely to be effective. For example, 9 out of 10 people survive bowel cancer when diagnosed early.
It is the same with the idea of “shift-left” in cybersecurity. “Shift-left” security means moving security to the earliest possible stage in the development process. Scanning the source code for problems is great for reducing not only security risk but also cost.
To find potential health problems, do regular health checks = Regular vulnerability scanning + shift-left
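To make the “shift-left” idea concrete, here is an added example (not code from the article) of the smallest useful source scanner: a handful of pattern rules run over the files a developer is about to commit, with a gate that fails the commit when a blocking finding appears. The rule set, the `Finding` type and the sample files are all constructed for this illustration; real SAST tools use proper parsers, but the workflow, scan early and fail fast, is the same.

```python
"""Added example: a minimal shift-left source scanner (hypothetical, not from the article)."""
import re
from dataclasses import dataclass

# Hypothetical rule set: (regex, rule id, message). Deliberately simple patterns.
RULES = [
    (re.compile(r"""(?i)\b(password|passwd|secret|api_key|token)\s*=\s*["'][^"']+["']"""),
     "HARDCODED_SECRET", "credential literal in source; load it from a secret store or env var"),
    (re.compile(r"\beval\s*\("), "EVAL", "eval() on data; prefer ast.literal_eval or explicit parsing"),
    (re.compile(r"shell\s*=\s*True"), "SHELL_TRUE", "subprocess with shell=True; pass an argument list instead"),
    (re.compile(r"verify\s*=\s*False"), "TLS_VERIFY_OFF", "TLS certificate verification disabled"),
    (re.compile(r"hashlib\.(md5|sha1)\s*\("), "WEAK_HASH", "MD5/SHA-1 are not suitable for passwords or integrity"),
]

# Findings that must block a commit; the rest are reported as warnings.
BLOCKING = frozenset({"HARDCODED_SECRET", "TLS_VERIFY_OFF"})


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    message: str


def scan_source(path, text):
    """Run every rule over every non-comment line; return findings in line order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.strip().startswith("#"):  # skip comment-only lines to cut noise
            continue
        for pattern, rule, message in RULES:
            if pattern.search(line):
                findings.append(Finding(path, lineno, rule, message))
    return findings


def scan_tree(files):
    """files: mapping path -> text, e.g. the staged files in a pre-commit hook."""
    out = []
    for path, text in sorted(files.items()):
        out.extend(scan_source(path, text))
    return out


def gate(findings, blocking=BLOCKING):
    """True when the change may proceed, i.e. no blocking rule fired."""
    return all(f.rule not in blocking for f in findings)


# Constructed sample input standing in for a small staged change.
SAMPLE_FILES = {
    "app/config.py": 'DB_HOST = "db.internal"\npassword = "hunter2"   # TODO remove\n',
    "app/fetch.py": "import requests\n\ndef fetch(url):\n    return requests.get(url, verify=False)\n",
    "app/util.py": '# eval("1+1")  only in a comment\nimport subprocess\n\ndef run(cmd):\n    return subprocess.run(cmd, shell=True)\n',
    "app/clean.py": "import hashlib\n\ndef digest(b):\n    return hashlib.sha256(b).hexdigest()\n",
}

if __name__ == "__main__":
    results = scan_tree(SAMPLE_FILES)
    for f in results:
        print(f"{f.path}:{f.line}: [{f.rule}] {f.message}")
    raise SystemExit(0 if gate(results) else 1)
```

On the constructed input the scanner reports the hard-coded password, the disabled TLS verification and the `shell=True` call, ignores the `eval` that only appears in a comment, and exits non-zero because two of the findings are blocking. Wiring the same script into a pre-commit hook or a CI job is what moves the check to the left of the pipeline.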
3# Stay healthy — Software updates and patches
Keeping the body fit also helps to strengthen the immune system. By doing that, the chance of virus infection is much lower, and the chance of survival for a healthy individual is much higher.
But how do you stay healthy in a digital world? How do you send your computer to the gym? You do it through software updates and patching. On the one hand, we need to check whether there is any weakness in the system. On the other hand, patching it as soon as a fix is available is also essential.
Sadly, we all know no system is perfect. What if the hacker is already in? Is there anything we can do, like our immune cells, to fight back or reduce the impact? Yes, for sure, there are things we can do. For starters, data can be protected by encryption.
For example, data loss can be minimized if the USB drive you lost on the bus is encrypted. Also, check the HTTPS certificate status of websites, especially those that take input, e.g., online banking and company mail, to minimize interception risk on public networks.
The best way to return systems and devices to normal after a successful ransomware attack is to restore a clean backup. This is why data backups are crucial to counter aggressive ransomware attacks. Back up the critical devices, emails, and other data regularly. And keep backups in multiple physical locations if possible.
With limited time and resources during the incident handling window, a comprehensive, systematic approach is essential during event verification. Adopting a streamlined, well-tested, predefined Incident Response process also shortens the response time and reduces impact.
To keep fit = Security updates and patches
To get well soon = Encryption + Backup + IR process
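A backup only helps you “get well soon” if you can tell it is still clean. The following is an added example (not code from the article) of one way to make that checkable: hash every file in the backup set into a manifest, sign the manifest with an HMAC key kept offline, and later compare the backup against it. The directory layout, the key value and the simulated ransomware run are all constructed for the demo; the point it shows is that per-file hashes reveal modified, missing and unexpected files, and that signing the manifest stops an intruder from simply rewriting the hashes to match encrypted files.

```python
"""Added example: verify a backup set against a signed hash manifest (hypothetical, not from the article)."""
import hashlib
import hmac
import json
import os
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def _canonical(files):
    return json.dumps(files, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(files, key):
    """HMAC over a canonical JSON encoding; the key lives offline, not beside the backup."""
    return {"files": files, "mac": hmac.new(key, _canonical(files), "sha256").hexdigest()}


def verify_signed(signed, key):
    expected = hmac.new(key, _canonical(signed["files"]), "sha256").hexdigest()
    return hmac.compare_digest(expected, signed["mac"])


def check_backup(root, signed, key):
    """Return (manifest_trusted, {path: ok|modified|missing|unexpected})."""
    if not verify_signed(signed, key):
        return False, {}
    current = build_manifest(root)
    status = {}
    for rel, digest in signed["files"].items():
        if rel not in current:
            status[rel] = "missing"
        elif current[rel] != digest:
            status[rel] = "modified"
        else:
            status[rel] = "ok"
    for rel in current:
        if rel not in signed["files"]:
            status[rel] = "unexpected"
    return True, status


def demo():
    """Constructed scenario: back up two files, then simulate ransomware on the copy."""
    key = b"offline-manifest-key"  # placeholder; a real key is random and stored offline
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "docs"))
        with open(os.path.join(root, "docs", "report.txt"), "w") as f:
            f.write("quarterly figures\n")
        with open(os.path.join(root, "notes.txt"), "w") as f:
            f.write("todo\n")
        signed = sign_manifest(build_manifest(root), key)

        clean_ok, clean = check_backup(root, signed, key)

        # Simulated encryption: one file renamed and overwritten, one overwritten in place.
        os.rename(os.path.join(root, "notes.txt"), os.path.join(root, "notes.txt.locked"))
        with open(os.path.join(root, "notes.txt.locked"), "wb") as f:
            f.write(os.urandom(32))
        with open(os.path.join(root, "docs", "report.txt"), "wb") as f:
            f.write(os.urandom(32))
        hit_ok, hit = check_backup(root, signed, key)

        # Intruder rewrites the hashes to match the damaged files but lacks the key.
        forged = {"files": build_manifest(root), "mac": signed["mac"]}
        forged_ok, _ = check_backup(root, forged, key)
    return clean_ok, clean, hit_ok, hit, forged_ok


if __name__ == "__main__":
    print(demo())
```

In practice the manifest and its key are stored with the offline copy of the backup, and the check runs before a restore is trusted; a backup that has drifted from its manifest is evidence for the incident response process, not a recovery point.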
Final Words: Bringing up the awareness of the importance of cybersecurity hygiene goes a long way.
Until you get the security basics right, all the fancy, most advanced technology in the world cannot protect us from cyber-attacks. We keep washing our hands out of fear of the deadly viral pandemic. Yet, we fail to do basic things for our “cyber self,” like security updates and strong passwords.
We are still struggling to make people and companies do the fundamentals to protect themselves from cyber threats. People continue using one password for multiple logins, clicking the “lottery email,” and forgetting data backups. Each of these turns into an individual incident and together they create a massive burden for the security team.
This fundamentals-first strategy is no surprise to experienced security professionals. Meanwhile, we rely heavily on advanced threat detection tools and AI-assisted SOCs; those techniques are useful, but they do not remove the underlying cybersecurity risks.
Good cybersecurity hygiene — keeping the attack vector minimal, continuing education, maximizing visibility into the system, and patching — should be the real “Silver Bullet” that can dramatically reduce the risk at the weakest link in the picture (the people pillar).
Thank you for reading — happy reading and maintaining good (personal and cyber) hygiene.