11:00 PM
Dug Song
Dug Song
Connect Directly
E-Mail vvv

What Flu Season Can Teach Us About Fighting Cyberattacks

Cybersecurity doesn't have to be an arms race towards complexity if we put people front and center of the solution.

Every winter there is an outbreak of flu. The virus evolves rapidly and mutates. Annually the flu causes three to five million cases of severe illness and the death toll can reach half a million people. Serious pandemics like the Asian Flu, Hong Kong Flu, and Spanish Flu each claimed more than a million lives. In 2009, the Swine Flu pandemic outbreak began in Veracruz, Mexico. Swine Flu infected an estimated 10 million to 200 million people. But the outbreak was controlled and the fatality rate of 18,500 (0.03%) was far less than experts feared at first.

Despite the dramatic toll that influenza takes, it has been well controlled by a few basic best practices. Good health and hygiene practices including frequent hand washing, covering coughs and sneezes, and avoiding close contact with sick people to reduce the transmission of the flu virus. According to the Centers for Disease Control, hand washing is the single most important thing we can do to keep from getting sick and spreading illness to others. Vaccination has also helped reduce the risk of getting the flu by up to 90%.

While cybersecurity breaches don’t kill people, the costs can be very high. But unlike public health emergencies, breach responses tend to be isolated, uncoordinated, and unfortunately not very effective; our industry regularly overlooks effective, common-sense approaches and fundamental preventative security controls. For example, the U.S. Inspector General’s Office warned the Office of Personnel Management the year before its massive breach to implement elementary preventive measures. The OPM failed to heed those warnings and got hacked.

Promoting best security practices is a lot like promoting healthy hygiene. The more people we can recruit to adopt basic, effective security practices, the safer we will all be. There's no reason we can't combat malware as effectively as we respond to biological viruses.

We have to change our ways.

The estimated annual cost of influenza in the U.S. ranges up to $87 billion, according to the National Institutes of Health. Cybercriminals last year stole six times more from the global economy than the U.S. spent fighting the flu. McAfee estimates annual global losses to cybercrime approached half a billion dollars in 2014 (0.69% of U.S. GDP) with more than 200,000 jobs lost in the United States. In the battle against cybercrime, we continue to fall behind.

Our fundamental challenge is asymmetry. As every hacker knows, any system or company is only as secure as its weakest link. Organizations need to protect every device, server, application, system, credential, and user. But a hacker only needs to steal just one user ID and password to get in. The way to improve cybersecurity is to take this traditional weakness and turn it against the enemy by drafting users into the solution. Instead of being a point of vulnerability, users become our front line defense by focusing on the fundamentals of good security hygiene -- the digital equivalent of washing your hands or covering your mouth when you cough. If we all incorporated these four simple practices into our daily lives, we’d shut down most cyberattacks:

  • Update the devices and software you use frequently. Vendors constantly patch bugs in their products. If you don't have a policy to run the latest versions of software releases on your servers, laptops, and smartphones, you're leaving known vulnerabilities open to hackers.
  • The most popular password in the world remains 123456. Stop trying to memorize lengthy passwords. Use a password manager like LastPass that automates the generation of complex passwords.
  • Use two-factor authentication. A hacker may steal your passwords, but it’s nearly impossible to steal those and your smartphone or token at the same time.
  • Use common sense with your email. Never open email attachments or click on links from a sender you don’t know and trust

Share these suggestions with your work colleagues, friends, and family. Cybersecurity doesn't have to be an arms race towards complexity. Like fighting the spread of a deadly flu, it’s much better if we put people front and center as part of the solution.

Prior to co-founding Duo Security where he serves as CEO, Dug Song spent seven years as founding chief security architect at Arbor Networks, developers of network software that protects 80 percent of the world's Internet service providers. Before Arbor, Song built the first ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
11/9/2015 | 1:15:21 PM
Good Practices
These are good practices that need to be followed much more than they currently are especially when it comes to password complexity. However, this is only small faction of things to consider when fighting cyber attacks. I'm completely for Occam's Razor but sometimes it is difficult to simplify such a granular topic.
User Rank: Apprentice
11/9/2015 | 10:15:57 AM
Login and passwords for websites you will never visit again.
In my opinion too many websites want the user to have an account.   Yes they can resell the information the gather and have a revenue stream.   Im my case if the site is one that I do not think I will every visit gain then I do one of two thrings.  1.  Use fictious information ([email protected])  .   2.  Use somestandard login and passwords so I can remember it.    The latter practice is what causes problems.   If you only had a half dozen accounts then remembering would not be a chose but with literally hundres of accounts then the human mind demands simplification. 


I want websites to allow me to do business withotu an account,   I am willing enter my name, address and phonenumber each time in trade for the mercahnt not storing anything.

Finanlly as far a two factor authenification it may be technically secure but I do not need another device or application that I need to protect.    If I lose my cell phone that I would have to spend days reconstructing accounts.   That is too high a price.   The cheaper price is not having accounts,




Russia Hacked Clinton's Computers Five Hours After Trump's Call
Robert Lemos, Technology Journalist/Data Researcher,  4/19/2019
Tips for the Aftermath of a Cyberattack
Kelly Sheridan, Staff Editor, Dark Reading,  4/17/2019
Why We Need a 'Cleaner Internet'
Darren Anstee, Chief Technology Officer at Arbor Networks,  4/19/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-04-23
The Siemens R3964 line discipline driver in drivers/tty/n_r3964.c in the Linux kernel before 5.0.8 has multiple race conditions.
PUBLISHED: 2019-04-23
The Linux kernel before 5.1-rc5 allows page->_refcount reference count overflow, with resultant use-after-free issues, if about 140 GiB of RAM exists. This is related to fs/fuse/dev.c, fs/pipe.c, fs/splice.c, include/linux/mm.h, include/linux/pipe_fs_i.h, kernel/trace/trace.c, mm/gup.c, and mm/hu...
PUBLISHED: 2019-04-23
Google TensorFlow 1.6.x and earlier is affected by: Null Pointer Dereference. The type of exploitation is: context-dependent.
PUBLISHED: 2019-04-23
Google TensorFlow 1.7 and below is affected by: Buffer Overflow. The impact is: execute arbitrary code (local).
PUBLISHED: 2019-04-23
VVX products using UCS software version 5.8.0 and earlier with Better Together over Ethernet Connector (BToE) application version 3.8.0 and earlier uses hard-coded credentials to establish a connection between the host application and device.