Endpoint

11/6/2015
11:00 PM
Dug Song
Dug Song
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
50%
50%

What Flu Season Can Teach Us About Fighting Cyberattacks

Cybersecurity doesn't have to be an arms race towards complexity if we put people front and center of the solution.

Every winter there is an outbreak of flu. The virus evolves rapidly and mutates. Annually the flu causes three to five million cases of severe illness and the death toll can reach half a million people. Serious pandemics like the Asian Flu, Hong Kong Flu, and Spanish Flu each claimed more than a million lives. In 2009, the Swine Flu pandemic outbreak began in Veracruz, Mexico. Swine Flu infected an estimated 10 million to 200 million people. But the outbreak was controlled and the fatality rate of 18,500 (0.03%) was far less than experts feared at first.

Despite the dramatic toll that influenza takes, it has been well controlled by a few basic best practices. Good health and hygiene practices including frequent hand washing, covering coughs and sneezes, and avoiding close contact with sick people to reduce the transmission of the flu virus. According to the Centers for Disease Control, hand washing is the single most important thing we can do to keep from getting sick and spreading illness to others. Vaccination has also helped reduce the risk of getting the flu by up to 90%.

While cybersecurity breaches don’t kill people, the costs can be very high. But unlike public health emergencies, breach responses tend to be isolated, uncoordinated, and unfortunately not very effective; our industry regularly overlooks effective, common-sense approaches and fundamental preventative security controls. For example, the U.S. Inspector General’s Office warned the Office of Personnel Management the year before its massive breach to implement elementary preventive measures. The OPM failed to heed those warnings and got hacked.

Promoting best security practices is a lot like promoting healthy hygiene. The more people we can recruit to adopt basic, effective security practices, the safer we will all be. There's no reason we can't combat malware as effectively as we respond to biological viruses.

We have to change our ways.

The estimated annual cost of influenza in the U.S. ranges up to $87 billion, according to the National Institutes of Health. Cybercriminals last year stole six times more from the global economy than the U.S. spent fighting the flu. McAfee estimates annual global losses to cybercrime approached half a billion dollars in 2014 (0.69% of U.S. GDP) with more than 200,000 jobs lost in the United States. In the battle against cybercrime, we continue to fall behind.

Our fundamental challenge is asymmetry. As every hacker knows, any system or company is only as secure as its weakest link. Organizations need to protect every device, server, application, system, credential, and user. But a hacker only needs to steal just one user ID and password to get in. The way to improve cybersecurity is to take this traditional weakness and turn it against the enemy by drafting users into the solution. Instead of being a point of vulnerability, users become our front line defense by focusing on the fundamentals of good security hygiene -- the digital equivalent of washing your hands or covering your mouth when you cough. If we all incorporated these four simple practices into our daily lives, we’d shut down most cyberattacks:

  • Update the devices and software you use frequently. Vendors constantly patch bugs in their products. If you don't have a policy to run the latest versions of software releases on your servers, laptops, and smartphones, you're leaving known vulnerabilities open to hackers.
  • The most popular password in the world remains 123456. Stop trying to memorize lengthy passwords. Use a password manager like LastPass that automates the generation of complex passwords.
  • Use two-factor authentication. A hacker may steal your passwords, but it’s nearly impossible to steal those and your smartphone or token at the same time.
  • Use common sense with your email. Never open email attachments or click on links from a sender you don’t know and trust

Share these suggestions with your work colleagues, friends, and family. Cybersecurity doesn't have to be an arms race towards complexity. Like fighting the spread of a deadly flu, it’s much better if we put people front and center as part of the solution.

Prior to co-founding Duo Security where he serves as CEO, Dug Song spent seven years as founding chief security architect at Arbor Networks, developers of network software that protects 80 percent of the world's Internet service providers. Before Arbor, Song built the first ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
11/9/2015 | 1:15:21 PM
Good Practices
These are good practices that need to be followed much more than they currently are especially when it comes to password complexity. However, this is only small faction of things to consider when fighting cyber attacks. I'm completely for Occam's Razor but sometimes it is difficult to simplify such a granular topic.
ANON1251724318124
50%
50%
ANON1251724318124,
User Rank: Apprentice
11/9/2015 | 10:15:57 AM
Login and passwords for websites you will never visit again.
In my opinion too many websites want the user to have an account.   Yes they can resell the information the gather and have a revenue stream.   Im my case if the site is one that I do not think I will every visit gain then I do one of two thrings.  1.  Use fictious information ([email protected])  .   2.  Use somestandard login and passwords so I can remember it.    The latter practice is what causes problems.   If you only had a half dozen accounts then remembering would not be a chose but with literally hundres of accounts then the human mind demands simplification. 

 

I want websites to allow me to do business withotu an account,   I am willing enter my name, address and phonenumber each time in trade for the mercahnt not storing anything.

Finanlly as far a two factor authenification it may be technically secure but I do not need another device or application that I need to protect.    If I lose my cell phone that I would have to spend days reconstructing accounts.   That is too high a price.   The cheaper price is not having accounts,

 

 

 

 
'PowerSnitch' Hacks Androids via Power Banks
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/8/2018
The Case for a Human Security Officer
Ira Winkler, CISSP, President, Secure Mentem,  12/5/2018
Windows 10 Security Questions Prove Easy for Attackers to Exploit
Kelly Sheridan, Staff Editor, Dark Reading,  12/5/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-8651
PUBLISHED: 2018-12-12
A cross site scripting vulnerability exists when Microsoft Dynamics NAV does not properly sanitize a specially crafted web request to an affected Dynamics NAV server, aka "Microsoft Dynamics NAV Cross Site Scripting Vulnerability." This affects Microsoft Dynamics NAV.
CVE-2018-8652
PUBLISHED: 2018-12-12
A Cross-site Scripting (XSS) vulnerability exists when Windows Azure Pack does not properly sanitize user-provided input, aka "Windows Azure Pack Cross Site Scripting Vulnerability." This affects Windows Azure Pack Rollup 13.1.
CVE-2018-8617
PUBLISHED: 2018-12-12
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-8583, CVE-2018-8...
CVE-2018-8618
PUBLISHED: 2018-12-12
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-8583, CVE-2018-8...
CVE-2018-8619
PUBLISHED: 2018-12-12
A remote code execution vulnerability exists when the Internet Explorer VBScript execution policy does not properly restrict VBScript under specific conditions, aka "Internet Explorer Remote Code Execution Vulnerability." This affects Internet Explorer 9, Internet Explorer 11, Internet Exp...