Dark Reading is part of the Informa Tech Division of Informa PLC


11/6/2015
11:00 PM
Dug Song
Commentary

What Flu Season Can Teach Us About Fighting Cyberattacks

Cybersecurity doesn't have to be an arms race towards complexity if we put people front and center of the solution.

Every winter there is an outbreak of flu. The virus evolves rapidly and mutates. Annually the flu causes three to five million cases of severe illness and the death toll can reach half a million people. Serious pandemics like the Asian Flu, Hong Kong Flu, and Spanish Flu each claimed more than a million lives. In 2009, the Swine Flu pandemic outbreak began in Veracruz, Mexico. Swine Flu infected an estimated 10 million to 200 million people. But the outbreak was controlled and the fatality rate of 18,500 (0.03%) was far less than experts feared at first.

Despite the dramatic toll that influenza takes, it has been well controlled by a few basic best practices. Good health and hygiene practices, including frequent hand washing, covering coughs and sneezes, and avoiding close contact with sick people, reduce the transmission of the flu virus. According to the Centers for Disease Control, hand washing is the single most important thing we can do to keep from getting sick and spreading illness to others. Vaccination has also helped reduce the risk of getting the flu by up to 90%.

While cybersecurity breaches don’t kill people, the costs can be very high. But unlike public health emergencies, breach responses tend to be isolated, uncoordinated, and unfortunately not very effective; our industry regularly overlooks effective, common-sense approaches and fundamental preventative security controls. For example, the U.S. Inspector General’s Office warned the Office of Personnel Management the year before its massive breach to implement elementary preventive measures. The OPM failed to heed those warnings and got hacked.

Promoting best security practices is a lot like promoting healthy hygiene. The more people we can recruit to adopt basic, effective security practices, the safer we will all be. There's no reason we can't combat malware as effectively as we respond to biological viruses.

We have to change our ways.

The estimated annual cost of influenza in the U.S. ranges up to $87 billion, according to the National Institutes of Health. Cybercriminals last year stole six times more from the global economy than the U.S. spent fighting the flu. McAfee estimates annual global losses to cybercrime approached half a billion dollars in 2014 (0.69% of U.S. GDP) with more than 200,000 jobs lost in the United States. In the battle against cybercrime, we continue to fall behind.

Our fundamental challenge is asymmetry. As every hacker knows, any system or company is only as secure as its weakest link. Organizations need to protect every device, server, application, system, credential, and user. But a hacker needs to steal just one user ID and password to get in. The way to improve cybersecurity is to take this traditional weakness and turn it against the enemy by drafting users into the solution. Instead of being a point of vulnerability, users become our front-line defense by focusing on the fundamentals of good security hygiene -- the digital equivalent of washing your hands or covering your mouth when you cough. If we all incorporated these four simple practices into our daily lives, we’d shut down most cyberattacks:

  • Update the devices and software you use frequently. Vendors constantly patch bugs in their products. If you don't have a policy to run the latest versions of software releases on your servers, laptops, and smartphones, you're leaving known vulnerabilities open to hackers.
  • The most popular password in the world remains 123456. Stop trying to memorize lengthy passwords. Use a password manager like LastPass that automates the generation of complex passwords.
  • Use two-factor authentication. A hacker may steal your passwords, but it’s nearly impossible to steal those and your smartphone or token at the same time.
  • Use common sense with your email. Never open email attachments or click on links from a sender you don’t know and trust.

Share these suggestions with your work colleagues, friends, and family. Cybersecurity doesn't have to be an arms race towards complexity. Like fighting the spread of a deadly flu, it’s much better if we put people front and center as part of the solution.

Prior to co-founding Duo Security where he serves as CEO, Dug Song spent seven years as founding chief security architect at Arbor Networks, developers of network software that protects 80 percent of the world's Internet service providers. Before Arbor, Song built the first ...

Comments
RyanSepe,
User Rank: Ninja
11/9/2015 | 1:15:21 PM
Good Practices
These are good practices that need to be followed much more than they currently are, especially when it comes to password complexity. However, this is only a small fraction of things to consider when fighting cyber attacks. I'm completely for Occam's Razor but sometimes it is difficult to simplify such a granular topic.
ANON1251724318124,
User Rank: Apprentice
11/9/2015 | 10:15:57 AM
Login and passwords for websites you will never visit again.
In my opinion too many websites want the user to have an account. Yes, they can resell the information they gather and have a revenue stream. In my case, if the site is one that I do not think I will ever visit again then I do one of two things. 1. Use fictitious information ([email protected]). 2. Use some standard login and passwords so I can remember it. The latter practice is what causes problems. If you only had a half dozen accounts then remembering would not be a chore but with literally hundreds of accounts then the human mind demands simplification.

I want websites to allow me to do business without an account. I am willing to enter my name, address and phone number each time in trade for the merchant not storing anything.

Finally, as far as two-factor authentication, it may be technically secure but I do not need another device or application that I need to protect. If I lose my cell phone then I would have to spend days reconstructing accounts. That is too high a price. The cheaper price is not having accounts.