{"id":29574,"date":"2019-10-08T16:00:58","date_gmt":"2019-10-08T16:00:58","guid":{"rendered":"https:\/\/www.microsoft.com\/security\/blog\/?p=89964"},"modified":"2019-10-08T16:00:58","modified_gmt":"2019-10-08T16:00:58","slug":"how-to-avoid-getting-caught-in-a-groundhog-day-loop-of-security-issues","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/how-to-avoid-getting-caught-in-a-groundhog-day-loop-of-security-issues\/","title":{"rendered":"How to avoid getting caught in a \u201cGroundhog Day\u201d loop of security issues"},"content":{"rendered":"
<\/div>\n

It\u2019s Cyber Security Awareness Month and it made me think about one of my favorite movies, called Groundhog Day<\/em>. Have you ever seen it? Bill Murray is the cynical weatherman, Phil Connors, who gets stuck in an endless loop where he repeats the same day over and over again until he \u201cparticipates in his own rescue\u201d by becoming a better person.<\/p>\n

Sometimes it can feel like we\u2019re caught in our own repetitious loops in cybersecurity\u2014I even did a keynote at RSA APJ<\/a> on this very topic a few years ago. The good news is that we can get out of the loop. By learning lessons from the past and bringing them forward and applying them to today\u2019s technologies, outcomes can be changed\u2014with \u201cchange\u201d being the operative word.<\/p>\n

If companies continue to do things the same way\u2014in insecure ways\u2014attackers will come along and BOOM you\u2019re in trouble. You may resolve that breach, but that won\u2019t help in the long run. Unless the source of the problem is determined and changed, just like Phil Connors, you\u2019ll wake up one day and BOOM\u2014you\u2019re attacked again.<\/p>\n

How security experts can help organizations protect against cybercrime<\/h3>\n

We can learn from past mistakes.<\/strong> And to prove it, I\u2019d like to cite a heartening statistic. Ransomware encounters decreased by 60 percent between March 2017 and December 2018<\/a>. While attackers don\u2019t share the specifics about their choice of approach, when one approach isn\u2019t working, they move to another. After all, it\u2019s a business\u2014in fact it\u2019s a successful (and criminal) business\u2014bringing in nearly $200 billion in profits each year.1<\/sup> We do know that ransomware has less of chance of spreading on fully patched and well-segmented networks and companies are less likely to pay ransoms when they have up-to-date, clean backups to restore from. In other words, it\u2019s very likely that robust cybersecurity hygiene is an important contributor to the decrease in ransomware encounters. (See Lesson 1:<\/strong> Practice good cybersecurity hygiene<\/strong> below.)<\/p>\n

The bad news of course is that attackers began to shift their efforts to crimes like cryptocurrency mining, which hijacks victims\u2019 computing resources to make digital money for the attackers.1<\/sup> But that\u2019s because cybercriminals are opportunists and they\u2019re always searching for the weakest link.<\/p>\n

One of the best ways to thwart cybercrime is to involve security experts before deploying new products and\/or services.<\/strong> A decade ago, this wasn\u2019t typically done in many organizations. But with the rise of security awareness as part of the overall corporate risk posture, we\u2019re seeing security involved early on in deployments of modern architectures, container deployments, digital transformations, and DevOps.<\/p>\n

When security experts connect the wisdom of the past\u2014such as the importance of protecting data in transit with encryption\u2014to the technology rollouts of today, they can help organizations anticipate what could go wrong. This helps you bake controls and processes into your products and services before deployment. The people who have already learned the lessons you need to know can help so you don\u2019t wake up to the same problems every (well, almost) day. When security experts carry those lessons forward, they can help end your Groundhog Day.<\/p>\n

In addition, involving security experts early on doesn\u2019t have to slow things down. They can actually help speed things up and prevent backtracking later in the product development cycle to fix problems missed the first time around.<\/p>\n

Security can help anticipate problems and produce solutions before they occur.<\/strong> When Wi-Fi networking was first being deployed in the late 1990s, communications were protected with Wired Equivalent Privacy (WEP). But WEP suffered from significant design problems<\/a> such as the initialization vector (IV) being part of the RC4 encryption key that were already known issues in the cryptographic community. The result was a lot of WEP crackers<\/a> and the rapid development of the stronger Wi-Fi Protected Access<\/a> (WPA) set of protocols. If designers had worked with crypto experts, who already had designed a solution free of known issues, time, money, and privacy could have been saved.<\/p>\n

Traditional technology thinks about \u201cuse\u201d cases. Security thinks about \u201cmisuse\u201d cases. Product people focus on the business and social benefits of a solution. Security people think about the risks and vulnerabilities by asking these questions:<\/p>\n