The Cisco 2015 Annual Security Report is out and the findings are troubling as always: for every positive finding in the report, it seems, there is a negative finding, neutralizing any gains in the network security struggle.
Chief information security officers say their security postures are strong while also admitting they do not install patches. Spam, which has been on the decline for years, increased by 250 percent from January through November. And while Java, once a favorite exploit platform, gets harder and harder to compromise, attackers have simply moved on to new targets such as Silverlight.
Jason Brvenik, the principal engineer of Cisco’s Security Business Group, explained that upticks in spam are due in large part to a shift in tactics. Instead of hundreds of thousands of messages coming from a single server, he explained, we are seeing a few messages coming from thousands of accounts. The tactic is known as “snowshoe spam,” because the weight of the spam operation is spread widely across compromised accounts, the way a snowshoe spreads a walker’s weight across the snow. He went on to explain that these spam accounts also offer their controllers more opportunity to launch phishing campaigns.
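The shift Brvenik describes changes what a mail gateway has to look for: per-source volume thresholds catch a single server sending tens of thousands of messages, but a snowshoe campaign stays under them on every account. The script below is an added example, not code from the report or from Cisco; it groups constructed gateway log lines by a normalized subject, then tells a campaign spread thinly across many sources apart from a single-source burst. The log format, the field names and the thresholds are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample mail-gateway log lines (illustrative; not taken from the report).
# Assumed format: ISO timestamp, from=<address>, ip=<source>, subject="<text>".
SAMPLE_LOG = """\
2015-01-20T10:00:01 from=a1@mail-a.example ip=203.0.113.10 subject="Your invoice is ready"
2015-01-20T10:00:05 from=b7@mail-b.example ip=198.51.100.22 subject="Your Invoice is ready"
2015-01-20T10:00:09 from=c3@mail-c.example ip=192.0.2.45 subject="your invoice is ready!"
2015-01-20T10:00:12 from=d9@mail-d.example ip=203.0.113.77 subject="Your invoice is ready"
2015-01-20T10:00:15 from=e2@mail-e.example ip=198.51.100.90 subject="Your invoice is ready"
2015-01-20T10:00:20 from=f5@mail-f.example ip=192.0.2.130 subject="YOUR INVOICE IS READY"
2015-01-20T10:00:25 from=f5@mail-f.example ip=192.0.2.130 subject="Your invoice is ready"
2015-01-20T10:01:00 from=bulk@single.example ip=203.0.113.200 subject="Cheap meds"
2015-01-20T10:01:01 from=bulk@single.example ip=203.0.113.200 subject="Cheap meds"
2015-01-20T10:01:02 from=bulk@single.example ip=203.0.113.200 subject="Cheap meds"
2015-01-20T10:01:03 from=bulk@single.example ip=203.0.113.200 subject="Cheap meds"
2015-01-20T10:01:04 from=bulk@single.example ip=203.0.113.200 subject="Cheap meds"
2015-01-20T10:01:05 from=bulk@single.example ip=203.0.113.200 subject="Cheap meds"
2015-01-20T10:05:00 from=alice@corp.example ip=203.0.113.5 subject="Lunch tomorrow?"
"""

LINE_RE = re.compile(r'^\S+ from=(?P<sender>\S+) ip=(?P<ip>\S+) subject="(?P<subject>.*)"$')


def parse_line(line):
    """Return the sender, source IP and subject of one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def normalize_subject(subject):
    """Collapse case, punctuation and spacing so per-message variations map to one campaign key."""
    return " ".join(re.sub(r"[^a-z0-9 ]", "", subject.lower()).split())


def classify_campaigns(log_text, min_sources=5, max_per_source=2, burst_threshold=5):
    """Label each subject cluster as 'snowshoe', 'single-source' or 'normal'.

    snowshoe:      at least `min_sources` distinct (sender, ip) pairs, none sending
                   more than `max_per_source` messages, so no single source trips a rate limit.
    single-source: one source sends at least `burst_threshold` messages (the classic pattern).
    """
    per_campaign = defaultdict(lambda: defaultdict(int))  # subject -> (sender, ip) -> count
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        per_campaign[normalize_subject(rec["subject"])][(rec["sender"], rec["ip"])] += 1

    verdicts = {}
    for subject, sources in per_campaign.items():
        heaviest = max(sources.values())
        if len(sources) >= min_sources and heaviest <= max_per_source:
            verdicts[subject] = "snowshoe"
        elif heaviest >= burst_threshold:
            verdicts[subject] = "single-source"
        else:
            verdicts[subject] = "normal"
    return verdicts


if __name__ == "__main__":
    for subject, verdict in classify_campaigns(SAMPLE_LOG).items():
        print("%-25s %s" % (subject, verdict))
```

The single-source rule alone would pass the invoice campaign through, since no account sends more than two messages; only the count of distinct sources behind one subject reveals it. In production the campaign key would normally be a fuzzy hash of the body or the URLs it carries rather than the subject, which spammers vary more freely.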
Nine out of 10 security chiefs express confidence in their strategies, but, according to available data and survey results, they are doing a poor job of deploying security updates. Some 75 percent of CISOs surveyed from 1,700 companies rated their tools as very or extremely effective. However, fewer than 50 percent of respondents use standard tools such as patch and configuration management to help prevent security breaches and ensure that they are running the latest software versions. Moreover, 40 percent of respondents admitted they are not patching, and 54 percent have had to manage public scrutiny following a security breach.
Beyond survey results, and despite the high-profile nature of Heartbleed, 56 percent of installed OpenSSL versions are more than 50 months old, and therefore remain vulnerable to Heartbleed, according to Cisco. That, they say, is a strong indicator that security teams are not patching. Standard users are no better: only 10 percent of Internet Explorer users are working with the most updated version of Microsoft’s browser. Even with browsers that update automatically, such as Chrome, Brvenik said, we still aren’t seeing 100 percent patch penetration. Brvenik claimed that Cisco is seeing a higher degree of adoption of detect-and-quarantine than of patching as a defense.
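The OpenSSL figure is the kind of thing a security team can measure on its own estate rather than take from a survey. The script below is an added example, not code from the report or from Cisco: it parses the banner that `openssl version` prints (version plus build date), flags builds in the upstream range that shipped Heartbleed (1.0.1 through 1.0.1f; 1.0.1g fixed it) and applies the report’s 50-month age criterion. The host inventory is constructed for the example. One caveat a practitioner needs: Linux distributions often backport the fix without changing the version letter, so a banner-only check overstates exposure and should be confirmed against the vendor’s package changelog or a scanner.

```python
import re
from datetime import date

# Constructed inventory of hosts with the banner each returned from `openssl version`
# (sample data for this example; hostnames are not from the report).
SAMPLE_INVENTORY = {
    "web-01": "OpenSSL 1.0.1e 11 Feb 2013",
    "web-02": "OpenSSL 1.0.1g 7 Apr 2014",
    "db-01":  "OpenSSL 0.9.8k 25 Mar 2009",
    "vpn-01": "OpenSSL 1.0.1j 15 Oct 2014",
}

BANNER_RE = re.compile(
    r"^OpenSSL (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?P<letter>[a-z]?)"
    r"\s+(?P<day>\d{1,2}) (?P<mon>[A-Z][a-z]{2}) (?P<year>\d{4})"
)
MONTHS = {name: i for i, name in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}


def parse_banner(banner):
    """Split an `openssl version` banner into (major, minor, patch, letter) and its build date."""
    m = BANNER_RE.match(banner.strip())
    if m is None:
        raise ValueError("unrecognised banner: %r" % banner)
    ver = (int(m.group("major")), int(m.group("minor")), int(m.group("patch")), m.group("letter"))
    built = date(int(m.group("year")), MONTHS[m.group("mon")], int(m.group("day")))
    return ver, built


def in_heartbleed_range(ver):
    """Upstream OpenSSL 1.0.1 through 1.0.1f carried the Heartbleed bug; 1.0.1g fixed it.

    An empty letter (plain 1.0.1) sorts before 'a', so it is correctly included.
    Backported distribution fixes are NOT detected here (see the caveat above).
    """
    major, minor, patch, letter = ver
    return (major, minor, patch) == (1, 0, 1) and letter <= "f"


def months_old(built, today):
    """Whole months between the build date and `today`; day-of-month is ignored."""
    return (today.year - built.year) * 12 + (today.month - built.month)


def assess(inventory, today, max_months=50):
    """Per host: parsed version, age in months, Heartbleed-range flag and a staleness flag."""
    report = {}
    for host, banner in inventory.items():
        ver, built = parse_banner(banner)
        age = months_old(built, today)
        report[host] = {
            "version": "%d.%d.%d%s" % ver,
            "months_old": age,
            "heartbleed_range": in_heartbleed_range(ver),
            "stale": age > max_months,   # the report's 50-month criterion by default
        }
    return report


if __name__ == "__main__":
    # Reference date chosen to match the report's publication period (January 2015).
    for host, result in assess(SAMPLE_INVENTORY, date(2015, 1, 20)).items():
        print(host, result)
```

Run against a real fleet, the two flags answer different questions: `heartbleed_range` identifies builds that need an upstream fix verified, while `stale` measures the patch-cadence problem the report is pointing at regardless of any one vulnerability.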
Clearly, Brvenik told Threatpost, there is a gap between policies and behavior. Problematically, the report illustrates that standard users and even IT teams are often unwitting participants in the security problem.
Java attacks decreased by 34 percent over the year, while Silverlight attacks increased by 280 percent. Throughout 2014, Cisco says, its threat intelligence research revealed that attackers are shifting their focus away from servers and operating systems; as more users download from compromised sites, Silverlight attacks have increased massively.
Furthermore, as popular exploit kits like Blackhole become more thoroughly understood by researchers, criminals are relying more heavily on alternative exploit kits that are harder to detect. Similarly, the historically insecure Adobe Flash and JavaScript are becoming more secure, so attackers are combining weak points in the two in order to exploit them. Flash malware can now interact with JavaScript to hide malicious activity by sharing an exploit between two different files: one Flash, one JavaScript. This type of blended attack, the report claims, is very hard to detect.
The bottom line, Brvenik suggested, is that attackers are getting more proficient. The boardroom, he went on, has an increasingly important role to play. Security must be considered as a critical component of business success. It’s been proven this year in particular (with prominent and costly breaches at companies like Target, Sony, The Home Depot and others) that security incidents have a direct impact on business operations.
“Security traditionally has been a function of IT,” he said. “It needs to move up the stack into a function of business.”
One of the key points of the Cisco report is that security must support the business and work with existing architecture; it must be usable, transparent and informative, enable visibility and appropriate action, and be viewed as a “people problem.”
Technologies can’t require experts to be usable, Brvenik explained.
He went on to explain that users need to see and understand security and not view it as a barrier to productivity. When a user is blocked from accessing a site they deem relevant to work and sees only a vague warning, they are just going to go home and access the site from their home network, Brvenik said. Then, if they get compromised at home, the attackers can move laterally onto the work network. Instead, users should see specific warnings, saying things like, “You are being blocked from accessing this site because it has served malware in the last 48 hours. Please try back tomorrow.”
Users need to understand the importance and impact of security, Brvenik said. Traditionally we have tried to shield customers from the complexities of security. I think that works against us, he said.
“Security is now the responsibility of everyone within an organization, from the board room to individual users,” said John N. Stewart, the chief security and trust officer at Cisco. “Security leaders and practitioners need the support of the entire business to combat malicious actors who are increasing in their proficiencies to exploit weakness and hide their attacks in plain sight. To protect organizations against attacks across the attack continuum, CISOs need to ensure that their teams have the right tools and visibility to create a strategic security posture, as well as educate users to aid in their own safety and the safety of the business.”