Report: Companies Still Not Patching Security Vulnerabilities

Cisco 2015 Annual Security Report

The Cisco 2015 Annual Security Report shows that CISOs and other security personnel are confident in their strategies even though they are not patching.

The Cisco 2015 Annual Security Report is out and the findings are as troubling as ever: for every positive finding in the report, it seems, there is a negative one that neutralizes any gains in the network security struggle.

Chief information security officers say their security postures are strong while also admitting they do not install patches. Spam, which has been on the decline for years, increased by 250 percent from January through November. And while Java, once a favorite exploit platform, gets harder and harder to compromise, attackers have simply moved on to new targets such as Silverlight.

Jason Brvenik, principal engineer of Cisco's Security Business Group, explained that the uptick in spam is due in large part to a shift in tactics. Instead of hundreds of thousands of messages coming from a single server, he explained, we are seeing a few messages each coming from thousands of accounts. The tactic is known as "snowshoe spam" because the weight of the spam operation is distributed widely across compromised accounts, so no single source sends enough volume to trip per-sender reputation or rate limits. He went on to explain that these accounts also give their controllers more opportunity to launch phishing campaigns.
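The following is an added example, not code from the Cisco report or from Threatpost, that shows why a per-source volume threshold misses the snowshoe pattern Brvenik describes and what a campaign-level grouping catches instead. The log format (`src_ip sender subject`), the addresses, the subjects and the thresholds are all constructed for illustration; the normalisation of subjects into a campaign template is a simplified stand-in for the fuzzy content fingerprints a real mail filter would use.

```python
"""Added example (not from the Cisco report or Threatpost): per-source
volume thresholds versus campaign-level clustering for snowshoe spam.
All log lines, addresses and thresholds below are constructed."""
from collections import Counter, defaultdict
import re


def build_sample_log():
    """Constructed mail log, one line per message: '<src_ip> <sender> <subject>'."""
    lines = []
    # Campaign A: classic bulk run, 300 messages from a single server.
    for i in range(300):
        lines.append(f"198.51.100.7 promo{i}@bulk.example Cheap watches, order {i}")
    # Campaign B: snowshoe, only 2 messages from each of 150 distinct hosts,
    # with a per-message counter in the subject to defeat exact matching.
    for i in range(150):
        for k in range(2):
            lines.append(f"203.0.113.{i + 1} acct{i}@mail{i}.example "
                         f"Your invoice {1000 * i + k} is ready")
    # Legitimate traffic: a handful of hosts, one message each.
    for i in range(20):
        lines.append(f"192.0.2.{i + 1} user{i}@corp.example Re: meeting notes {i}")
    return lines


def per_source_counts(lines):
    """Messages per sending IP."""
    return Counter(line.split(" ", 2)[0] for line in lines)


def flag_by_source_volume(lines, threshold=100):
    """Classic per-IP reputation: flag sources that exceed a volume threshold."""
    return {ip for ip, n in per_source_counts(lines).items() if n > threshold}


def campaign_key(subject):
    """Collapse a subject into a campaign template: lower-case, digits replaced,
    so per-message counters do not split one campaign into many."""
    return re.sub(r"\d+", "#", subject.lower()).strip()


def campaign_clusters(lines):
    """Map campaign template -> Counter of source IPs that sent it."""
    clusters = defaultdict(Counter)
    for line in lines:
        ip, _sender, subject = line.split(" ", 2)
        clusters[campaign_key(subject)][ip] += 1
    return clusters


def flag_snowshoe(lines, min_sources=50, max_per_source=5):
    """Flag campaigns spread thinly: many distinct sources, each sending only a
    few messages, which is exactly the shape a per-IP threshold cannot see."""
    flagged = set()
    for key, sources in campaign_clusters(lines).items():
        if len(sources) >= min_sources and max(sources.values()) <= max_per_source:
            flagged.add(key)
    return flagged


if __name__ == "__main__":
    log = build_sample_log()
    print("per-source volume flags:", flag_by_source_volume(log))
    print("snowshoe campaigns:", flag_snowshoe(log))
```

Run as written, the per-source check flags only the bulk server, while the snowshoe campaign (150 hosts, two messages each) is invisible to it and is surfaced only by grouping on the campaign template. In production the grouping key would be a fuzzy hash of the body or URL set rather than a digit-stripped subject, and the source count would be weighted by network or ASN so that one /24 does not look like 150 independent senders.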

Nine out of 10 security chiefs express confidence in their strategies, but, according to the available data and survey results, they are doing a poor job of deploying security updates. Some 75 percent of the CISOs surveyed at 1,700 companies rated their tools as very or extremely effective. However, fewer than 50 percent of respondents use standard tools such as patch and configuration management to help prevent breaches and ensure that they are running current software versions. Indeed, 40 percent of respondents admitted they are not patching, and 54 percent have had to manage public scrutiny following a security breach.

Beyond the survey results, and despite the high-profile nature of Heartbleed, Cisco found that 56 percent of installed OpenSSL versions are more than 50 months old, which it calls a strong indicator that security teams are not patching. (Heartbleed itself, CVE-2014-0160, affected only OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1; the older branches that make up most of those 50-month-old installs never implemented the TLS heartbeat extension, so their age is evidence of neglect rather than of Heartbleed exposure specifically.) End users are no better: only 10 percent of Internet Explorer users are running the most recent version of Microsoft's browser. Even with browsers that update automatically, such as Chrome, Brvenik said, we still aren't seeing 100 percent patch penetration. Cisco is seeing higher adoption of detect-and-quarantine than of patching as a defense, he said.
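The following is an added example, not Cisco's or Threatpost's code, of the check a practitioner would actually run against the OpenSSL finding above: take the banner printed by `openssl version`, decide whether that build falls in the Heartbleed-affected range (1.0.1 through 1.0.1f, plus 1.0.2-beta1), and compute how many months old the release is against a reference date. The banners in the sample list are constructed for illustration, and the reference date of 30 Nov 2014 is an assumption chosen to match the report's January-through-November window.

```python
"""Added example (not from the Cisco report or Threatpost): classify an
`openssl version` banner for Heartbleed (CVE-2014-0160) exposure and compute
the release's age in months. Heartbleed affected only OpenSSL 1.0.1..1.0.1f
and 1.0.2-beta1; 0.9.8 and 1.0.0 never implemented the heartbeat extension."""
import re
from datetime import date, datetime

# Matches e.g. "OpenSSL 1.0.1e-fips 11 Feb 2013" or "OpenSSL 1.0.2-beta1 24 Feb 2014".
BANNER_RE = re.compile(
    r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-([\w.]+))?\s+(\d{1,2} [A-Za-z]{3} \d{4})"
)


def parse_banner(banner):
    """Return (major, minor, patch, letters, suffix, release_date), or None."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    letters = m.group(4)            # e.g. "e" in 1.0.1e, "" for a bare 1.0.1
    suffix = m.group(5) or ""       # e.g. "fips" or "beta1"
    released = datetime.strptime(m.group(6), "%d %b %Y").date()
    return major, minor, patch, letters, suffix, released


def heartbleed_vulnerable(banner):
    """True if the upstream version in the banner is in the affected range."""
    parsed = parse_banner(banner)
    if parsed is None:
        raise ValueError(f"unrecognised banner: {banner!r}")
    major, minor, patch, letters, suffix, _ = parsed
    if (major, minor, patch) == (1, 0, 1):
        return letters <= "f"       # 1.0.1 .. 1.0.1f affected; fixed in 1.0.1g
    if (major, minor, patch) == (1, 0, 2):
        return suffix == "beta1"    # fixed in 1.0.2-beta2
    return False                    # 0.9.8, 1.0.0 and later branches unaffected


def months_old(banner, as_of):
    """Whole months between the banner's release date and `as_of`."""
    released = parse_banner(banner)[5]
    months = (as_of.year - released.year) * 12 + (as_of.month - released.month)
    if as_of.day < released.day:
        months -= 1
    return months


def report(banners, as_of, stale_after=50):
    """One row per banner: (banner, heartbleed_vulnerable, months_old, stale)."""
    return [(b, heartbleed_vulnerable(b), months_old(b, as_of),
             months_old(b, as_of) > stale_after) for b in banners]


# Constructed sample banners (dates as printed by the respective releases).
SAMPLE_BANNERS = [
    "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "OpenSSL 1.0.1g 7 Apr 2014",
    "OpenSSL 0.9.8y 5 Feb 2013",
    "OpenSSL 1.0.0 29 Mar 2010",
    "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "OpenSSL 1.0.2-beta2 22 Jul 2014",
]
AS_OF = date(2014, 11, 30)  # assumed reference date matching the report window

if __name__ == "__main__":
    for banner, vuln, months, stale in report(SAMPLE_BANNERS, AS_OF):
        print(f"{banner:36} heartbleed={vuln!s:5} age={months:3}mo stale={stale}")
```

Two caveats apply in practice. Distribution vendors backport fixes without changing the upstream version string, so a Debian or Red Hat build whose banner reads 1.0.1e may already be patched; confirm against the package changelog or with a heartbeat probe rather than trusting the banner. And `openssl version` reports the command-line binary, which is not necessarily the library a given daemon has loaded; check the daemon's mapped libraries as well.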

Clearly, Brvenik told Threatpost, there is a gap between policies and behavior. Worse, the report shows that ordinary users and even IT teams are often unwitting participants in the security problem.

Java attacks decreased by 34 percent over the year while Silverlight attacks increased by 280 percent. Throughout 2014, Cisco says, its threat intelligence research found attackers shifting their focus away from servers and operating systems and toward client-side software, reached through users downloading content from compromised sites; that shift is what drove the surge in Silverlight attacks.

Furthermore, as popular exploit kits like Blackhole become more thoroughly understood by researchers, criminals are relying more heavily on alternative exploit kits that are harder to detect. Similarly, as Adobe Flash and JavaScript, both historically insecure, are hardened, attackers are combining the remaining weak points in the two: Flash malware can now interact with JavaScript to hide malicious activity by splitting an exploit across two files, one Flash and one JavaScript, so that neither file carries the whole exploit. This type of blended attack, the report says, is very hard to detect.

The bottom line, Brvenik suggested, is that attackers are getting more proficient. The boardroom, he went on, has an increasingly important role to play: security must be treated as a critical component of business success. This year in particular, with prominent and costly breaches at companies such as Target, Sony and The Home Depot, has shown that security incidents have a direct impact on business operations.

“Security traditionally has been a function of IT,” he said. “It needs to move up the stack into a function of business.”

One of the key points of the Cisco report is that security must support the business, work with existing architecture, and be usable, transparent and informative; it must enable visibility and appropriate action and be viewed as a “people problem.” Technologies can’t require experts to be usable, Brvenik explained.

He went on to explain that users need to see and understand security rather than view it as a barrier to productivity. When users are blocked from a site they consider relevant to their work and see only a vague warning, they will simply go home and reach the site from their home network, Brvenik said; if they are compromised there, the attackers can then move laterally onto the work network. Instead, users should see specific warnings, such as, “You are being blocked from accessing this site because it has served malware in the last 48 hours. Please try back tomorrow.”

Users need to understand the importance and impact of security, Brvenik said. Traditionally we have tried to shield customers from the complexities of security, he said, and “I think that works against us.”

“Security is now the responsibility of everyone within an organization, from the board room to individual users,” said John N. Stewart, the chief security and trust officer at Cisco. “Security leaders and practitioners need the support of the entire business to combat malicious actors who are increasing in their proficiencies to exploit weakness and hide their attacks in plain sight. To protect organizations against attacks across the attack continuum, CISOs need to ensure that their teams have the right tools and visibility to create a strategic security posture, as well as educate users to aid in their own safety and the safety of the business.”

Discussion

  • Swashbuckler on

    "56 percent of installed OpenSSL versions are more than 50 months old, and therefore remain vulnerable to Heartbleed" Seems highly unlikely as Heartbleed only affected 1.0.1 and the vast, vast majority of installed versions of OpenSSL are 0.9.8.
  • CISO on

    Do you really think patching is the CISO's responsibility? None of the systems and software installed on them are. When building a system and putting it into production, shouldn't it be secured by default? This work is under the CIO. Shouldn't owners of the systems be required to define how often patches are installed? It's their risk. The CIO should have IT security personnel to help with all this. The CISO isn't in that organization (hopefully) since there is a clear conflict of interests. The CISO should assure that patching is defined and processed as it should be. The CIO's personnel do the rest.
  • CISO on

    I need to add that the CIO is also responsible for having such a CMDB or Asset Management in place that you can find system owners and know where the organization has the particular vulnerable software in use. I haven't yet worked in such an organization where we would have even parts of these in place. How much money goes to waste when you don't have these for several other processes than patching, like the damn ITIL ones.
