I’ve spent a few hours reviewing the Cisco Annual Security Report for 2014 and some of the data contained in it just isn’t interesting, but extraordinary. I’ve excerpted parts of it here with comments (my comments are in italics):
Java comprises 91 percent of web exploits; 76 percent of companies using Cisco Web Security services are running Java 6, an end-of-life, unsupported version – This is a huge problem for organisations, particularly given that many of the Java exploits are due to older versions and updating Java across a computer fleet is difficult and fraught with challenges.
Ninety-nine percent of all mobile malware in 2013 targeted Android devices. Android users also have the highest encounter rate (71 percent) with all forms of web-delivered malware – Android devices are becoming more ‘trusted’ in organisations rather than the ‘walled garden’ iOS environment. With the enclosed ecosystem at Apple comes security so I’m not sure why corporations who are security conscious would be considering Android? It’s potentially a cost issue as iOS devices are generally much more expensive, but it’s easy to see this is false economy due to the security risks.
There should be an assumption by all users, perhaps, that nothing in the cyber world can or should be trusted – I’m intrigued what we can do in the industry around getting this point across to users, it’s still apparent to me that people who wouldn’t dream of letting someone in their front door without checking all information about them freely invites them into their computer world where there is arguably more information available about a person (banking, tax etc).
- Cisco defines the primary security concerns for 2014 as:
- Greater Attack Surface – Data is the prize that most attackers are after, either personal data or information about the environment for further attacks, a staggering statistic – 100 percent of business networks analyzed by Cisco have traffic going to websites that host malware – do you know what’s going on in your network? If the companies analysed skew towards Fortune 500 as most Cisco clients, what chance do SMEs have at securing their networks? The two questions Cisco suggest asking are:
– Where is our critical data?
– How do we create a secure environment to protect that data, particularly when Cloud and Mobility leaves us with little control over it?
2. Proliferation and Sophistication of the attack model – The vectors for attack are numerous and the surface area is huge, the weakest part of your network is where attackers are focusing (usually endpoints) but always with the goal of accessing data residing in datacentres or computing centres. Segration of networks will become key to securing data in the future.
3, Complexity of threats and solutions – Gone are the days when spam blockers and antivirus software could help guard an easily defined network perimeter from most threats. Today’s networks go beyond traditional boundaries, and constantly evolve and spawn new attack vectors: mobile devices, web-enabled and mobile applications, hypervisors, social media, web browsers, home computers, and even vehicles. Point-in-time solutions can’t respond to the myriad technologies and strategies in use by malicious actors – Agree with this point wholeheartedly, in the past all we really needed to worry about was securing our networks from outside at the perimeter level and securing endpoints. The endpoint types have now become myriad and securing them is often impossible, it’s apparent that the majority of security now needs to occur at the network level in order to be effective.
- Spam volume is down however malicious spam doesn’t appear to be decreasing – Spammers are increasingly using public interest stories (such as the Boston bombing) to drive traffic to malicious websites. Again, how do we stop users from accessing this data given the speed at which spammers can register domains, create fake websites and spam out?
- Java provides an attack vector too large to ignore, 97 percent of enterprise desktops run Java, as do 89 percent of desktop computers overall in the United States – When will Adobe address the inherent risks of Java? Or when will sysadmins demand that Java just isn’t installed on corporate desktops? We surely mustn’t be far away from this time given the risk and depth of the issue?
Today’s security teams are grappling with the “any-to-any problem”: how to secure any user, on any device, located anywhere, accessing any application or resource – MDM is just one part of this problem (although a growing one), how do we secure BYOD at the network level and more importantly accessing corporate applications that are required for people to be productive in their employment? Loss and targeted theft of devices also causes challenges for businesses, particularly ones that haven’t encrypted information on their mobile devices or don’t enforce security on the mobile devices. Given the privacy act amendments I’d suggest that mobile devices will be one of the first ports of call for attackers seeking to compromise corporate networks.
- Attackers are targeting specific, high value industries via a number of ways to potentially infect – these industries are electronic manufacturing, pharmaceutical and chemical industries. However it’s important to note that other previously low risk industries (such as mining and agriculture) are also rising as those industries value increases – I’ve actually heard from customers that no-one would want to see the data they keep so why should they be concerned about securing it (in a more than cursory fashion) – anywhere there is money, attackers are interested, so if your business is making money, I’d be worried about security.
- Hosting partners, DNS Namespace providers and Infrastructure as a Service providers are increasingly becoming the focus of attacks due to the fact that once they are compromised, compromising other customers of this provider or using their services to deliver more malware is simple. One compromised server in a large hosting provider could essentially compromise hundreds or thousands of websites. – How secure is your hosting provider? What tools and protection do they have in place at even the hypervisor level to ensure they won’t be compromised?
All organizations should assume they’ve been hacked, or at least agree that it’s not a question of if they will be targeted for an attack, but when … and for how long. – This is demonstrated by the fact that 100% of business networks monitored by Cisco have traffic going to malicious websites, it would be naïve to assume that most businesses have not been compromised. Organisations should review what data is going across and out of their networks in order to understand potential compromises.
- Brute force logins are the number one way websites are compromised – Security logging /alerting, lockout policies and complex password enforcement on any public facing platforms is essential to ensure that brute force attacks are difficult to succeed.
- DDOS Attacks are increasing in volume and severity – Most businesses that are usually subject to these sort of attacks have already invested in infrastructure to mitigate these attacks, however with the growth of the Internet of Everything and ever increasing bandwidth available organisations should prepare for longer and stronger attacks which may bring previously adequate protection to it’s knees. We’ve also seen that industries that traditionally wouldn’t be targets are becoming targets for a variety of reasons, particularly sites that allow users to comment or ‘flame’ each other which may invite ‘payback’ from people with the means to do so.
- Ransomware is still a concern and still a major source of revenue for cybercriminals – We’ve actually seen a lot of Ransomware attempts on our customers, which we’ve mitigated through client and server side AV which allows us to ‘undo’ the changes made by these encrypted type Ransomware software (e.g Cryptolocker), however this isn’t going away as a challenge to organisations.
- Security talent gap – Most organisations don’t have the skills and experience to protect themselves from sophisticated cyber-criminals. There appears to be a shortfall of security professionals, particularly those with ‘white-hat’ type skills. Organisations that can’t source appropriate talent, or aren’t big enough to, should partner with organisations who have strong security focus to round out that skill shortage.
- Cloud is the new perimeter – With the moving of the ‘edge’ to the cloud, organisations are often at the mercy of their cloud providers security model which may not be in-step with the internal expectation of security process. What questions are you asking your cloud provider on their security process, disclosure policy and patching policy? Is it backended with the business expectation of security?
The Cisco Annual Security Report is available at: http://www.cisco.com/web/offers/lp/2014-annual-security-report/index.html?keycode=000350063 and I heartily recommend downloading it and reviewing it for your own purposes, it’s a bit wordy but certainly valuable to all organisations.