Delusion about cyber security growing, says Cisco report

The gulf between perception and reality of cyber security readiness is widening, according to the Cisco 2015 Annual Security Report


A Cisco benchmark revealed 90% of respondents said they were confident in their cyber security capabilities, yet 60% are not patching software and systems, while only 10% are running the latest version of Microsoft’s Internet Explorer.

The survey of security executives at 1,700 companies in the UK and eight other countries also showed that, while 75% of chief information security officers see their security tools as very or extremely effective, fewer than 50% of respondents use standard tools such as patching and configuration management to help prevent security breaches and ensure they are running the latest versions.

Cisco chief security and trust officer John Stewart said the results show the gap has got to close between those who think they are on the right track and those who do not.  

“Grounded in all data and reality, the separation between leadership and operations cannot continue,” he said.

Heartbleed was the landmark vulnerability in 2014, yet 56% of all installed OpenSSL versions are more than four years old, which is a strong indicator that security teams are not patching, the report said.

“While many defenders believe their security processes are optimised – and their security tools are effective – in truth, their security readiness likely needs improvement,” the report said.

The report, which examines both threat intelligence and cyber security trends, revealed attackers have become more proficient at taking advantage of gaps in security to evade detection and conceal malicious activity.

Defenders must improve approach to protection

Defenders must be constantly improving their approach to protect their organisation from these increasingly sophisticated cyber attack campaigns, the report said.  

According to Cisco, these issues are further complicated by the geopolitical motivations of the attackers and conflicting requirements imposed by local laws with respect to data sovereignty, data localisation and encryption. 

Cyber criminals are expanding their tactics and adapting their techniques to carry out cyber attack campaigns in ways that make it harder to detect and analyse, the report said.

The top three trends in 2014 are identified as snowshoe spam, web exploits hiding in plain sight and malicious combinations.

Snowshoe spam, which sends low volumes of spam from a large set of IP addresses to avoid detection and creates an opportunity to use compromised accounts in multiple ways, emerged as a preferred strike method in 2014, the report said.
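The snowshoe tactic works precisely because per-sender volume thresholds never trip. The following is an added example (not code from the Cisco report) of a defender-side heuristic that aggregates a mail gateway's log by message fingerprint rather than by source IP, so a campaign spread thinly across many addresses still stands out. The log format, the `fp=` content-fingerprint field and all IP addresses are constructed for the example; real gateways log differently.

```python
"""Snowshoe spam detection heuristic (added example, constructed data)."""
import re
from collections import Counter, defaultdict

# Assumed gateway log format: "<timestamp> src=<ip> fp=<content fingerprint>"
# where fp is a hash of the normalised subject/body that the gateway computed.
LINE_RE = re.compile(r'^(\S+)\s+src=(\d+\.\d+\.\d+\.\d+)\s+fp=(\w+)')

# Constructed sample: campaign s1 spread over 8 IPs at 1-2 messages each,
# a classic bulk spammer (b1) from a single IP, and ordinary mail (l1, l2).
SAMPLE_LOG = """\
2014-11-03T09:00:01 src=198.51.100.1 fp=s1
2014-11-03T09:00:04 src=198.51.100.2 fp=s1
2014-11-03T09:00:09 src=198.51.100.3 fp=s1
2014-11-03T09:00:12 src=198.51.100.3 fp=s1
2014-11-03T09:00:15 src=198.51.100.4 fp=s1
2014-11-03T09:00:20 src=198.51.100.5 fp=s1
2014-11-03T09:00:24 src=198.51.100.6 fp=s1
2014-11-03T09:00:31 src=198.51.100.7 fp=s1
2014-11-03T09:00:38 src=198.51.100.8 fp=s1
2014-11-03T09:01:00 src=203.0.113.5 fp=b1
2014-11-03T09:01:01 src=203.0.113.5 fp=b1
2014-11-03T09:01:02 src=203.0.113.5 fp=b1
2014-11-03T09:01:03 src=203.0.113.5 fp=b1
2014-11-03T09:01:04 src=203.0.113.5 fp=b1
2014-11-03T09:01:05 src=203.0.113.5 fp=b1
2014-11-03T09:02:00 src=192.0.2.10 fp=l1
2014-11-03T09:05:00 src=192.0.2.10 fp=l1
2014-11-03T09:07:00 src=192.0.2.11 fp=l2
"""


def parse_log(text):
    """Return a list of (source_ip, fingerprint) tuples, skipping unparsable lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append((m.group(2), m.group(3)))
    return records


def volume_alerts(records, per_ip_threshold=5):
    """Classic rule: flag any single source IP sending more than the threshold."""
    counts = Counter(ip for ip, _ in records)
    return {ip for ip, n in counts.items() if n > per_ip_threshold}


def snowshoe_alerts(records, min_distinct_ips=5, max_per_ip=2):
    """Snowshoe rule: flag a fingerprint seen from many IPs at low volume each.

    Returns {fingerprint: sorted list of source IPs} for every campaign that
    touches at least min_distinct_ips addresses with no address exceeding
    max_per_ip messages, i.e. exactly the shape the per-IP rule cannot see.
    """
    per_fp = defaultdict(Counter)
    for ip, fp in records:
        per_fp[fp][ip] += 1
    alerts = {}
    for fp, ip_counts in per_fp.items():
        if len(ip_counts) >= min_distinct_ips and max(ip_counts.values()) <= max_per_ip:
            alerts[fp] = sorted(ip_counts)
    return alerts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("per-IP volume alerts:", volume_alerts(recs))
    print("snowshoe campaigns:", snowshoe_alerts(recs))
```

Run against the sample, the per-IP rule only catches the bulk sender at 203.0.113.5, while the fingerprint-level rule surfaces campaign s1 and the eight addresses behind it, which is the list a defender would feed into blocklisting or reputation tooling. The thresholds are illustrative; tune `min_distinct_ips` and `max_per_ip` to the gateway's normal traffic so that legitimate bulk mail relayed through several servers is not flagged.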

And because widely-used exploit kits are getting dismantled by security companies in short order, online criminals are turning to less common kits to avoid detection.

Similarly, because of advances in security detection and defence against attacks exploiting weaknesses in Adobe Flash and JavaScript, attackers have adapted by deploying exploits which combine their respective weaknesses.

According to the report, sharing exploits over two different files – one Flash and one JavaScript – can make it more difficult for security devices to identify and block the exploit, and to analyse it with reverse engineering tools.

Users unknowingly aiding cyber attacks

Another trend identified by the report is that users are getting caught in the middle. Not only are they the targets, but users are unknowingly aiding cyber attacks, the report said.

Throughout 2014, Cisco threat intelligence research revealed attackers have increasingly shifted their focus from seeking to compromise servers and operating systems to seeking to exploit users at the browser and email level.

Users downloading from compromised sites contributed to a 228% increase in Silverlight attacks along with a 250% increase in spam and malvertising exploits, the report said.


“Security needs an ‘all hands on deck’ approach, where everybody contributes, from the board room to individual users,” said Stewart.

“We used to worry about DoS [denial of service], now we also worry about data destruction. We once worried about IP theft, now we worry about critical services failure,” he added.

Stewart said adversaries are increasingly proficient, exploit weaknesses and hide their attacks in plain sight.

“Security must provide protection across the full attack continuum and technology must be bought that is designed and built with that in mind,” he said.

Stewart said organisations need to build a capability to detect and contain attacks quickly to ensure as little impact as possible on critical services.

He said online services must be run with resiliency in mind, and all of these moves must happen now to tip the scales in favour of the defenders. 

“It requires leadership, cooperation, and accountability like never seen before in our industry,” he said.

Stewart said if attacks are on critical systems, organisations should not try to deal with them alone, but engage with professional networks and law enforcers to help.

“If there is a serious problem, the executive community has got to know, the board has got to know and law enforcement should be engaged, along with other companies who may have fought off similar attacks,” he said.

Cisco's security manifesto

The report concluded it is time for corporate boards to take a role in setting security priorities and expectations and recommended implementing Cisco’s security manifesto.

According to the report, this formal set of security principles, intended as a foundation for achieving security, can help corporate boards, security teams and users in an organisation better understand and respond to cyber security challenges.

The principles can also serve as a baseline for organisations as they strive to become more dynamic in their approach to security, and more adaptive and innovative than adversaries, the report said.

Cisco’s five security principles state that security must:

  • support the business;
  • work with existing architecture and be usable;
  • be transparent and informative;
  • enable visibility and appropriate action;
  • be viewed as a people problem.
