Risk
1/20/2016
05:00 PM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

IT Confidence Ticks Down

Cisco security report shows aging infrastructure no match for constantly advancing attack techniques.

IT confidence in its current cybersecurity protections dropped down a tick this past year in the face of aging infrastructure, rampant ransomware campaigns, and constant shifts in attack tactics from the bad guys.

So says the Cisco 2016 Annual Security Report, which showed that only 59 percent of organizations report that their security infrastructure is "very up to date," compared to 64 percent who reported the same last year. What's more, fewer than half of respondents say that they're confident in their security posture today.

The report took a look at attitudes and practices of more than 2,400 CSOs and security operations experts across the enterprise and midmarket, and combined that with analysis of Cisco's network of customer devices.

In addition to a dip in the ratio of organizations claiming up-to-date security infrastructure, the report shows that organizations continue to suffer from an inability to update its infrastructure. Approximately 92 percent of analyzed Internet devices are running known vulnerabilities and 31 percent of devices analyzed aren't even supported or maintained by their vendor.

Among the findings, Cisco reports that only about 9 percent of organizations have an IT security budget distinct from the overall IT budget, though at this point 98 percent have a department or team solely dedicated to security.

"Many organizations rely on network infrastructures built of components that are old, outdated, and running vulnerable operating systems—and are not cyber-resilient," the report noted, explaining that devices had 26 vulnerabilities on average.

In the report, Cisco also highlighted the growing threat to respondents and analyzed devices from increasingly sophisticated exploit kit and ransomware campaigns. In particular, the report dove into the activity of the highly prevalent and damaging Angler exploit kit, which 60 percent of the time delivered ransomware payloads. For example, Cisco researchers point to the July 2015 spike in Cryptowall 3.0 to activity from Angler. The firm estimates that criminals are making $34 million annually per ransomware campaign through Angler, with about 2.9 percent victims paying an average ransom of $300.

"The authors of Angler and other exploit kits have been quick to exploit 'patching gaps' with Adobe Flash—the time between Adobe’s release of an update and when users actually upgrade," the report stated. "Cisco threat researchers attribute the July 2015 spike to the Flash zero-day exploit CVE-2015-5119 that was exposed as part of the Hacking Team leaks."

The report took a look at a number of techniques attackers are using to exploit enterprises today. For example, with the rise of HTTPS traffic use, security tools are struggling to keep tabs on malware using encrypted communication across a diverse set of ports. Additionally, attackers are taking advantage of the DNS "blind spot" within organizations. Approximately 91 percent of malware used DNS to gain command and control, exfiltrate data and redirect traffic. As things stand, few organizations monitor DNS for security purposes if at all, the report says.

"Why is DNS a security blind spot for so many organizations?" the authors say. "A primary reason is that security teams and DNS experts typically work in different IT groups within a company and don’t interact frequently."

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/24/2016 | 2:14:42 PM
Re: Advanced?
Even aside from more offensive cybersecurity stances, there is a need for greater proactivity overall when it comes to InfoSec, security policies, and other related risk management issues.  The better prepared you are not only for prevent attacks but also for the eventual successful attack, the better able you are to prevent, lessen, or mitigate damage.
Christian Bryant
50%
50%
Christian Bryant,
User Rank: Ninja
1/24/2016 | 1:33:18 AM
Re: Advanced?
I would tend to agree that volume and availability of "old hat" techniques and tools is more a problem than innovation in the styles of intrusion programming.  However, this is just looking at the larger body of "common" attacks.  There is a whole new level of intrusion and data acquisition techniques, programming methodologies and experimental programming happening that Enterprise IT sorely needs to become acquainted with.  We imagine the most creative hacking occurs only when the targets are government, infrastructure and financial institutions, but in fact many of these programs and techniques are first put up against Enterprise IT during the early release and testing stages.

I still believe InfoSec needs to change its model to one of offense in addition to defense, and data analytics are a huge piece of setting that stage.  But then, there also needs to be a resource on the Security team that has strong coding chops and can improvise, innovate and meet the skills of the less mundane attacks.  Seeing the model change, seeing more confidence on the part of the InfoSec team with a level of aggression added with the offensive shift - these are things that might help improve IT confidence in their Security functions.

 
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/22/2016 | 11:03:24 PM
Advanced?
"constantly advancing attack techniques"

Are these attack techniques and kits really more advanced, though?  All that's happening here is that the kits are becoming more widely distributed as pricing makes them more available to less-skilled attackers.  The attacks themselves though -- the code -- are often based upon "old [black] hat" (heh) techniques.

This is why some researchers are now using predictive analytics to anticipate what future attacks will look like.
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Five Emerging Security Threats - And What You Can Learn From Them
At Black Hat USA, researchers unveiled some nasty vulnerabilities. Is your organization ready?
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
Cybercrime has become a well-organized business, complete with job specialization, funding, and online customer service. Dark Reading editors speak to cybercrime experts on the evolution of the cybercrime economy and the nature of today's attackers.