05:00 PM
Connect Directly

IT Confidence Ticks Down

Cisco security report shows aging infrastructure no match for constantly advancing attack techniques.

IT confidence in its current cybersecurity protections dropped down a tick this past year in the face of aging infrastructure, rampant ransomware campaigns, and constant shifts in attack tactics from the bad guys.

So says the Cisco 2016 Annual Security Report, which showed that only 59 percent of organizations report that their security infrastructure is "very up to date," compared to 64 percent who reported the same last year. What's more, fewer than half of respondents say that they're confident in their security posture today.

The report took a look at attitudes and practices of more than 2,400 CSOs and security operations experts across the enterprise and midmarket, and combined that with analysis of Cisco's network of customer devices.

In addition to a dip in the ratio of organizations claiming up-to-date security infrastructure, the report shows that organizations continue to suffer from an inability to update its infrastructure. Approximately 92 percent of analyzed Internet devices are running known vulnerabilities and 31 percent of devices analyzed aren't even supported or maintained by their vendor.

Among the findings, Cisco reports that only about 9 percent of organizations have an IT security budget distinct from the overall IT budget, though at this point 98 percent have a department or team solely dedicated to security.

"Many organizations rely on network infrastructures built of components that are old, outdated, and running vulnerable operating systems—and are not cyber-resilient," the report noted, explaining that devices had 26 vulnerabilities on average.

In the report, Cisco also highlighted the growing threat to respondents and analyzed devices from increasingly sophisticated exploit kit and ransomware campaigns. In particular, the report dove into the activity of the highly prevalent and damaging Angler exploit kit, which 60 percent of the time delivered ransomware payloads. For example, Cisco researchers point to the July 2015 spike in Cryptowall 3.0 to activity from Angler. The firm estimates that criminals are making $34 million annually per ransomware campaign through Angler, with about 2.9 percent victims paying an average ransom of $300.

"The authors of Angler and other exploit kits have been quick to exploit 'patching gaps' with Adobe Flash—the time between Adobe’s release of an update and when users actually upgrade," the report stated. "Cisco threat researchers attribute the July 2015 spike to the Flash zero-day exploit CVE-2015-5119 that was exposed as part of the Hacking Team leaks."

The report took a look at a number of techniques attackers are using to exploit enterprises today. For example, with the rise of HTTPS traffic use, security tools are struggling to keep tabs on malware using encrypted communication across a diverse set of ports. Additionally, attackers are taking advantage of the DNS "blind spot" within organizations. Approximately 91 percent of malware used DNS to gain command and control, exfiltrate data and redirect traffic. As things stand, few organizations monitor DNS for security purposes if at all, the report says.

"Why is DNS a security blind spot for so many organizations?" the authors say. "A primary reason is that security teams and DNS experts typically work in different IT groups within a company and don’t interact frequently."

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
Joe Stanganelli,
User Rank: Ninja
1/24/2016 | 2:14:42 PM
Re: Advanced?
Even aside from more offensive cybersecurity stances, there is a need for greater proactivity overall when it comes to InfoSec, security policies, and other related risk management issues.  The better prepared you are not only for prevent attacks but also for the eventual successful attack, the better able you are to prevent, lessen, or mitigate damage.
Christian Bryant
Christian Bryant,
User Rank: Ninja
1/24/2016 | 1:33:18 AM
Re: Advanced?
I would tend to agree that volume and availability of "old hat" techniques and tools is more a problem than innovation in the styles of intrusion programming.  However, this is just looking at the larger body of "common" attacks.  There is a whole new level of intrusion and data acquisition techniques, programming methodologies and experimental programming happening that Enterprise IT sorely needs to become acquainted with.  We imagine the most creative hacking occurs only when the targets are government, infrastructure and financial institutions, but in fact many of these programs and techniques are first put up against Enterprise IT during the early release and testing stages.

I still believe InfoSec needs to change its model to one of offense in addition to defense, and data analytics are a huge piece of setting that stage.  But then, there also needs to be a resource on the Security team that has strong coding chops and can improvise, innovate and meet the skills of the less mundane attacks.  Seeing the model change, seeing more confidence on the part of the InfoSec team with a level of aggression added with the offensive shift - these are things that might help improve IT confidence in their Security functions.

Joe Stanganelli
Joe Stanganelli,
User Rank: Ninja
1/22/2016 | 11:03:24 PM
"constantly advancing attack techniques"

Are these attack techniques and kits really more advanced, though?  All that's happening here is that the kits are becoming more widely distributed as pricing makes them more available to less-skilled attackers.  The attacks themselves though -- the code -- are often based upon "old [black] hat" (heh) techniques.

This is why some researchers are now using predictive analytics to anticipate what future attacks will look like.
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.