In an effort to shed greater light on growing trends involving security threats around the world, Cisco announced the release of its first annual report on the global state of security. The report spotlights the risks and challenges that businesses, government organizations and consumers increasingly face and offers suggestions on guarding against them.
The 2007 Cisco Annual Security Report, released in conjunction with the launch of the company's updated Cisco Security Center site (www.cisco.com/security), provides a concise summary of the past year's major issues. It offers predictions for security threats in 2008 and recommendations from Cisco security practitioners, such as Chief Security Officer John Stewart and Vice President of Customer Assurance and Security Programs Dave Goddard. While many end-of-year industry reports focus on content security threats (viruses, worms, trojans, spam and phishing), the Cisco report broadens the discussion to a set of seven risk management categories, many of which extend well beyond isolated content security issues. The categories are vulnerability, physical, legal, trust, identity, human and geopolitical, and together they encompass security requirements that involve anti-malware protection, data-leakage protection, enterprise risk management, disaster planning, and more.
The report's findings reinforce the fact that security threats and attacks have become more global and sophisticated. As the adoption of more and more IP-connected devices, applications, and communication methods increases, the opportunity emerges for a greater number of attacks. These trends are writing a new chapter in the history of security threats and attack methodologies.
Years ago, viruses and worms (Code Red, Nimda, and others) ransacked computer systems to cause damage and gain notoriety. As Internet adoption and e-commerce increased, blended threats (spam-enabled phishing attacks, botnets, etc.) evolved with the intent to steal money and personal information. This "stealth-and-wealth" approach subsequently evolved into a more worldwide phenomenon that frequently features more than one of the seven risk categories.
According to Stewart, information security is no longer just a battle against a virus or spam attack. There are oftentimes legal, identity-based and geopolitical factors involved. As examples, he points to identity theft at major retailers and a recent distributed denial-of-service attack allegedly launched by politically motivated hackers within Russia on its neighbor Estonia this spring. The cyber attack, which reportedly stemmed from outrage over Estonian authorities' decision to move a Soviet-era war memorial from a park, shut down many of the country's government Web sites.
"Cybercrime is evolving before our eyes, oftentimes using well-known techniques seen before only in electronic form," Stewart said. "You just can't afford to view information security threats as a standalone duel against a virus or a phishing attack; threats involve social engineering and technology, trust and pervasive use. Today, the effort to secure businesses, personal identities and countries requires a greater level of coordination among parties that have not traditionally worked together as closely as they'll need to. IT security teams, businesses, government, law enforcement, consumers, citizens: They're all targets, yet they're also allies. The effectiveness of national, enterprise and personal security will depend on the collaboration and communication among all of these constituencies."