Report finds growing disparity between perceived and actual cybersecurity readiness
Earlier this week, Cisco released the results of its 2015 Annual Security Report, which show that there continues to be a large discrepancy between organizations’ perceptions of their cybersecurity posture and the reality of where they actually stand in their ability to detect and respond to an online intrusion. Of the chief information security officers (CISOs) and security operations (SecOps) executives from 1,700 companies in nine different countries interviewed for the study, 75 percent of CISOs said they believed their security tools to be very or extremely effective. However, less than 50 percent of respondents reported using standard tools such as patching and configuration management to help prevent data breaches.
According to Craig Williams, security outreach manager for Talos, Cisco’s recently formed IT security group, 90 percent of the companies surveyed expressed confidence in their security practices, but at the same time, 54 percent admitted to having faced a public security breach.
“Everyone really thinks they have the problem solved, but there is probably some disconnect between what they think they have addressed and what they actually addressed,” he said.
Aside from the disconnect that exists between the perceptions and reality of cybersecurity readiness in today’s organizations, Williams said that the sophistication of hackers and their schemes is on the rise. For example, he said the average exploit kit, which hackers develop and sell to one another to take advantage of security gaps in software applications, is becoming more complex. Additionally, cyber criminals have moved away from attacking the physical assets of a business and toward its users, because they have found that this gives them easier access to an organization’s network.
“The bad guys are consistently evolving ways to compromise the good guys. As a security good guy, part of our job is to basically find out what (malicious actors) are up to, what new techniques they’re using and then find ways to mitigate that so it is not a threat to our customers,” said Williams.
Hackers Changing Their Tactics
The report also found that cyber attackers are becoming more proficient at their craft. Williams said that even though spam emails have been around since nearly the dawn of the internet, last year the study found a 250 percent increase in spam emails received by organizations and their employees. Even more disturbing, according to Williams, is that attackers have started changing their delivery method for spam to a new technique called snowshoe spam.
“The historic spammer would just send a million emails from one IP address. You could think of it in terms of somebody in a house sending out a thousand pieces of junk mail. Well, pretty soon it gets easy to figure out, ‘ok, this one IP address or this guy’s house is bad so let’s block it,’ and everybody did that,” explained Williams. “The bad guys figured out instead of doing that, what if we send one piece of spam from a hundred different IP addresses. It would be like sending out a piece of junk mail from every street on the block and it becomes much more difficult to block because it looks like legitimate email.”
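The blocking problem Williams describes can be shown in detection logic. The following is an added example, not code from the Cisco report or from Talos: it runs a per-IP volume rule and a content-cluster rule over constructed mail-gateway records (sender IP, normalized subject) with assumed thresholds, and shows that only the second rule sees a message spread thinly across many sources.

```python
"""Snowshoe-spam detection sketch: per-IP volume versus content-cluster volume."""
from collections import Counter, defaultdict

# Constructed sample mail-gateway records: (sender_ip, normalized_subject).
# A classic spammer sends many messages from one IP; a snowshoe sender spreads
# the same message across many IPs, each staying below the per-IP threshold.
SAMPLE_RECORDS = (
    [("203.0.113.7", "you won a prize") for _ in range(40)]             # classic: 1 IP, 40 msgs
    + [(f"198.51.100.{i}", "cheap meds today") for i in range(1, 41)]   # snowshoe: 40 IPs, 1 each
    + [("192.0.2.5", "q3 budget review"), ("192.0.2.6", "lunch friday")]  # legitimate noise
)

# Assumed thresholds for this example; tune to the real traffic profile.
PER_IP_THRESHOLD = 20   # messages from a single IP before that IP is blocked
CLUSTER_THRESHOLD = 20  # copies of one message across the fleet before content is blocked
CLUSTER_MIN_IPS = 10    # ...and only when those copies arrive from many distinct sources


def flag_by_ip(records, threshold=PER_IP_THRESHOLD):
    """Classic reputation rule: block any IP whose volume exceeds the threshold."""
    counts = Counter(ip for ip, _ in records)
    return {ip for ip, n in counts.items() if n >= threshold}


def flag_by_content(records, threshold=CLUSTER_THRESHOLD, min_ips=CLUSTER_MIN_IPS):
    """Cluster on message content; a large cluster spread over many low-volume
    IPs is the snowshoe pattern that the per-IP rule cannot see."""
    ips_per_subject = defaultdict(set)
    for ip, subject in records:
        ips_per_subject[subject].add(ip)
    totals = Counter(subject for _, subject in records)
    return {s for s, n in totals.items()
            if n >= threshold and len(ips_per_subject[s]) >= min_ips}


def snowshoe_sources(records):
    """IPs that took part in a flagged content cluster but escaped the per-IP rule."""
    blocked_ips = flag_by_ip(records)
    bad_subjects = flag_by_content(records)
    return {ip for ip, s in records if s in bad_subjects and ip not in blocked_ips}


if __name__ == "__main__":
    print("per-IP rule blocks:", flag_by_ip(SAMPLE_RECORDS))
    print("content clusters flagged:", flag_by_content(SAMPLE_RECORDS))
    print("snowshoe IPs missed by per-IP rule:", len(snowshoe_sources(SAMPLE_RECORDS)))
```

The per-IP rule catches the classic sender and nothing else; the content rule catches the 40 snowshoe sources, none of which crossed the per-IP threshold.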
Another way in which hackers’ methods appear to be evolving is in the types of software they are now attempting to exploit. Williams said that for years Java, PDF and Flash have been the three pieces of software most consistently targeted by cyber criminals. However, the report found that over the past year, attacks against PDF and Flash remained relatively flat and that there was actually a 34 percent drop in attacks on Java. On the other hand, the report found a startling 228 percent rise in attacks against Silverlight, a plugin from Microsoft used primarily for playing back video.
“Historically, we haven’t seen a lot of Silverlight exploitations. They just haven’t been there,” said Williams. “But beginning in early 2014, we started seeing Silverlight exploits being included in exploit kits. We were looking into it wondering why would they pick Silverlight of all things… and what we found out when it was detected by different pieces of detection technology was that security in the industry, as a whole, was not great at detecting it. What we suspect happened is the bad guys realized that no one was looking for Silverlight attacks and started focusing their research and development on it.”
Williams emphasized that despite the increase, Silverlight exploits still make up only a very small percentage of the software that is actively attacked by hackers. But it does show that as one attack vector falls, another will rise to take its place.
Finally, the study discovered a substantial increase in malvertising attacks, including a 250 percent increase in October alone last year. Essentially, malvertising, sometimes referred to as a “drive-by download attack,” involves placing an exploit on a webpage that attackers then try to lure unsuspecting users into clicking on, at which point their computers become infected. Williams said the reason for the spike can be attributed to the fact that cyber criminals have figured out that ad servers are an attractive way to compromise users.
“What we found was that the typical website, if you can imagine the typical news website when you go there on your web browser, you would think it would only create one or two connections, but the reality is it is over 500,” said Williams. “The reason behind this is a webpage is composed of different pieces of content and high-volume websites like major news websites have to have redundant servers for each piece of content and so when you talk about an advertising server, you end up with a tree of connections and each piece of the tree has several hundred machines or something, so it is an insane number of computers. Any of those that aren’t patched could potentially be used to serve a link to a malicious website thus creating a malvertisement. So you could go to what’s thought of as a known, safe website… but it could serve a malicious advertisement and then you are exploited. We’re seeing this being very heavily used by the bad guys.”
Cybersecurity Moves from the Backroom to the Boardroom
Williams said that cybersecurity has become a tug of war between the defenders (security professionals), users and attackers. The problem that users face, according to Williams, is that the defenders are telling them one thing to improve their security, while the attackers are taking advantage of them in other ways. For example, a user may receive a notification telling them a software plugin needs to be updated to patch a security flaw; they think they are doing the right thing by downloading it, but in many cases what they clicked on was a piece of malware from a hacker.
The good news is that because of the numerous high-profile data breaches that have occurred over the past several years, IT security is now top of mind for many corporate executives, who are taking an active role in making sure their organizations implement security best practices. To help organizations get to this point, Cisco has released a set of guidelines, dubbed the Cisco “Security Manifesto,” to help companies better understand and respond to cybersecurity challenges. Among these guiding principles are:
1. Security must support the business.
2. Security must work with existing architecture – and be usable.
3. Security must be transparent and informative.
4. Security must enable visibility and appropriate action.
5. Security must be viewed as a “people problem.”
“I think what a lot of people do wrong is they make people sit through a long, boring training class that is like drinking out of a fire hose,” Williams said. “I think the way you train and teach the employees of the average business is you figure out what their threat vectors are… and the closer you can align security training with an individual’s day-to-day job, the better off they are going to be from a security perspective.”