Organizations lack confidence in their ability to fend off cyber-attacks, new report finds

Jan. 19, 2016
Despite perceived shortcomings, cyber criminals have actually been forced to up their game

According to the findings of Cisco’s Annual Security Report released on Tuesday, organizations worldwide seem to be increasingly less confident in their ability to effectively fend off the myriad threats they face from cyber-attackers. In fact, the study found that just over half of security professionals strongly believe they can detect security weaknesses before they become full-blown incidents and only 45 percent were confident in their ability to determine the scope of a network compromise and mitigate the damage.

In addition, an increasing number of security executives are also losing faith in their technologies. Just two years ago, 64 percent indicated that their security infrastructure was up to date and constantly upgraded. Last year, however, that figure dropped to 59 percent.

Despite these perceived shortcomings in their security programs, the report also shows that organizations are doing more to address cyber vulnerabilities. In 2015, 66 percent of companies reported that they had a written, formal security strategy in place, which was up from the 59 percent of companies in 2014. Also, 37 percent of security professionals surveyed said that their organizations were equipped with the latest security tools, which was a slight increase compared to the previous year.

Given the frequency and scope of recent high-profile data breaches, it should come as little surprise that security executives are not as confident that they could thwart a similar attack inside their organization’s network. And while it’s true that cyber criminals continue to be effective with their attacks, experts say that the increased emphasis placed by organizations on bolstering their cybersecurity posture has forced hackers to turn to more sophisticated tactics. For example, Angler, which is one of the most commonly used exploit kits, has undergone some significant changes recently.

“The people behind Angler decided that in addition to all of the other innovations they’ve done this year like domain shadowing and things like that, they thought the way people run their infrastructure could be improved,” said Craig Williams, senior technical leader and outreach manager for Cisco. “What they did was design their network like a hydra so the hydra heads are these front-end proxy servers that are exposed to the victim and so as it is compromising users, eventually network security (personnel) is going to send an abuse ticket to the provider and if it’s a reputable provider, they will shut down that server. When that happens there is going to be a status server in Angler that is querying that server every 30 seconds. As soon as it’s gone, it kicks into firing up another head on the hydra and rotating in a new proxy server, so the downtime is completely minimized.”

Essentially, Williams said that attack infrastructure is being “intelligently architected” to increase redundancy, reliability and, most importantly, to hide the activities of malicious actors from end users.  Jason Brvenik, principal engineer for Cisco’s Security Business Group, said that cyber criminals have been forced to create this type of resilient architecture due to the successful efforts of cybersecurity professionals in being able to recognize and protect their networks against traditional attacks.

“The good guys have gotten so good at their job that they’ve forced the bad guys to evolve,” added Williams. “It’s nice to see that for a change. All too often, the bad guys come up with some creative way to attack users and we end up having to architect a new way to defend against it with a new type of blocking technology or something. This is how the game should be played with give and take on each side.”

With that being said, there are still a number of cybersecurity deficiencies that organizations need to address. According to the report, one of the greatest areas of need is in updating aging infrastructure. Of 115,000 Cisco devices on the Internet that were analyzed, 92 percent of them were running software with known vulnerabilities. In addition, 31 percent of Cisco devices in the field that were included in the analysis were said to be “end of sale” and another eight percent were “end of life.” While budget constraints may hinder a lot of companies from making these necessary equipment upgrades right away, Williams said organizations need to start approaching infrastructure maintenance the same way most people do with their car.

“Some people just take it for granted until one day it turns out it’s end of life and it hasn’t been patched in the last 12 months,” he said. “It would be like deciding not to change your oil. You can do it and you can get away with it for a short period of time, but eventually it’s going to have catastrophic consequences. As part of any budgeting or product plan, you need to look at that maintenance and make sure you are performing it.”

Faced with the seeming inevitability of a data breach, an increasing number of organizations have also begun leveraging encryption as a way to protect sensitive data. However, encryption can also provide organizations with a false sense of security, according to Brvenik, if it is not used properly.

“Encryption doesn’t mean safe. Encryption means you can’t see what’s there but it doesn’t mean that what you’re being given is safe,” explained Brvenik. “Attacks can be perpetrated over encrypted channels just like they can be perpetrated over unencrypted channels.”

Williams said a good example of this is malvertising. Many websites are now switching over to SSL (Secure Sockets Layer) for everything because their users want it, but Williams said they are still exposed to threats.

“As long as that traffic is encapsulated in SSL, your security device isn’t going to see any threats and attacks through malvertising are incredibly common,” he said.

Despite these and other areas that still need to be shored up, Brvenik believes that the industry has come a long way in protecting networks - both public and private - against cyber-attacks.

“I remember starting in the industry, it was so easy to compromise something that you could sneeze at it and it would fall over,” he said. “We’ve come a long way in just the basics and we have a long way to go, but we’re now seeing the adversary on the other side having to reinvest in infrastructure and create professionally designed and architected systems that are resilient to our attack on it.”


About the Author

Joel Griffin | Editor-in-Chief, SecurityInfoWatch.com

Joel Griffin is the Editor-in-Chief of SecurityInfoWatch.com, a business-to-business news website published by Endeavor Business Media that covers all aspects of the physical security industry. Joel has covered the security industry since May 2008 when he first joined the site as assistant editor. Prior to SecurityInfoWatch, Joel worked as a staff reporter for two years at the Newton Citizen, a daily newspaper located in the suburban Atlanta city of Covington, Ga.