We recently released the Cisco 2009 Annual Security Report. This is the most recent edition of our security report series, which was started in December of 2007 and now includes both annual and midyear reports. These documents primarily seek to do two things: to help you understand the threats and security events that existed during the report time frame, and to provide you with appropriate guidance on how we believe threats will evolve in the coming year.
I am not one who admires the pontification often performed by security experts and I assure you that any forward-looking guidance we write is intended solely to help you understand the emerging security threats. I believe in looking into the past with a critical eye and understanding how we could have done better.
With that in mind, the release of our 2009 annual report has reminded me to take a few minutes and review our past guidance, and naturally, evaluate our results.
Here are the predictions that we laid out in two earlier security reports: the Cisco 2008 Annual Security Report and the Cisco 2009 Midyear Security Report. It is worth noting that while the title and short summary are directly from the reports, the text that follows is my evaluation of the guidance.
First, our predictions from the Cisco 2008 Annual Security Report:
- Smaller, More Frequent, Targeted Attacks: More sophisticated attacks will occur in the year ahead. They will be deployed rapidly and designed for even more specific targets—individuals, groups, businesses, organizations, and governments.
This was certainly the case in 2009 and we will see the continued evolution of this threat. Even though many targeted attacks are never publicly disclosed, we are seeing them being reported with greater frequency. Attackers have successfully integrated this approach into their cache of weapons, whether enabled through social engineering, privately discovered zero-day vulnerabilities, or by leveraging inadequately patched vulnerabilities of the past. However, this does not mean that indiscriminate attacks against any and all who happen into the dark alleys of the Internet have disappeared—they have not.
- Cross-Protocol Attacks: Online criminals looking to improve their odds of success will increasingly rely on cross-protocol or “blended” approaches that combine e-mail, web-based threats, and intrusions.
I will go as far as to say that blended threats are becoming the norm. Perhaps it is due to the successful security enhancements and infrastructure in modern operating systems, or to the proliferation of security functionality in everyday locations, but most modern attacks seek to exploit the user through some form of blended threat. This manifests in many ways; for example, the use of search engine optimization techniques that misdirect search engine users to websites that host drive-by exploits, or e-mail spam that includes a link to a “must see” video that, when visited, prompts the user to install malware disguised as a required video codec.
- Reputation Hijacking: In 2009, more online criminals will be actively hijacking reputations and will work on finding additional, more sophisticated ways to do so.
While there are signs that instances of phishing may be on the decline, reputation hijacking continues to be a threat. Online criminals continue to innovate and use techniques that disguise the origin of their attacks as trusted sources. An advanced example of reputation hijacking is the malicious use of search engine optimization. Abused in this way, search engine optimization enables criminals to stack search engine results in their favor, returning malicious web pages within and near the top of search results for popular, time-sensitive searches, as described in the Cisco 2009 Annual Security Report. This particular technique leverages the reputation of the search engine to add credibility to web pages that exist solely for nefarious purposes.
- Mobility, Remote Working, and New Tools as Risk Factors: The trend of remote working and related use of web-based tools, mobile devices, virtualization, “cloud computing,” and similar technologies to enhance productivity—especially in an economic climate that demands leaner, more cost-effective and global staff—will continue in 2009.
This means that preventing loss of data—from outside attacks, insiders, or negligence around data storage devices such as laptops—will become more crucial than ever.
2009 saw a lot of development in the arena of cloud computing, and with it some widely publicized failures. To compound the problem, laptop theft or loss has been continually highlighted as a key contributor to both corporate data leakage and the release of personally identifiable information.
Our guidance from the Cisco 2009 Midyear Security Report included:
- Spam to Return to Record High Levels: Following the “noise” that helped to expose Conficker last year, botmasters have been working harder to conceal their activities for as long as possible so they can quietly grow their botnets to desired size. Thus, there has been a rise in lower-volume and more frequent botnet attacks recently.
In the months ahead, expect spam volume to rise to record levels.
Spam volumes have in fact continued to rise. This is evident in the six months of new data within the Cisco 2009 Annual Security Report. For instance, in October 2009 the daily average spam volume topped 250 billion messages, whereas documented spam volumes before the publication of the Cisco 2009 Midyear Security Report peaked below 200 billion messages a day on average.
- More Attacks on Legitimate Websites: Criminals are expected to maintain their aggressive targeting of legitimate websites, especially to distribute malware for creating botnets.
Our 2009 annual report details an interesting instance of this prediction occurring in the second half of 2009. In the scenario described, three popular and legitimate websites were persuaded into hosting advertisements that ultimately led users to malicious content such as fake antivirus or malware. As the report points out, this is particularly troublesome as smaller websites may be reluctant to impede ad sales and may not have the staffing to sufficiently vet ads prior to placing them online.
- Social Networking Attacks to Continue: Worms have also been a problem for many popular social networking sites recently, and until these sites start featuring more robust protection that is built into the network, expect social networking communities to remain favorite hunting fields for many cyber criminals.
While social networking worms appear to have decreased since this report was published, attacks using social media have increased and now include new types of threats. Malware is enticing users with messages via social networks, and now your “friends” can ask you for money online. The question is: are they really your friends? Or have your friends lost control of their accounts, so that it is in fact a thief looking to steal your money, or worse, your personal information?
What is interesting in seeing our previous predictions laid out compactly is that a clear theme becomes apparent: we humans are the weakest link in security. Years ago operating systems and applications were the primary security “problem.” That is no longer the case.
Coincidentally, Jean and Christopher have both recently written about the human side of security here on the Cisco Security blog. We also see evidence that this trend will continue as we look forward in the Cisco 2009 Annual Security Report, which declared “Social Media: We’re the Problem.” Our most recent set of guidance in that report includes the following predictions:
- We will see expanded use of vishing—the combination of voice over IP and phishing—in 2010
- Criminals will continue to leverage search engine optimization extensively
- We will see a continuing emphasis from the U.S. government on the improvement of best practices, information sharing, education, and R&D focused on breakthrough technologies
- The number of politically motivated attacks will rise in 2010
- Developing countries will experience a renaissance of older threats as large numbers of new users come online
- Worldwide spam volume in 2010 will rise 30 to 40 percent over 2009
In the past we have focused on the security precautions and functionality that can be embedded into operating systems and network devices. This was the case for good reason, and as an industry there were many successes in this space. However, as we move forward we must focus on the more difficult problem in front of us: education. But with this challenge comes opportunity, and our successes in education will undoubtedly have a great impact on the security of the Internet.