Cisco Blogs


Cisco Blog > Security

Cisco 2014 Annual Security Report: Why the Before/During/After Approach to Security Offers Better Protection from Threats

The number and variety of threats that can infiltrate corporate networks and disable critical infrastructure are sobering. Take a look at our findings and analysis in the new Cisco 2014 Annual Security Report, and you’ll see that malicious actors are innovating just as fast as security professionals do. As threats proliferate, so do the solutions for responding. It’s a confusing, fragmented market. That’s why Cisco believes it’s time for a new security model: a model that’s threat-centric, providing better visibility across the entire attack continuum and across all attack vectors, so that your organization stands a better chance of stopping attacks, or minimizing the damage they cause.

As we explain in the Cisco 2014 Annual Security Report, today’s advanced attacks are too complex and sophisticated to be addressed by traditional technologies that only perform their analysis once at a specific point in time, versus technologies that work continuously. At the same time, the data protection needs of organizations have become incredibly multifaceted. Mobile users and reliance on the cloud have complicated the ways business networks need to be protected. There is no “silver bullet” to solve every security problem.

Our recommendation for meeting today’s security challenge is to move away from point-in-time solutions, to an any time, all the time, continuous approach:

  • Before an attack: You can’t protect what you can’t see. Know what’s on your network—devices, operating systems, services, applications, users, and more. With this knowledge you can set up access controls, enforce security policies, and block applications and overall access to critical assets. This will help reduce the surface area of attack. But keep in mind that there will still be gaps attackers can exploit to achieve their objectives.
  • During an attack: Deploy solutions that can address a broad range of attack vectors by operating everywhere a threat can turn up—networks, endpoints, mobile devices, and virtual environments, for example.
  • After an attack: As much as we want to stop all attacks, it’s a given that on some occasions, intruders will succeed. Prepare for this eventuality with capabilities to determine the scope of the damage, contain the event, remediate, and bring business operations back to normal as quickly as possible.

The before/during/after approach to security avoids the problems associated with fragmented security solutions, such as lack of visibility and inconsistent enforcement. The Cisco 2014 Annual Security Report details today’s top security concerns and the value of this strategy.

Tags: , , , ,

Cisco 2014 Annual Security Report: Threat Intelligence Offers View into Network Compromises

Thanks to extensive detection telemetry and analytics, we have a clear view into the attackers and malicious actors that are infiltrating Internet infrastructure and using trusted applications as a foothold for gaining access to networks. As explained in the Cisco 2014 Annual Security Report, online criminals continue to develop more sophisticated methods for breaching security protections—all of which require extra vigilance and a holistic view of threats and how they’re managed.

Perhaps the trend of most concern is malicious actors’ ability to gain access to web hosting servers, nameservers, and data centers, and using their processing power and bandwidth to launch far larger exploits and attacks. This is sobering, because it means that now the very foundations of the Internet are at risk of exploitation. The 2013 DarkLeech attack demonstrates how the compromise of hosting servers can help attackers gather the resources they need for a much larger campaign: In this case, servers were compromised worldwide, allowing the perpetrators to take over 20,000 legitimate websites.

The broad reach of this malicious behavior and resulting compromises can be seen in the results of Cisco’s examination of Domain Name Service (DNS) lookups originating from inside corporate networks, as detailed in the Cisco 2014 Annual Security Report.

Cisco threat intelligence experts found that 100 percent of the business networks analyzed had traffic going to websites that host malware, while 92 percent show traffic to webpages without content, which typically host malicious activity. Ninety-six percent of the networks reviewed showed traffic to hijacked servers. The pervasiveness of malicious traffic indicates that organizations need to monitor network traffic closely (and continuously) for possible indicators of compromise.

Some of the most tenacious players in the network compromise game are launching targeted attacks, which are proving very difficult for organizations to oust from their networks. These attacks are persistent and disruptive, threatening the security of intellectual property, customer data, and other sensitive information. As a guide to understanding targeted attacks, the Cisco 2014 Annual Security Report offers insights on the “attack chain”—that is, the events that lead to and through the stages of such attacks, as seen in the graphic below:

Russ_Smoak_blog_CASR

The bottom line is that IT security professionals need to think like attackers and understand the methods and approaches they use to execute their missions.

The Cisco 2014 Annual Security Report has many more findings on security threats, gleaned from Cisco research and observations—including updates on mitigating Java exploits, threats observed in mobile device use, and the status of threats and vulnerabilities reported by Cisco. You’ll find it a valuable resource as you prepare to understand security challenges in the year ahead.

Tags: , , , ,

Bridging the Looming Global IT Security Professional Shortage

I must admit that I recorded the accompanying video blog post before I had a chance to read the 2014 Cisco Annual Security Report (CASR), but this time slip on my part sets up a now-more-than-ever situation for what I’m about to tell you. The CASR projects 500,000 to 1,000,000 person global shortage in the number of IT security professionals that public and private sector organizations will need to cope with the security challenges of the foreseeable future. Yikes!

How will societies around the world bridge this gap? Technical schools and universities can train new people, but that’s going to take time for them to respond to demand, much less do the actual training. Public and private organizations can also recruit existing security professionals, but this can quickly turn into a bidding war for talent. I can also project increased demand for outsourced security services, but many of the supply and demand dynamics will apply here as with recruiting from the pool of established experts. Read More »

Tags: , , ,

Cisco 2014 Annual Security Report: Cybercriminals Applying “Old” Techniques in New Ways

We know that as time goes on, the cybercrime network’s operations will only more closely resemble those of any legitimate, sophisticated business network. And like all enterprising businesspeople, those who are part of the “cybercriminal hierarchy”—which is discussed in the Cisco 2014 Annual Security Report and illustrated below—look to increase their profits by continually innovating new products and improving upon existing ones.

This was certainly the trend in 2013: Cisco researchers observed cybercriminals applying several tried-and-true techniques in new, bold, and highly strategic ways. The Cisco 2014 Annual Security Report examines some of these actions and our associated research in detail, including:

  • Brute-force login attempts: There was a threefold increase in the use of brute-force login attempts just in the first half of 2013. Cisco TRAC/SIO researchers discovered a hub of data with millions of username and password combinations that malicious actors were using to feed these actions. Many brute-force login attempts are being directed specifically at popular content-management system (CMS) platforms like WordPress, Joomla, and Drupal. (Read the Cisco 2014 Annual Security Report to find out why CMS platforms are favored targets—especially for adversaries trying to commandeer hosting servers in an effort to compromise the Internet’s infrastructure.)
  • Distributed denial of service (DDoS) attacks: Another oldie but goodie among cybercrime techniques, DDoS attacks have been increasing in both volume and severity since 2012. But today’s DDoS attacks aren’t just about creating disruption for businesses or making a political statement. There is evidence some attacks are now being used as smokescreens to conceal the theft of funds. The DarkSeoul attacks, examined in the Cisco 2014 Annual Security Report and a big focus for our researchers last year, are an example of this strategy. Looking ahead, we expect DDoS attacks launched through DNS amplification to be an ongoing concern. (It’s not a big leap when you consider The Open Resolver Project reports that 28 million open resolvers on the Internet pose a “significant threat.”)
  • Ransomware: In 2013, we saw many attackers moving away from traditional botnet-driven infections on PCs and increasing their use of ransomware. This includes a new type of malware in this category called Cryptolocker, which our researchers discovered last fall. Ransomware prevents normal operation of infected systems until a prescribed fee is paid. It provides a direct revenue stream for attackers—and it’s hard to track.

The Cisco 2014 Annual Security Report also notes that while the tactics used by today’s profit-oriented online criminals are only growing in sophistication, there’s a shortage of security talent to help organizations address these threats. The bottom line: Most organizations just don’t have the people or systems to monitor their networks consistently. There’s also a clear need for data scientists who can help the business understand why cybersecurity needs to be a top priority, and how security and business objectives can (and should) be aligned.

Tags: , , , , ,

Securing the Future Enterprise

This blog post is part three of a three-part series discussing how organizations can address mobile security concerns through an architectural approach to mobility. The first post discusses how next-gen Wi-Fi models will pave the way for secure mobility. The second post highlights the risks versus the rewards of mobility.

Providing corporate network access via mobile devices is nothing new to today’s IT administrators. However, the future of BYOD and mobility will change as rising generations expect and demand more seamless and secure connectivity. Recently Tab Times editor Doug Drinkwater shared a similar idea: BYOD is still in an early phase with plenty of new challenges and opportunities ahead.

In this last installment of this security and mobility series, I’ll discuss why BYOD policies will change and outline how C-level executives can leverage employees as solution drivers in order to solidify the future of mobility within their organization. Read More »

Tags: , , , , , , , , , , , , , ,