Our just-released 2016 Cisco Annual Security Report (ASR) presents a challenging cybersecurity landscape: cyber defense teams are fighting to keep up with rapid global digitization while trying to integrate dozens of vendor solutions, speed up detection, and educate their organizations from top to bottom. Meanwhile attackers grow more bold, flexible, and resilient by the day, setting up professional infrastructures that look a lot like what we’d find in legitimate businesses. On the global front, we see fluctuations in cyber Internet governance across regions, which inhibits collaboration and the ability to respond to attacks.
Security threats, attacks, and challenges are not new—Cisco released our first ASR in 2007. While the major trends remain essentially constant, the cumulative intelligence in the reports demonstrates how quickly attackers—with the luxury of working outside the law—innovate to exploit new security gaps.
This year’s ASR reveals that attackers increasingly use legitimate online resources to launch their malicious campaigns. Though the news might speak to zero-day attacks, hackers also continue to deploy age-old malware to take advantage of weak spots such as unpatched servers. Aging infrastructure opens up green-field attack surfaces while uneven or inconsistent security practices remain a challenge.
Other key insights from the 2016 ASR include a growing encryption trend (particularly HTTPS) for web traffic, which often provides a false sense of security to users—and for companies, potentially cloaks suspicious activity. We are also seeing more use of compromised WordPress servers to support ransomware, bank fraud, and phishing attacks. Alarmingly, between February and October 2015, the number of compromised WordPress installations used by cybercriminals grew by more than 221%.
The picture we see is disturbing:
Given this backdrop, the ability to recognize and respond to security threats in near real time is no less than a business imperative. We simply cannot continue to create technical debt, leaving systems unpatched, critical services exposed, and application services open to attack. These are what we can control, and yet the data shows we aren’t succeeding. This means fortifying the weakest links, such as older networking software, taking a proactive approach to patches and upgrades, and taking control of critical infrastructure. It also means working toward a cohesive security landscape, where companies, industries, and governments communicate and collaborate to thwart cyber criminals, taking an integrated approach to threat defense that operates in near real time on our behalf. What are we waiting for?
Here’s my take on what we can all do now:
- Senior leaders across organizations of all types must acknowledge, embrace, and own security as their strategy, not a CISO’s, and not just in IT.
- Vendors that embed IT in their offerings must produce solutions that customers can trust and that are designed with security in mind. We have to slow the introduction of vulnerabilities.
- Adding “yet another vendor” cannot continue to be our answer. This just adds to the complexity of the security challenge and leaves companies more vulnerable to attacks. For cost, return on investment, efficacy, and to remain nimble, security efforts must be business led, architecturally delivered, and provably integrated and effective.
Increased attention, measurable results, added resilience, and focusing on what we can control are all possible now – so let’s capitalize on the moment before it’s too late.
The 2016 Cisco Annual Security Report analyzes the most compelling trends and issues in cybersecurity from Cisco security experts, providing insight on advancements made by both the security industry and the criminals hoping to breach defenses. Geopolitical trends, perceptions of cybersecurity risk and trustworthiness, and the tenets of an integrated threat defense are also discussed.