Networking giant Cisco recently released its Annual Security Report highlighting trends in data breaches and threats from the previous year, and its findings—while similar to other recent reports (e.g., Verizon DBIR, Trend Micro Security Roundup)—offer some unique insights regarding the current threat landscape. No stranger to IT security, Cisco details in its report shifting patterns in cyberattack methods, emerging vulnerabilities, and best practices on how to mitigate future threats.
Created by Cisco Security Research and other security experts within Cisco’s organization, 2015’s Annual Security Report identifies some interesting emerging trends in cybercrime. The following are some highlights of those findings.
Pharmaceutical/Chemical Industries are at the highest risk for web malware exposure.
“In 2014, the pharmaceutical and chemical industry emerged as the number-one highest-risk vertical for web malware exposure, according to Cisco Security Research.”
Top verticals at-risk for malware exposure compromises. Source: Cisco Security Research
This metric coincides with other statistics in the report (as well as data from other organizations’ reports) that illustrate a continuing shift towards cybercrime carried out for commercial purposes. For the pharmaceutical and chemical industries, bolstering security to hinder/prevent intellectual property theft should be a top priority.
The majority of organizations do not use patching and configuration management (CM) to bolster their security.
“Less than 50 percent of respondents use standard tools such as patching and configuration to help prevent security breaches”
This is especially disconcerting, given the integral role that CM and patching have in preventing data breaches and intrusions. Organizations rely too heavily on standard security tools like firewalls and IDS/IDPS solutions and fail to address shortcomings in foundational components that are more often the cause of security compromises.
Security is clearly not part of the airline wifi equation, as one journalist famously discovered last week on a domestic American Airlines flight.
Intruders are increasingly targeting the application stack for exploitation.
The rise of cloud apps and the ubiquity of DIY open-source content management systems (CMS) has created a landscape of vulnerable websites and SaaS offerings. Underlying systems/networking layers managed by IT operations may withstand malicious attacks, but application-level components built by developers are often riddled with vulnerabilities.
Complexity breeds insecurity.
“The growing number of Apache Struts Framework exploits is an example of the trend toward criminals compromising online infrastructure as a way to expand their reach and ability during their attacks.”
Top Vendor and Product Vulnerability Exploits. Source: Cisco Security Research
Frameworks like Apache Struts—while streamlining development with common patterns/constructs—ultimately introduce more working parts into the software delivery mechanism, and hence more attack vectors into the application. This goes for all languages and associated frameworks (e.g., Python/Django, PHP/Laravel, Ruby/RoR, et al.).
“Content management systems (CMS) are also preferred targets; adversaries rely on websites running outdated versions of CMS to facilitate exploit delivery.”
Top Product Categories Exploited. Source: Cisco Security Research
Complexity and resulting vulnerabilities also plague CMS platforms, as many of these solutions are built upon layers of open-source packages. Furthermore, the majority of CMS users are not security professionals, or even web developers for that matter—they are DIYers and proprietors of small/medium-sized organizations. Consider the most popular CMS on the market today: WordPress—and any application/website built with it—is susceptible to all vulnerabilities in the underlying LAMP stack (Linux, Apache, MySQL, and PHP). For more information about CMS vulnerabilities, check out Wordpress’ Zero-Day Vulnerability and Weaponized Code.
Security must evolve into a continuous effort that includes testing during all phases of development.
“Annual alert totals, the cumulative new and updated product vulnerabilities reported in 2014 and compiled by Cisco Security Research, appear to be on the decline...the most likely reason for the decline is the growing attention to software testing and development on the part of vendors. Improved development lifecycles appear to reduce the number of vulnerabilities that criminals can easily exploit."
So it’s not all doom-and-gloom. Apparently last year was the first time new and updated product vulnerabilities were on the decline (when compared to the previous year). This is attributed to more robust testing methodologies and security/vulnerability assessments carried out during all phases of software development and delivery.
The report ends with guidelines on how to bolster enterprise security against a future of unknown threats:
Security must be considered a growth engine for the business.
Security must work with existing architecture, and be usable.
Security must be transparent and informative.
Security must enable visibility and appropriate action.
Security must be viewed as a people problem.
These principles are also manifest in UpGuard’s platform for infrastructure visibility and validation. Our solution enables comprehensive vulnerability assessment and monitoring, ensuring that security and integrity is maintained in all parts of the development pipeline. Furthermore, UpGuard dovetails into existing security platforms and integrates easily with popular CM and automation tools, enabling complete end-to-end coverage.
How CSTAR Works What's In the Website Risk Grader? Understanding Risk in the 21st Century
All the information needed to perform a CSTAR assessment is bundled into the UpGuard platform. Learn more about CSTAR.
Read Blog >
The UpGuard Website Risk Grader provides a low friction way to get an initial assessment of a business' risk profile.
Read Blog >
And as we enter 2016, the risk of data breaches in particular threatens to hamper business innovation.
Read Blog >