
Report on the Cisco 2015 Annual Security Report

A Reasonably Comprehensive Overview, with a Minimum of Self-Serving Corporate Promotion

Large companies have large pools of resources. Occasionally, those resources document their work in a relatively coherent manner. And sometimes, these documents make for worthwhile reading. Such is the case with the document under discussion here: the Cisco 2015 Annual Security Report,

“which presents the research, insights, and perspectives provided by Cisco Security Research and other security experts within Cisco”

and weighs in at a tidy 50-plus pages; this blog post is considerably shorter. If this article piques your curiosity, I encourage you to read the full report yourself; it is well-written and only mildly self-serving.

The theme of the Cisco report is the dynamic of cyber-attack and -defense (astute readers will recall that was the topic of a very recent blog post). The Cisco report not only does a good job covering attackers and defenders, it also pays attention to the masses:

“Caught in the middle are the users. But now, it appears they not only are the targets, but also the complicit enablers of attacks.”

How’s that for empathy? “Damn shame you users are stuck between attackers trying to compromise your systems and IT people trying to protect your systems (sotto voce: reducing your productivity in the process). But we wouldn’t be having this conversation if you users would wise up and stop the Stupid People Tricks, such as opening those iffy attachments.”

Yes, Cisco is talking about opening dubious-looking attachments and the larger threat of phishing emails (which astute readers will recall was the topic of my article last month). Phishing is the most significant threat vector, because our legacy email systems present an enormous attack surface. Unfortunately, a real side effect of the sheer mass of email we each receive daily is lower scrutiny applied to handling email.

Before we move on to Cisco’s thorough analysis and discussion of phishing attacks, it is VERY interesting to note that nowhere in the 50-plus pages does Cisco suggest modernizing the legacy email systems that make phishing attacks so successful. That is a tremendous disappointment to your author, given that my prescription for Contemporary Email relies on work started nearly twenty years ago. This is not quantum physics, folks, and before IT departments open their checkbooks to defend against phishing attacks, they might want to first consider the tremendous effectiveness of authenticated encryption implemented via S/MIME. (In moments like these, I stare at a tiny Don Quixote statue sitting next to my display … there … I feel slightly better.)

Phishing attacks have grown into the number one threat vector thanks to the availability of exploit kits—seriously—that provide hackers with an SDK to develop their spear phishing malware. And the hackers have quite a menu of exploit kits at their disposal: Blackhole, Paunch, Angler, Sweet Orange and Goon … just to name a few and guarantee that the web page you are now reading is flagged as dangerous.

Many of these exploit kits rely on two of my own most disliked platforms: Flash and Java. Genuinely helpful, take-it-to-the-bank advice from yours truly:

  1. Completely remove Java. Odds are that everything you do every day will still work just fine. The exceptions are likely outdated proprietary corporate software. Even if you manage to keep up with the seemingly daily patches, history has demonstrated beyond a shadow of a doubt that there are more flaws waiting to be exploited by hackers.
  2. Remove Flash, or at a minimum, disable it on all but your most trusted websites. Removing Flash is clearly the safest move, but may not be practical given that many websites have not gotten their act together and moved to HTML5. It is fairly easy to set the default browser behavior to disable Flash, and then manually enable it on a handful of must-have websites (Google it for directions).

Removing Java and at least disabling Flash will not only make your PC dramatically more secure, these actions will make your PC faster and more stable. Win-win, unless you are Oracle or Adobe … both of whom have had EONS to fix these sieves.

Back to the Cisco report and its conclusions on phishing:

“Spear phishing messages have evolved to the point where even experienced end-users have a hard time spotting faked messages among their authentic emails. These messages, which target specific individuals with a well-crafted message, appear to come from well-known vendors or service providers from whom users commonly receive messages—for example, delivery services, online shopping sites, and music and entertainment providers.”

During conversations at the RSA 2015 Conference, I learned that the most advanced exploit kits data mine social media sites. Using information from Facebook, for example, phishing messages appear to come from trusted friends with the added realism of citing facts in recent postings. Using corporate information gleaned from LinkedIn, alternatively, phishing messages appear to come from executives up the food chain from the target. (Don Quixote here, briefly: the scary techniques outlined in this paragraph are neutralized by authenticated S/MIME mail. Spoofing an email address is falling-over-simple; spoofing a digital signature is many, MANY orders of magnitude more difficult.)
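The S/MIME point made here and earlier in the article can be checked from the recipient's side with the `openssl smime` command; the script below is an added illustration, not something from the Cisco report. It assumes a self-signed certificate standing in for a CA-issued S/MIME identity, and the names, addresses and message text are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added illustration: identities, addresses and message text are constructed.
WORK=$(mktemp -d)

# make_identity NAME: self-signed cert + key (stand-in for a CA-issued identity)
make_identity() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# sign_as NAME OUTFILE: sign with NAME's key. The From: header claims the CEO
# either way, because mail headers sit outside the signed portion.
sign_as() {
  printf 'Please wire the funds today.\n' > "$WORK/body.txt"
  openssl smime -sign -text -in "$WORK/body.txt" \
    -signer "$WORK/$1.crt" -inkey "$WORK/$1.key" \
    -from 'ceo@example.test' -to 'staff@example.test' -subject 'Urgent' \
    -out "$2" 2>/dev/null
}

# tamper IN OUT: change the signed body after signing
tamper() { sed 's/today/to a new account/' "$1" > "$2"; }

# verify_from_ceo FILE: succeed only if the signature is intact and chains to
# the one certificate the recipient trusts for the CEO
verify_from_ceo() {
  openssl smime -verify -in "$1" -CAfile "$WORK/ceo.crt" -out /dev/null 2>/dev/null
}

make_identity ceo
make_identity forger
sign_as ceo    "$WORK/genuine.eml"
sign_as forger "$WORK/forged.eml"
tamper "$WORK/genuine.eml" "$WORK/tampered.eml"

for f in genuine forged tampered; do
  if verify_from_ceo "$WORK/$f.eml"; then
    echo "$f: signature verified"
  else
    echo "$f: REJECTED"
  fi
done
```

All three messages carry the same `From: ceo@example.test` header, yet only the one signed with the trusted key verifies.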

All of these ‘effectiveness’ factors, multiplied by the sheer mass of daily email, will keep spear phishing as the number one attack vector for years to come.

Moving on, there ARE significant threats other than phishing emails. Take sheer frickin’ laziness for example; in a broad survey of the Internet, Cisco found that:

“56% of devices indexed are using versions of OpenSSL more than 50 months old”

Remember Heartbleed? Of course you do! You read about it right here just over a year back. Now I have no delusions of blogging grandeur, so don’t get ANY ideas that I am remotely implying “I told you so.” Heartbleed was on the evening news, for crying out loud. Here we are, over one year later, and only half of the devices on the Internet running OpenSSL have been patched. (Note that ‘devices’ include more than web servers; your home Wi-Fi router may be running OpenSSL. You have absolutely nothing to worry about, of course, because I know that EVERYONE who reads this blog patches router firmware regularly.)

Forget the cyber-attackers, the supposed cyber-defenders are frightening enough: that 56% figure is seriously scary.

Last, but by no means least, the Cisco report addresses “Geopolitical and Industry Trends” and casually name-drops:

“Edward Snowden’s allegations about U.S. government surveillance overreach, data sovereignty, and data localization have become hot-button issues.”

Without putting their own corporate stake in the ground—which seems ludicrous, given the damage Cisco’s reputation suffered when it was revealed that their hardware was routinely modified with back doors before being shipped overseas—the Cisco report dryly notes:

“Some leading technology companies in the United States are hoping that use of end-to-end encryption will be a way to satisfy their customers’ concerns that their data be protected as it traverses the borderless Internet. The U.S. government has raised concerns, however, that such encryption will prevent its ability to protect citizens. The new director of the GCHQ, Britain’s premier signals intelligence organization, similar to the U.S. National Security Agency, even suggested that U.S. social media technology giants are aiding the efforts of terrorists by enabling them to send encrypted communications around the world.”

Even less-than-astute readers know where I stand on end-to-end encryption: I strongly believe it is a vital component of cyber-security. I included the entire paragraph above, NOT to provide the context for a full rebuttal to the ‘1984’ doublethink from GCHQ … I will let you reach your own conclusions.

The report concludes with the “Cisco Security Manifesto: Basic Principles for Achieving Real-World Security”:

  • Security must be considered a growth engine for the business
  • Security must work with existing architecture, and be usable
  • Security must be transparent and informative
  • Security must enable visibility and appropriate action
  • Security must be viewed as a “people problem”

Those bullets are reasonably good guidelines or at least a great starting point. Kudos to Cisco for assembling a reasonably balanced (and only MILDLY self-serving) report on the cyber-security landscape. Genuinely good stuff …
