feature article
Subscribe Now

Report on the Cisco 2015 Annual Security Report

A Reasonably Comprehensive Overview, with a Minimum of Self-Serving Corporate Promotion

Large companies have large pools of resources. Occasionally, those resources document their work in a relatively coherent manner. And sometimes, these documents make for worthwhile reading. Such is the case now under discussion here: The Cisco 2015 Annual Security Report

“which presents the research, insights, and perspectives provided by Cisco Security Research and other security experts within Cisco”

and weighs in at a tidy 50-plus pages; this blog post is considerably shorter. If this article piques your curiosity, I encourage you to read the full report yourself; it is well-written and only mildly self-serving.

The theme of the Cisco report is the dynamic of cyber-attack and –defense (astute readers will recall that was the topic of a very recent blog post). The Cisco report not only does a good job covering attackers and defenders, it also pays attention to the masses:

“Caught in the middle are the users. But now, it appears they not only are the targets, but also the complicit enablers of attacks.”

How’s that for empathy? “Damn shame you users are stuck between attackers trying to compromise your systems and IT people trying to protect your systems (sotto voce: reducing your productivity in the process). But we wouldn’t be having this conversation if you users would wise up and stop the Stupid People Tricks, such as opening those iffy attachments.”

Yes, Cisco is talking about opening dubious-looking attachments and the larger threat of phishing emails (which astute readers will recall was the topic of my article last month). Phishing is the most significant threat vector, because our legacy email systems present an enormous attack surface. Unfortunately, a real side effect of the sheer mass of email we each receive daily is lower scrutiny applied to handling email.

Before we move on to Cisco’s thorough analysis and discussion of phishing attacks, it is VERY interesting to note that nowhere in the 50-plus pages does Cisco suggest modernizing the legacy email systems that make phishing attacks so successful. That is a tremendous disappointment to your author, given that my prescription for Contemporary Email relies on work started nearly twenty years ago. This is not quantum physics, folks, and before IT departments open their checkbooks to defend against phishing attacks, they might want to first consider the tremendous effectiveness of authenticated encryption implemented via S/MIME. (In moments like these, I stare at a tiny Don Quixote statue sitting next to my display … there … I feel slightly better.

Phishing attacks have grown into the number one threat vector thanks to the availability of exploit kits—seriously—that provide hackers with an SDK to develop their spear phishing malware. And the hackers have quite a menu of exploit kits at their disposal: Backhole, Paunch, Angler, Sweet Orange and Goon … just to name a few and guarantee that the web page you are now reading is flagged as dangerous.

Many of these exploit kits rely on two of my own most disliked platforms: Flash and Java. Genuinely helpful, take-it-to-the-bank advice from yours truly:

  1. Completely remove Java. Odds are that everything you do every day will still work just fine. The exceptions are likely outdated proprietary corporate software. Even if you manage to keep up with the seemingly daily patches, history has demonstrated beyond a shadow of a doubt that there are more flaws waiting to exploited by hackers.
  2. Remove Flash, or at a minimum, disable it on all but your most trusted websites. Removing Flash is clearly the safest move, but may not be practical given that many websites have not gotten their act together and moved to HTML5. It is fairly easy to set the default browser behavior to disable Flash, and then manually enable it on a handful of must-have websites (Google it for directions).

Removing Java and at least disabling Flash will not only make your PC dramatically more secure, these actions will make your PC faster and more stable. Win-win, unless you are Oracle or Adobe … both of whom have had EONS to fix these sieves.

Back to the Cisco report and its conclusions on phishing:

“Spear phishing messages have evolved to the point where even experienced end-users have a hard time spotting faked messages among their authentic emails. These messages, which target specific individuals with a well-crafted message, appear to come from well-known vendors or service providers from whom users commonly receive messages—for example, delivery services, online shopping sites, and music and entertainment providers.”

During conversations at the RSA 2015 Conference, I learned that the most advanced exploit kits data mine social media sites. Using information from Facebook, for example, phishing messages appear to come from trusted friends with the added realism of citing facts in recent postings. Using corporate information gleaned from LinkedIn, alternatively, phishing messages appear to come from executives up the food chain from the target. (Don Quixote here, briefly: the scary techniques outlined in this paragraph are neutralized by authenticated S/MIME mail. Spoofing an email address is falling-over-simple; spoofing a digital signature is many, MANY orders of magnitude more difficult.)

All of these ‘effectiveness’ factors, multiplied by the sheer mass of daily email, will keep spear phishing as the number one attack vector for years to come.

Moving on, there ARE significant threats other than phishing emails. Take sheer frickin’ laziness for example; in a broad survey of the Internet, Cisco found that:

“56% of devices indexed are using versions of OpenSSL more than 50 months old”

Remember Heartbleed? Of course you do! You read about it right here just over a year back. Now I have no delusions of blogging grandeur, so don’t get ANY ideas that I am remotely implying “I told you so.” Heartbleed was on the evening news, for crying out loud. Here we are, over one year later, and only half of the devices on the Internet running OpenSSL have been patched. (Note that ‘devices’ include more than web servers; your home Wi-Fi router may be running OpenSSL. You have absolutely nothing to worry about, of course, because I know that EVERYONE who reads this blog patches router firmware regularly.)

Forget the cyber-attackers, the supposed cyber-defenders are frightening enough: that 56% figure is seriously scary.

Last, but by no means least, the Cisco report addresses “Geopolitical and Industry Trends” and casually name-drops:

“Edward Snowden’s allegations about U.S. government surveillance overreach, data sovereignty, and data localization have become hot-button issues.”

Without putting their own corporate stake in the ground—which seems ludicrous, given the damage Cisco’s reputation suffered when it was revealed that their hardware was routinely modified with back doors before being shipped overseas—the Cisco report dryly notes:

“Some leading technology companies in the United States are hoping that use of end-to-end encryption will be a way to satisfy their customers’ concerns that their data be protected as it traverses the borderless Internet. The U.S. government has raised concerns, however, that such encryption will prevent its ability to protect citizens. The new director of the GCHQ, Britain’s premier signals intelligence organization, similar to the U.S. National Security Agency, even suggested that U.S. social media technology giants are aiding the efforts of terrorists by enabling them to send encrypted communications around the world.”

Even less-than-astute readers know where I stand on end-to-end encryption: I strongly believe it is a vital component of cyber-security. I included the entire paragraph above, NOT to provide the context for a full rebuttal to the ‘1984’ doublethink from GCHQ … I will let you reach your own conclusions.

The report concludes with the “Cisco Security Manifesto: Basic Principles for Achieving Real-World Security”:

  • Security must be considered a growth engine for the business
  • Security must work with existing architecture, and be usable
  • Security must be transparent and informative
  • Security must enable visibility and appropriate action
  • Security must be viewed as a “people problem”

Those bullets are reasonably good guidelines or at least a great starting point. Kudos to Cisco for assembling a reasonably balanced (and only MILDLY self-serving) report on the cyber-security landscape. Genuinely good stuff …

Leave a Reply

featured blogs
Jan 26, 2023
Are you experienced in using SVA? It's been around for a long time, and it's tempting to think there's nothing new to learn. Have you ever come across situations where SVA can't solve what appears to be a simple problem? What if you wanted to code an assertion that a signal r...
Jan 24, 2023
We explain embedded magnetoresistive random access memory (eMRAM) and its low-power SoC design applications as a non-volatile memory alternative to SRAM & Flash. The post Why Embedded MRAMs Are the Future for Advanced-Node SoCs appeared first on From Silicon To Software...
Jan 19, 2023
Are you having problems adjusting your watch strap or swapping out your watch battery? If so, I am the bearer of glad tidings....
Jan 16, 2023
By Slava Zhuchenya So your net trace has too much parasitic resistance. Where is it coming from? You ran your… ...

featured video

Synopsys 224G & 112G Ethernet PHY IP OIF Interop at ECOC 2022

Sponsored by Synopsys

This Featured Video shows four demonstrations of the Synopsys 224G and 112G Ethernet PHY IP long and medium reach performance, interoperating with third-party channels and SerDes.

Learn More

featured chalk talk

Twinax Flyover Systems for Next Gen Speeds

Sponsored by Samtec

As the demand for higher and higher speed connectivity increases, we need to look at our interconnect solutions to help solve the design requirements inherent with these kinds of designs. In this episode of Chalk Talk, Amelia Dalton and Matthew Burns from Samtec discuss how Samtec’s Flyover technology is helping solve our high speed connectivity needs. They take closer look at how Samtec’s Flyover technology helps solve the issue with PCB reach, the details of FLYOVER® QSFP SYSTEM, and how this cost effective, high–performance and heat efficient can help you with the challenges of your 56 Gbps bandwidths and beyond design.

Click here for more information about Twinax Flyover® Systems for Next Gen Speeds