
Report on the Cisco 2015 Annual Security Report

A Reasonably Comprehensive Overview, with a Minimum of Self-Serving Corporate Promotion

Large companies have large pools of resources. Occasionally, those resources document their work in a relatively coherent manner. And sometimes, these documents make for worthwhile reading. Such is the case with the document under discussion here: the Cisco 2015 Annual Security Report,

“which presents the research, insights, and perspectives provided by Cisco Security Research and other security experts within Cisco”

and weighs in at a tidy 50-plus pages; this blog post is considerably shorter. If this article piques your curiosity, I encourage you to read the full report yourself; it is well-written and only mildly self-serving.

The theme of the Cisco report is the dynamic of cyber-attack and cyber-defense (astute readers will recall that was the topic of a very recent blog post). The Cisco report not only does a good job covering attackers and defenders, it also pays attention to the masses:

“Caught in the middle are the users. But now, it appears they not only are the targets, but also the complicit enablers of attacks.”

How’s that for empathy? “Damn shame you users are stuck between attackers trying to compromise your systems and IT people trying to protect your systems (sotto voce: reducing your productivity in the process). But we wouldn’t be having this conversation if you users would wise up and stop the Stupid People Tricks, such as opening those iffy attachments.”

Yes, Cisco is talking about opening dubious-looking attachments and the larger threat of phishing emails (which astute readers will recall was the topic of my article last month). Phishing is the most significant threat vector because our legacy email systems present an enormous attack surface: any sender can put any address in the From line, and nothing in the protocol stops them. A real side effect of the sheer volume of email we each receive daily is that each individual message gets less scrutiny.

Before we move on to Cisco’s thorough analysis and discussion of phishing attacks, it is VERY interesting to note that nowhere in the 50-plus pages does Cisco suggest modernizing the legacy email systems that make phishing attacks so successful. That is a tremendous disappointment to your author, given that my prescription for Contemporary Email relies on work started nearly twenty years ago. This is not quantum physics, folks, and before IT departments open their checkbooks to defend against phishing attacks, they might want to first consider the tremendous effectiveness of digitally signed (and, where warranted, encrypted) email via S/MIME. (In moments like these, I stare at a tiny Don Quixote statue sitting next to my display … there … I feel slightly better.)

Phishing attacks have grown into the number one threat vector thanks to the availability of exploit kits—seriously—packaged, web-hosted frameworks that fingerprint a visitor’s browser and plugins and serve up a matching exploit, so the phishing email itself only has to get the target to click a link. And the hackers have quite a menu of exploit kits at their disposal: Blackhole (whose author, known as Paunch, was arrested in 2013), Angler, Sweet Orange and Goon … just to name a few and guarantee that the web page you are now reading is flagged as dangerous.

Many of these exploit kits target two of my own most disliked platforms: Flash and Java. Genuinely helpful, take-it-to-the-bank advice from yours truly:

  1. Completely remove Java. Odds are that everything you do every day will still work just fine. The exceptions are likely outdated proprietary corporate software. Even if you manage to keep up with the seemingly daily patches, history has demonstrated beyond a shadow of a doubt that there are more flaws waiting to be exploited by hackers.
  2. Remove Flash, or at a minimum, disable it on all but your most trusted websites. Removing Flash is clearly the safest move, but may not be practical given that many websites have not gotten their act together and moved to HTML5. It is fairly easy to set the browser’s default plugin behavior to “click to play” (blocked until you explicitly allow it), and then whitelist a handful of must-have websites (Google it for directions for your browser).

Removing Java and at least disabling Flash will not only make your PC dramatically more secure, these actions will make your PC faster and more stable. Win-win, unless you are Oracle or Adobe … both of whom have had EONS to fix these sieves.

Back to the Cisco report and its conclusions on phishing:

“Spear phishing messages have evolved to the point where even experienced end-users have a hard time spotting faked messages among their authentic emails. These messages, which target specific individuals with a well-crafted message, appear to come from well-known vendors or service providers from whom users commonly receive messages—for example, delivery services, online shopping sites, and music and entertainment providers.”

During conversations at the RSA 2015 Conference, I learned that the most advanced exploit kits data-mine social media sites. Using information from Facebook, for example, phishing messages appear to come from trusted friends with the added realism of citing facts from recent postings. Using corporate information gleaned from LinkedIn, alternatively, phishing messages appear to come from executives up the food chain from the target. (Don Quixote here, briefly: the scary techniques outlined in this paragraph are neutralized by signed S/MIME mail. Spoofing an email address is falling-over-simple; forging a valid digital signature requires the sender’s private key, which is many, MANY orders of magnitude more difficult.)

All of these ‘effectiveness’ factors, multiplied by the sheer mass of daily email, will keep spear phishing as the number one attack vector for years to come.
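To make the point about spoofed addresses versus forged signatures concrete, here is an added example (mine, not Cisco’s and not anything from the report) that strips the mechanism down to its core. Real S/MIME wraps the message in a CMS structure and binds the signing key to an X.509 certificate; this stand-in uses a raw Ed25519 key pair and a tiny trust store keyed by sender address, and the addresses, subject and body are constructed for the demonstration. The important design point survives the simplification: the From, To and Subject headers are part of the signed bytes, so a valid signature cannot be replayed under a different sender or with an edited body.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)

// Message is a minimal mail: the headers we care about, the body, and a
// detached signature over the canonical form.
type Message struct {
	From, To, Subject, Body string
	Signature               []byte
}

// canonical builds the exact bytes that get signed. Binding From/To/Subject
// into the signed data is what stops an attacker from re-using a genuine
// signature under a spoofed sender address.
func canonical(m Message) []byte {
	return []byte(strings.Join([]string{
		"from:" + strings.ToLower(strings.TrimSpace(m.From)),
		"to:" + strings.ToLower(strings.TrimSpace(m.To)),
		"subject:" + strings.TrimSpace(m.Subject),
		"", m.Body}, "\n"))
}

// Sign attaches the sender's signature to the message.
func Sign(m Message, priv ed25519.PrivateKey) Message {
	m.Signature = ed25519.Sign(priv, canonical(m))
	return m
}

// Verify checks the signature against the key the recipient trusts for the
// claimed From address. The trusted map plays the role of the S/MIME
// certificate store: a spoofed From line that has no key behind it fails.
func Verify(m Message, trusted map[string]ed25519.PublicKey) bool {
	pub, ok := trusted[strings.ToLower(strings.TrimSpace(m.From))]
	if !ok || len(m.Signature) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, canonical(m), m.Signature)
}

func keygen() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Demo runs the scenario from the article: a genuine signed message from the
// CEO, then the three things a spear phisher can try with it. Only the genuine
// message verifies. Addresses and text are constructed sample data.
func Demo() (genuine, spoofedFrom, tamperedBody, attackerSigned bool) {
	ceoPub, ceoPriv := keygen()
	_, attackerPriv := keygen()
	trusted := map[string]ed25519.PublicKey{"ceo@example.com": ceoPub}

	orig := Sign(Message{From: "ceo@example.com", To: "cfo@example.com",
		Subject: "Wire transfer", Body: "Please pay invoice 4711 today."}, ceoPriv)
	genuine = Verify(orig, trusted)

	// 1. The falling-over-simple spoof: forge the From line, no signature at all.
	spoof := Message{From: "ceo@example.com", To: "cfo@example.com",
		Subject: "Wire transfer", Body: "Please pay invoice 4711 to this new account."}
	spoofedFrom = Verify(spoof, trusted)

	// 2. Replay a captured genuine message with an edited body.
	tampered := orig
	tampered.Body = spoof.Body
	tamperedBody = Verify(tampered, trusted)

	// 3. Sign the spoofed message with the attacker's own key; it is not the
	//    key the recipient trusts for ceo@example.com.
	attackerSigned = Verify(Sign(spoof, attackerPriv), trusted)
	return
}

func main() {
	g, s, t, a := Demo()
	fmt.Printf("genuine=%v spoofed-from=%v tampered-body=%v attacker-signed=%v\n", g, s, t, a)
}
```

The recipient-side trust store is the crux: the scheme is only as good as the binding between an address and its public key, which is exactly the job S/MIME certificates (and the CA or directory that issues them) do in the real protocol.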

Moving on, there ARE significant threats other than phishing emails. Take sheer frickin’ laziness for example; in a broad survey of the Internet, Cisco found that:

“56% of devices indexed are using versions of OpenSSL more than 50 months old”

Remember Heartbleed? Of course you do! You read about it right here just over a year back. Now I have no delusions of blogging grandeur, so don’t get ANY ideas that I am remotely implying “I told you so.” Heartbleed was on the evening news, for crying out loud. Here we are, over one year later, and more than half of the OpenSSL-bearing devices Cisco indexed are running builds more than four years old. Whether or not a given build was ever Heartbleed-vulnerable (the bug lived in the 1.0.1 branch, 1.0.1 through 1.0.1f), four years of unapplied fixes is a lot of fixes. (Note that ‘devices’ include more than web servers; your home Wi-Fi router may be running OpenSSL. You have absolutely nothing to worry about, of course, because I know that EVERYONE who reads this blog patches router firmware regularly.)

Forget the cyber-attackers, the supposed cyber-defenders are frightening enough: that 56% figure is seriously scary.
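How does one arrive at a number like Cisco’s in the first place? Largely by reading what servers volunteer about themselves. The following is an added example (my own, not Cisco’s methodology or code) that parses the OpenSSL version out of HTTP Server banners, flags the Heartbleed-affected range (OpenSSL 1.0.1 through 1.0.1f; 1.0.1g is the fix), and buckets everything older than a chosen cutoff as “old”. The banner lines are constructed for the example, and the cutoff of 1.0.1g is an assumption you would replace with whatever “too old” means for your fleet.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// sampleBanners are constructed HTTP Server banners, in the form a scanner
// records them; they are not Cisco's data.
var sampleBanners = []string{
	"Apache/2.2.15 (CentOS) OpenSSL/0.9.8e-fips-rhel5 mod_ssl/2.2.15",
	"Apache/2.4.7 (Ubuntu) OpenSSL/1.0.1f",
	"nginx/1.6.2 OpenSSL/1.0.1k",
	"lighttpd/1.4.35 OpenSSL/1.0.2a",
	"Microsoft-IIS/7.5",
	"Apache/2.2.22 (Debian) OpenSSL/1.0.1e",
}

// openSSLRe matches "OpenSSL/1.0.1f"; pre-release tags such as 1.0.2-beta1
// (also Heartbleed-affected) are deliberately not parsed here.
var openSSLRe = regexp.MustCompile(`OpenSSL/(\d+)\.(\d+)\.(\d+)([a-z]*)`)

// Version is an OpenSSL version such as 1.0.1f: three numbers plus a letter suffix.
type Version struct {
	Major, Minor, Fix int
	Letter            string
}

func (v Version) String() string {
	return fmt.Sprintf("%d.%d.%d%s", v.Major, v.Minor, v.Fix, v.Letter)
}

// Less orders versions; the bare release sorts before its lettered patches
// (1.0.1 < 1.0.1a < 1.0.1f).
func (v Version) Less(o Version) bool {
	if v.Major != o.Major {
		return v.Major < o.Major
	}
	if v.Minor != o.Minor {
		return v.Minor < o.Minor
	}
	if v.Fix != o.Fix {
		return v.Fix < o.Fix
	}
	return v.Letter < o.Letter
}

// ParseBanner returns the OpenSSL version advertised in a Server banner,
// or ok=false when the banner names no OpenSSL at all.
func ParseBanner(banner string) (v Version, ok bool) {
	m := openSSLRe.FindStringSubmatch(banner)
	if m == nil {
		return Version{}, false
	}
	v.Major, _ = strconv.Atoi(m[1])
	v.Minor, _ = strconv.Atoi(m[2])
	v.Fix, _ = strconv.Atoi(m[3])
	v.Letter = m[4]
	return v, true
}

// Heartbleed (CVE-2014-0160) affects OpenSSL 1.0.1 through 1.0.1f; 1.0.1g is
// the fix. The 0.9.8 and 1.0.0 branches never contained the heartbeat code.
func Heartbleed(v Version) bool {
	fixed := Version{1, 0, 1, "g"}
	return v.Major == 1 && v.Minor == 0 && v.Fix == 1 && v.Less(fixed)
}

// Triage buckets banners: Heartbleed-vulnerable, merely older than cutoff,
// current, or unknown (no OpenSSL string present).
func Triage(banners []string, cutoff Version) (vuln, old, current, unknown []string) {
	for _, b := range banners {
		v, ok := ParseBanner(b)
		switch {
		case !ok:
			unknown = append(unknown, b)
		case Heartbleed(v):
			vuln = append(vuln, b)
		case v.Less(cutoff):
			old = append(old, b)
		default:
			current = append(current, b)
		}
	}
	return
}

func main() {
	vuln, old, current, unknown := Triage(sampleBanners, Version{1, 0, 1, "g"})
	fmt.Println("Heartbleed-vulnerable:", vuln)
	fmt.Println("Older than cutoff:    ", old)
	fmt.Println("Current:              ", current)
	fmt.Println("No OpenSSL in banner: ", unknown)
}
```

One caveat a practitioner should keep in mind with any banner-based census, Cisco’s included: distributions such as Red Hat and Debian backport security fixes without bumping the version string, so a banner reading “OpenSSL/1.0.1e” may or may not be vulnerable. Version-string triage is a fine way to find candidates for a follow-up check (an actual heartbeat probe, or a look at the package changelog), not a verdict on its own.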

Last, but by no means least, the Cisco report addresses “Geopolitical and Industry Trends” and casually name-drops:

“Edward Snowden’s allegations about U.S. government surveillance overreach, data sovereignty, and data localization have become hot-button issues.”

Without putting their own corporate stake in the ground—which seems ludicrous, given the damage Cisco’s reputation suffered when Snowden-leaked documents showed the NSA intercepting Cisco hardware in transit and implanting back doors before it shipped overseas—the Cisco report dryly notes:

“Some leading technology companies in the United States are hoping that use of end-to-end encryption will be a way to satisfy their customers’ concerns that their data be protected as it traverses the borderless Internet. The U.S. government has raised concerns, however, that such encryption will prevent its ability to protect citizens. The new director of the GCHQ, Britain’s premier signals intelligence organization, similar to the U.S. National Security Agency, even suggested that U.S. social media technology giants are aiding the efforts of terrorists by enabling them to send encrypted communications around the world.”

Even less-than-astute readers know where I stand on end-to-end encryption: I strongly believe it is a vital component of cyber-security. I included the entire paragraph above NOT as the setup for a full rebuttal to the ‘1984’ doublethink from GCHQ … I will let you reach your own conclusions.

The report concludes with the “Cisco Security Manifesto: Basic Principles for Achieving Real-World Security”:

  • Security must be considered a growth engine for the business
  • Security must work with existing architecture, and be usable
  • Security must be transparent and informative
  • Security must enable visibility and appropriate action
  • Security must be viewed as a “people problem”

Those bullets are reasonably good guidelines or at least a great starting point. Kudos to Cisco for assembling a reasonably balanced (and only MILDLY self-serving) report on the cyber-security landscape. Genuinely good stuff …
