Large companies have large pools of resources. Occasionally, those resources document their work in a relatively coherent manner. And sometimes, these documents make for worthwhile reading. Such is the case with the document under discussion here: the Cisco 2015 Annual Security Report,
“which presents the research, insights, and perspectives provided by Cisco Security Research and other security experts within Cisco”
and weighs in at a tidy 50-plus pages; this blog post is considerably shorter. If this article piques your curiosity, I encourage you to read the full report yourself; it is well-written and only mildly self-serving.
The theme of the Cisco report is the dynamic of cyber-attack and cyber-defense (astute readers will recall that was the topic of a very recent blog post). The Cisco report not only does a good job covering attackers and defenders, it also pays attention to the masses:
“Caught in the middle are the users. But now, it appears they not only are the targets, but also the complicit enablers of attacks.”
How’s that for empathy? “Damn shame you users are stuck between attackers trying to compromise your systems and IT people trying to protect your systems (sotto voce: reducing your productivity in the process). But we wouldn’t be having this conversation if you users would wise up and stop the Stupid People Tricks, such as opening those iffy attachments.”
Yes, Cisco is talking about opening dubious-looking attachments and the larger threat of phishing emails (which astute readers will recall was the topic of my article last month). Phishing is the most significant threat vector because our legacy email systems present an enormous attack surface: SMTP authenticates nothing, so any sender can put any address in the From: header, and whatever link or attachment arrives lands in a client that will happily open it. Unfortunately, a real side effect of the sheer mass of email we each receive daily is lower scrutiny applied to handling each message.
Before we move on to Cisco’s thorough analysis and discussion of phishing attacks, it is VERY interesting to note that nowhere in the 50-plus pages does Cisco suggest modernizing the legacy email systems that make phishing attacks so successful. That is a tremendous disappointment to your author, given that my prescription for Contemporary Email relies on work started nearly twenty years ago. This is not quantum physics, folks, and before IT departments open their checkbooks to defend against phishing attacks, they might want to first consider the tremendous effectiveness of S/MIME, which gives every message a digital signature (so the recipient’s client can verify who actually sent it and that it was not altered in transit) and, optionally, encryption. (In moments like these, I stare at a tiny Don Quixote statue sitting next to my display … there … I feel slightly better.)
Phishing attacks have grown into the number one threat vector thanks to the ready availability of exploit kits (seriously): packaged, web-hosted attack frameworks that fingerprint a visitor’s browser and plugins, serve an exploit matching whatever is unpatched, and drop the malware of the buyer’s choice. The phishing email only has to get the target to click a link or open a booby-trapped attachment; the kit does the rest. And attackers have quite a menu of kits at their disposal: Blackhole (whose author, known as Paunch, was arrested in 2013), Angler, Sweet Orange and Goon … just to name a few and guarantee that the web page you are now reading is flagged as dangerous.
Many of these exploit kits rely on two of my own most disliked platforms: Flash and Java. Genuinely helpful, take-it-to-the-bank advice from yours truly:
- Completely remove Java. Exploit kits target the Java browser plugin, and removing the whole runtime removes the plugin with it. Odds are that everything you do every day will still work just fine; the exceptions are likely to be outdated proprietary corporate applications. Even if you manage to keep up with the seemingly daily patches, history has demonstrated beyond a shadow of a doubt that more flaws are waiting to be exploited by hackers.
- Remove Flash, or at a minimum disable it on all but your most trusted websites. Removing Flash is clearly the safest move, but it may not be practical given that many websites have not gotten their act together and moved to HTML5. It is fairly easy to set the browser to click-to-play (Flash stays disabled until you explicitly activate it on a page) and then allow it on a handful of must-have websites; every major browser documents how.
Removing Java and at least disabling Flash will not only make your PC dramatically more secure, these actions will make your PC faster and more stable. Win-win, unless you are Oracle or Adobe … both of whom have had EONS to fix these sieves.
Back to the Cisco report and its conclusions on phishing:
“Spear phishing messages have evolved to the point where even experienced end-users have a hard time spotting faked messages among their authentic emails. These messages, which target specific individuals with a well-crafted message, appear to come from well-known vendors or service providers from whom users commonly receive messages—for example, delivery services, online shopping sites, and music and entertainment providers.”
During conversations at the RSA 2015 Conference, I learned that the most advanced phishing operations data-mine social media sites. Using information from Facebook, for example, phishing messages appear to come from trusted friends, with the added realism of citing facts from recent postings. Using corporate information gleaned from LinkedIn, phishing messages appear to come from executives up the food chain from the target. (Don Quixote here, briefly: the scary techniques outlined in this paragraph are neutralized by signed S/MIME mail. Spoofing an email address is falling-over-simple; forging a valid digital signature means getting hold of the sender’s private key, which is many, MANY orders of magnitude more difficult.)
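The S/MIME argument made above (and earlier, where the post contrasts spoofing a From: line with forging a signature) is easy to see with the openssl command line. The script below is an added example, not part of the original post or the Cisco report: Alice, Bob, the self-signed certificate and the message text are constructed for the demo, and it assumes only that the openssl CLI (1.1 or 3.x) is on PATH. It signs a message, verifies it, then alters the body the way an attacker who already controls the From: header would, and shows that verification fails.

```shell
#!/bin/sh
# Added example: S/MIME signing and verification with the openssl CLI.
# Assumes openssl (1.1 or 3.x) is on PATH. Alice, Bob, the certificate
# and the message body are constructed for this demo.
set -e

smime_demo() {
    dir=$(mktemp -d)

    # 1. Alice's signing certificate. Self-signed here; in a real deployment
    #    a CA that Bob's mail client already trusts would issue it.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Alice Example/emailAddress=alice@example.com" \
        -keyout "$dir/alice.key" -out "$dir/alice.crt" >/dev/null 2>&1

    # 2. The body Alice actually wrote (constructed sample).
    printf 'See you at noon.\n' > "$dir/body.txt"

    # 3. Sign. The default output is multipart/signed: the body stays readable
    #    and a detached CMS signature (plus Alice's cert) travels alongside it.
    #    -from/-to/-subject are written OUTSIDE the signed part, as in real mail.
    openssl smime -sign -text -in "$dir/body.txt" -signer "$dir/alice.crt" \
        -inkey "$dir/alice.key" -from alice@example.com -to bob@example.com \
        -subject "Lunch" -out "$dir/signed.eml"

    # 4. Bob verifies with Alice's cert pinned as the trust anchor. The exit
    #    status is non-zero if the signature or the chain does not check out.
    openssl smime -verify -in "$dir/signed.eml" -CAfile "$dir/alice.crt" \
        -out "$dir/verified.txt" >/dev/null 2>&1 \
        || { echo "FAIL: genuine message did not verify"; return 1; }

    # 5. An attacker who can forge From: (trivial in plain SMTP) rewrites the
    #    body in transit. The signed digest no longer matches, so -verify fails.
    sed 's/See you at noon\./Wire 10,000 USD to account 12345 today./' \
        "$dir/signed.eml" > "$dir/tampered.eml"
    if openssl smime -verify -in "$dir/tampered.eml" -CAfile "$dir/alice.crt" \
        -out /dev/null >/dev/null 2>&1; then
        echo "FAIL: tampered message verified"
        return 1
    fi

    rm -rf "$dir"
    echo "OK: genuine message verified, tampered message rejected"
    return 0
}

smime_demo
```

Two caveats a practitioner should keep in mind. The From:, To: and Subject: headers sit outside the signed part (openssl puts them there on purpose), so the mail client must compare the From: address with the e-mail address in the signer’s certificate; otherwise an attacker can sign a message with their own perfectly valid certificate and type the executive’s name into From:. And the trust anchor matters: verifying with -noverify, or trusting whatever certificate the message carries, accepts any signer, which is exactly the case the signature was supposed to rule out.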
All of these ‘effectiveness’ factors, multiplied by the sheer mass of daily email, will keep spear phishing as the number one attack vector for years to come.
Moving on, there ARE significant threats other than phishing emails. Take sheer frickin’ laziness for example; in a broad survey of the Internet, Cisco found that:
“56% of devices indexed are using versions of OpenSSL more than 50 months old”
Remember Heartbleed? Of course you do! You read about it right here just over a year back. Now I have no delusions of blogging grandeur, so don’t get ANY ideas that I am remotely implying “I told you so.” Heartbleed was on the evening news, for crying out loud. Here we are, over one year later, and more than half of the OpenSSL-bearing devices Cisco indexed are running builds released before the 1.0.1 branch even existed (Heartbleed arrived with 1.0.1 in March 2012; anything more than 50 months old in late 2014 is 0.9.8 or early 1.0.0). Those builds were never vulnerable to Heartbleed itself, but they have missed every security fix released since, and a device that has not been updated in four-plus years has almost certainly not been patched for anything else either. (Note that ‘devices’ include more than web servers; your home Wi-Fi router may be running OpenSSL. You have absolutely nothing to worry about, of course, because I know that EVERYONE who reads this blog patches router firmware regularly.)
Forget the cyber-attackers, the supposed cyber-defenders are frightening enough: that 56% figure is seriously scary.
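To make Cisco’s “more than 50 months old” metric concrete, here is an added example (mine, not Cisco’s and not from the original post) that triages an inventory of OpenSSL version strings: it flags versions in the Heartbleed range (1.0.1 through 1.0.1f; 1.0.1g fixed CVE-2014-0160) and versions whose branch shipped more than 50 months before a chosen as-of date. The inventory lines, host names and the as-of date (January 2015, when the report appeared) are constructed; the release months come from the public OpenSSL release history and are kept at branch granularity, which slightly understates the age of late letter releases. Unknown branches (for instance 0.9.7) are reported rather than guessed.

```shell
#!/bin/sh
# Added example: triage OpenSSL version strings for age and Heartbleed.
# Inventory, host names and as-of date are constructed for this demo.
set -e

# Year and month the first release of a version's branch shipped
# (OpenSSL release history, branch granularity). Unknown branch -> status 1.
openssl_branch_release() {
    case "$1" in
        0.9.8*) echo "2005 7" ;;   # 0.9.8, 5 July 2005
        1.0.0*) echo "2010 3" ;;   # 1.0.0, 29 March 2010
        1.0.1*) echo "2012 3" ;;   # 1.0.1, 14 March 2012 (heartbeat ext. added)
        1.0.2*) echo "2015 1" ;;   # 1.0.2, 22 January 2015
        *) return 1 ;;
    esac
}

# Age in whole months of VERSION ($1) as of YEAR ($2) MONTH ($3).
openssl_age_months() {
    rel=$(openssl_branch_release "$1") || return 1
    set -- "$2" "$3" $rel          # $1 asof-year $2 asof-month $3 rel-year $4 rel-month
    echo $(( ($1 - $3) * 12 + ($2 - $4) ))
}

# CVE-2014-0160 (Heartbleed) affects 1.0.1 through 1.0.1f. 0.9.8 and 1.0.0
# never had the TLS heartbeat extension, so "old" does not mean "Heartbleed".
openssl_heartbleed_vulnerable() {
    case "$1" in
        1.0.1|1.0.1[a-f]) return 0 ;;
        *) return 1 ;;
    esac
}

# Tags for one version: HEARTBLEED and/or STALE (age > 50 months), or
# UNKNOWN-VERSION when the branch is not in the table. Empty means clean.
openssl_flags() {   # $1 version, $2 as-of year, $3 as-of month
    tags=""
    if openssl_heartbleed_vulnerable "$1"; then tags="HEARTBLEED"; fi
    if age=$(openssl_age_months "$1" "$2" "$3"); then
        if [ "$age" -gt 50 ]; then tags="${tags:+$tags }STALE"; fi
    else
        tags="${tags:+$tags }UNKNOWN-VERSION"
    fi
    echo "$tags"
}

# Read "host version" lines on stdin and print one classified line each,
# followed by a summary. $1 = as-of year, $2 = as-of month.
openssl_triage() {
    flagged=0; total=0
    while read -r host ver; do
        [ -n "$host" ] || continue
        total=$((total + 1))
        tags=$(openssl_flags "$ver" "$1" "$2")
        [ -z "$tags" ] || flagged=$((flagged + 1))
        printf '%-18s %-8s %s\n' "$host" "$ver" "${tags:-ok}"
    done
    printf 'flagged: %d of %d devices\n' "$flagged" "$total"
    return 0
}

# Constructed sample inventory (host, OpenSSL version as reported by the device).
INVENTORY='www.example.net 1.0.1e
vpn.example.net 1.0.1k
router-home 0.9.8e
legacy-app 1.0.0d
api.example.net 1.0.2
printer-3f 0.9.7m'

printf '%s\n' "$INVENTORY" | openssl_triage 2015 1
```

Run as-is it prints one line per device and a summary; feed it real data by piping in the output of whatever inventory you have (a configuration management export, banner grabs, or `openssl version` collected over SSH). Note which devices land in which bucket: the Heartbleed-vulnerable host is a recent 1.0.1 letter release, while the stale ones are pre-2012 branches that Heartbleed never touched, which is the distinction the 56% figure tends to get flattened into.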
Last, but by no means least, the Cisco report addresses “Geopolitical and Industry Trends” and casually name-drops:
“Edward Snowden’s allegations about U.S. government surveillance overreach, data sovereignty, and data localization have become hot-button issues.”
Without putting their own corporate stake in the ground (which seems ludicrous, given the damage Cisco’s reputation suffered when Snowden-leaked documents showed the NSA intercepting Cisco hardware in transit and implanting back doors before the gear reached overseas customers), the Cisco report dryly notes:
“Some leading technology companies in the United States are hoping that use of end-to-end encryption will be a way to satisfy their customers’ concerns that their data be protected as it traverses the borderless Internet. The U.S. government has raised concerns, however, that such encryption will prevent its ability to protect citizens. The new director of the GCHQ, Britain’s premier signals intelligence organization, similar to the U.S. National Security Agency, even suggested that U.S. social media technology giants are aiding the efforts of terrorists by enabling them to send encrypted communications around the world.”
Even less-than-astute readers know where I stand on end-to-end encryption: I strongly believe it is a vital component of cyber-security. I included the entire paragraph above not to set up a full rebuttal of the ‘1984’ doublethink from GCHQ, but to let you reach your own conclusions.
The report concludes with the “Cisco Security Manifesto: Basic Principles for Achieving Real-World Security”:
- Security must be considered a growth engine for the business
- Security must work with existing architecture, and be usable
- Security must be transparent and informative
- Security must enable visibility and appropriate action
- Security must be viewed as a “people problem”
Those bullets are reasonably good guidelines or at least a great starting point. Kudos to Cisco for assembling a reasonably balanced (and only MILDLY self-serving) report on the cyber-security landscape. Genuinely good stuff …