Cisco’s Security Manifesto for the real world

Cisco believes security teams need to rethink strategy, to ensure that their principles assist users in resisting attacks – since the reverse is all too common now.

Cisco has released its 2015 Annual Security Report, and the findings are not good, unless you are a hacker. Some of the report’s themes are familiar. Attackers are getting better and better at what they do, and some tactics which have fallen into disuse are making a return. Ultimately however, Cisco believes that security teams themselves need to have a better grasp on their own strategy, to ensure that their own principles assist users in resisting attacks – since the reverse is all too common now.

“Attackers have become increasingly efficient in taking advantage of gaps in a security posture,” said Jason Brvenik, Principal Engineer at Cisco’s Security Business Group. “They are continuing to innovate by exploiting users at the browser and email level.”

Brvenik said that we are definitely seeing a case of “what’s old is new again” in malware.

“Spam, which had been on the decline, has increased 250 per cent, as attackers shift focus from attacks on servers and operating systems to seeking to exploit users at the browser and email level,” Brvenik said. “Spam has changed though in that while we used to see large numbers of messages coming from a smaller number of accounts, we are now seeing several messages coming from thousands of accounts – snowshoe spam. This thwarts classic reputation-based systems and increases penetration rates.” It also makes the attacker less conspicuous, and thus less likely to be targeted and shut down. The days of competing to have the largest botnet appear to be done, since the hackers want a steady source of income, not to become a target for defenders.
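The reason snowshoe spam defeats a per-sender reputation system is arithmetic: no single source ever crosses a volume threshold. The example below, added here and not part of the Cisco report or this article, builds a constructed mail log (hypothetical source addresses from documentation ranges and invented subjects) and compares three blocking rules over it: the classic per-IP count, the same count aggregated per /24, and a count keyed on a normalised content fingerprint. The thresholds and the log are assumptions for illustration.

```python
import hashlib
import ipaddress
import re
from collections import Counter


# Constructed MTA-style log of (source_ip, subject) pairs; not real traffic.
def build_sample_log():
    log = []
    # Classic botnet pattern: three senders, 200 messages each, numbered subjects.
    for i in range(600):
        log.append((f"198.51.100.{i % 3 + 1}", f"Cheap meds offer #{i}"))
    # Snowshoe pattern: 240 senders spread across three /24s, two messages each,
    # with an invoice number varied per message to defeat exact-match filters.
    blocks = ["203.0.113", "192.0.2", "198.18.0"]
    for i in range(480):
        ip = f"{blocks[i % 3]}.{(i // 3) % 80 + 1}"
        log.append((ip, f"Your invoice INV-{1000 + i} is ready for download"))
    # Legitimate traffic: 30 distinct senders, one message each.
    for i in range(30):
        log.append((f"172.16.{i}.1", f"Re: project {i} status"))
    return log


def content_fingerprint(subject):
    """Strip digits and punctuation so per-message variation collapses."""
    normalised = " ".join(re.sub(r"[^a-z ]", "", subject.lower()).split())
    return hashlib.sha256(normalised.encode()).hexdigest()[:16]


def flag_by_key(log, key_fn, threshold):
    """Generic volume rule: flag every key seen at least `threshold` times."""
    counts = Counter(key_fn(entry) for entry in log)
    return {key for key, n in counts.items() if n >= threshold}


def ip_key(entry):
    return entry[0]


def subnet_key(entry, prefix=24):
    return str(ipaddress.ip_network(f"{entry[0]}/{prefix}", strict=False))


def fingerprint_key(entry):
    return content_fingerprint(entry[1])


def per_ip_verdicts(log, threshold=50):
    """Classic reputation: block a sender once it exceeds a per-IP volume."""
    return flag_by_key(log, ip_key, threshold)


def per_subnet_verdicts(log, threshold=50):
    """Aggregate volume per /24 so many low-volume neighbours add up."""
    return flag_by_key(log, subnet_key, threshold)


def per_fingerprint_verdicts(log, threshold=50):
    """Aggregate by normalised content, independent of the sending address."""
    return flag_by_key(log, fingerprint_key, threshold)


def blocked_count(log, flagged, key_fn):
    return sum(1 for entry in log if key_fn(entry) in flagged)


def compare(log):
    """How many of the log's messages each rule would have blocked."""
    return {
        "per_ip": blocked_count(log, per_ip_verdicts(log), ip_key),
        "per_subnet": blocked_count(log, per_subnet_verdicts(log), subnet_key),
        "per_content": blocked_count(log, per_fingerprint_verdicts(log), fingerprint_key),
    }


if __name__ == "__main__":
    print(compare(build_sample_log()))
```

With these inputs the per-IP rule blocks all 600 botnet messages and none of the 480 snowshoe messages, because each snowshoe sender sits at two messages against a threshold of 50; both aggregate rules catch both campaigns while leaving the 30 legitimate messages alone. In practice the subnet rule needs care with shared hosting ranges, and the content rule needs a normalisation that survives the attacker's own template variation, which is why production filters combine several such signals.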

Malvertising, in which malicious code is delivered through ads served on otherwise trusted sites, is also on the increase.

“We saw a 250 per cent increase in malvertising in October,” Brvenik said. “The ads appear and disappear, which make it difficult for them to be caught.”

Users downloading from compromised sites contributed to a 228 per cent increase in Silverlight attacks.

Increased use is also being made of what is called the Dropper Technique.

“This is a lot more common than we think,” said Jack Pagano, Regional Manager, Cyber Security, Cisco Canada. “This is where they drop it in parts, and it’s harmless until all the files are in. It’s much harder to detect than a single piece of malware.”

The increasing networking of other devices in the Internet of Everything also gives hackers new targets and new tactics.

“There was a recent discovery that e-cigarette machines had been successfully hacked, so that when you plug one in to charge, it downloads malware,” said Steve Gindi, Account Manager, Security Sales, who has responsibility at Cisco for advanced malware in Canada.

“Organizations struggle because they don’t look at security from an architectural approach, but from a siloed approach,” Gindi said. “Today’s sophisticated malware bypasses point in time scans.”

The Cisco Security Capabilities Benchmark Study surveyed Chief Information Security Officers and Security Operations executives at 1,700 companies in nine countries, and found that the executives were bullish on their companies’ security capabilities: 75 per cent of the CISOs rated their security tools as very or extremely effective. Brvenik was dubious however, noting that the evidence indicated that even when tools were in place, they were not being used optimally.

“Patching applications remains a challenge for organizations,” he said. “56 per cent of OpenSSL versions are older than 50 months. That indicates that security teams are not patching, which is shocking, given the attention given to Heartbleed last year. Only 38 per cent of the Security Operations executives said patching was part of their defensive posture. Now that doesn’t touch on whether it was operationally done in other parts of their business, but it does speak to whether it was considered a priority.”
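The “older than 50 months” figure is a version-age metric, and a practitioner can reproduce the same kind of check from an inventory of `openssl version` banners. The following is an added example, not code from Cisco or from the report: it parses the banner format OpenSSL prints (release number, optional patch letter, optional pre-release tag, build date), flags builds in the range CVE-2014-0160 (Heartbleed) affected, and flags anything older than a configurable number of months. The hostnames are invented; the banners are the real version strings of those upstream releases, and the reference date is chosen to match the article’s timeframe.

```python
import re
from datetime import date, datetime

# "openssl version" prints e.g. "OpenSSL 1.0.1e 11 Feb 2013".
BANNER_RE = re.compile(
    r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-([A-Za-z0-9]+))?\s+(\d{1,2} \w{3} \d{4})"
)


def parse_openssl_banner(banner):
    """Split a banner into version tuple, patch letter, pre-release tag, build date."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL banner: {banner!r}")
    major, minor, fix, letter, tag, built = m.groups()
    return {
        "version": (int(major), int(minor), int(fix)),
        "letter": letter,
        "tag": tag or "",
        "built": datetime.strptime(built, "%d %b %Y").date(),
    }


def heartbleed_vulnerable(info):
    """CVE-2014-0160 affected 1.0.1 through 1.0.1f and 1.0.2-beta1; 1.0.1g fixed it.

    This matches on the upstream version only. Distribution builds often backport
    the fix while keeping the old banner (Debian's 1.0.1e-2+deb7u7 did), so a
    positive here means "check the package changelog", not "confirmed exposed".
    """
    if info["version"] == (1, 0, 1):
        return info["letter"] <= "f"   # "" (plain 1.0.1) and a..f are affected
    if info["version"] == (1, 0, 2):
        return info["tag"] == "beta1"
    return False


def months_old(built, today):
    return (today.year - built.year) * 12 + (today.month - built.month)


def audit(inventory, today, max_months=50):
    """inventory: iterable of (host, banner) pairs. Returns one finding per host."""
    findings = []
    for host, banner in inventory:
        info = parse_openssl_banner(banner)
        age = months_old(info["built"], today)
        findings.append({
            "host": host,
            "version": banner.split()[1],
            "heartbleed": heartbleed_vulnerable(info),
            "months_old": age,
            "stale": age > max_months,
        })
    return findings


# Constructed inventory: hostnames are invented, banners are real release strings.
SAMPLE_INVENTORY = [
    ("web-01", "OpenSSL 1.0.1e 11 Feb 2013"),
    ("web-02", "OpenSSL 1.0.1g 7 Apr 2014"),
    ("legacy-db", "OpenSSL 0.9.8e 23 Feb 2007"),
    ("build-box", "OpenSSL 1.0.2-beta1 24 Feb 2014"),
]


def sample_audit(today=date(2015, 1, 20)):
    """Run the audit against the constructed inventory as of a fixed date."""
    return {finding["host"]: finding for finding in audit(SAMPLE_INVENTORY, today)}


if __name__ == "__main__":
    for finding in sample_audit().values():
        print(finding)
```

Two caveats a practitioner would add to the report’s metric: a banner-based age check overstates exposure on distributions that backport fixes under the original version string, and it understates it for statically linked copies of OpenSSL inside appliances and vendor binaries that `openssl version` on the host never sees. The second group is usually the harder one to find.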

Similar results were found on other issues, indicating that only around half of security practitioners, and often fewer, use known effective practices. Only 43 per cent routinely practiced identity administration and provisioning, only 39 per cent did penetration testing, and only 55 per cent quarantined malicious applications.

So what is to be done? In advocating a ‘Security Manifesto for the Real World,’ Brvenik said Cisco is asking many companies to rethink their approach to security.

“It starts in the boardroom, where there is a need to deepen strategic understanding,” he said. “Strategic understanding at the boardroom level isn’t yet there. They need to treat security as a critical operation.”

Similarly, security teams need to take the needs of users into account more than they have.

“As an industry, we want to keep security away from users,” Brvenik said. “That sounds great – but it doesn’t work. Instead they see security as a barrier to getting work done, and try to work around it. We need to change the approach in getting security to users.”

Cisco’s Security Manifesto consists of five principles intended to make organizations more dynamic in their approach to security.

“First, security must support the business,” Brvenik said. “There is a wealth of information you can get about the operation of the business from security. A business can also differentiate itself on its security, especially in high tech.”

Second, security must work with existing architecture — and be usable.

“There has been a habit of deploying new technology to deal with the latest hacker behavior, and that is unsustainable,” Brvenik said.

Third, security must be transparent and informative.

“An example of an uninformative security message with no value would be ‘Access Denied – Contact Administrator,’” Brvenik said. “The user gets this, so what they do is go around it, they try it at home, and compromise security. We need to make the technology transparent to the user so they know what it is doing. The message should say instead that access to the site has been blocked because it has sent malware in the last 48 hours, and to try again tomorrow. That shows the user the ongoing value, instead of a message with no value.”

Fourth, security must enable visibility and appropriate action.

Finally, security must be viewed as a ‘people problem.’

“Users are the entry point, since they are the people being targeted,” Brvenik said.

Kevin Lonergan, an analyst with the Infrastructure Solutions Group at IDC Canada, agreed that enterprises really need to emphasize the kind of awareness defense typically pitched at the consumer market, something that most Canadian companies don’t train their IT staff to do today.

“The rise of BYOD means that consumer defense is now important in the enterprise, because users download attachments on their devices when they leave the office,” he said. “We see the consumer and enterprise issues converging more and more.”