
CISOs in the Dark on State of Security Readiness: Cisco

The gulf between reality and perception is widening, according to Cisco’s annual survey of CISOs and security executives.

Nearly 75 percent of CISOs in the survey said the security tools they have in place were very, or extremely, effective, according to Cisco’s 2015 Annual Security Report, released Tuesday.

There is little to celebrate, however, because it is not clear the CISOs know what they should have in place: fewer than 50 percent of respondents used standard security tools such as patch and configuration management, the survey found.

An analysis of the threat intelligence Cisco collected for the Annual Security Report also showed that organizations need to include everyone, from the executive level to end users, in defending against cyber-attacks, Jason Brvenik, a principal engineer in Cisco’s security business group, told SecurityWeek. Even when the best security technology is in place, processes that are not implemented correctly leave gaps in the organization’s defenses, and attackers are increasingly taking advantage of them, he said.

Related: Request an Invite to the 2015 SecurityWeek CISO Forum

As an example, the report highlighted the Heartbleed vulnerability, disclosed in April 2014. Cisco’s experts estimated that only about 1 percent of the high-urgency vulnerabilities published in 2014 were actively exploited, a small enough set that defenders should be able to prioritize them. Even by that measure, the response to Heartbleed was disappointing at best: 56 percent of all OpenSSL versions observed were more than 4.5 years old, a strong indicator that security teams are not patching, Brvenik said. What’s worse, fewer than half of the security teams surveyed used standard tools such as patch and configuration management to help prevent breaches, he said.
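The patching gap Brvenik describes is something an operations team can measure directly. The script below is an added example written for this page, not code from Cisco’s report or from SecurityWeek: it screens a list of hosts and the banner each one prints for `openssl version`, flagging builds in the Heartbleed-affected range (upstream 1.0.1 through 1.0.1f; 1.0.1g carries the fix) and builds older than the report’s 4.5-year mark. The inventory is constructed, the as-of date of 20 January 2015 is an assumption, and every hit is a candidate to verify rather than a confirmed vulnerability, because distributions backport fixes without changing the upstream version string.

```python
"""Screen an OpenSSL inventory for Heartbleed-range and stale builds.

Added example, not code from Cisco or SecurityWeek. Input is the text that
`openssl version` prints on each host, collected however you like (SSH,
configuration-management facts); the inventory below is constructed.
"""
import re
from datetime import date, datetime

# CVE-2014-0160 (Heartbleed) affects upstream OpenSSL 1.0.1 through 1.0.1f;
# 1.0.1g carries the fix. Earlier branches (0.9.8, 1.0.0) never shipped the
# TLS heartbeat code. Pre-release tags such as 1.0.2-beta1 are not modelled.
HEARTBLEED_FIRST = (1, 0, 1, "")
HEARTBLEED_FIXED = (1, 0, 1, "g")

# Staleness threshold mirrors the report's "over 4.5 years old" figure.
MAX_AGE_DAYS = int(4.5 * 365)

# Assumed as-of date for the age check: the report's release month.
REPORT_DATE = date(2015, 1, 20)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")
_DATE_RE = re.compile(r"(\d{1,2} [A-Z][a-z]{2} \d{4})")


def parse_version(banner):
    """'OpenSSL 1.0.1e-fips 11 Feb 2013' -> (1, 0, 1, 'e'); None if unparsable.

    The letter suffix stays a string so tuple comparison orders
    1.0.1 < 1.0.1a < ... < 1.0.1z < 1.0.1za, matching OpenSSL's scheme.
    """
    m = _VERSION_RE.match(banner.replace("OpenSSL ", "", 1))
    if not m:
        return None
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter)


def parse_release_date(banner):
    """Pull the upstream release date that `openssl version` prints, if any."""
    m = _DATE_RE.search(banner)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%d %b %Y").date()


def audit(inventory, as_of, max_age_days=MAX_AGE_DAYS):
    """Return {host: [issue, ...]} for each 'host <banner>' line in inventory.

    A version-string check is a screening signal only: distributions backport
    fixes without bumping the upstream version (RHEL's 1.0.1e-fips was patched
    for Heartbleed in place), so hits are candidates to verify, not confirmed
    vulnerabilities.
    """
    findings = {}
    for line in inventory.strip().splitlines():
        host, banner = line.split(None, 1)
        issues = []
        version = parse_version(banner)
        released = parse_release_date(banner)
        if version is None:
            issues.append("unparsable-version")
        elif HEARTBLEED_FIRST <= version < HEARTBLEED_FIXED:
            issues.append("heartbleed-range")
        if released is not None and (as_of - released).days > max_age_days:
            issues.append("stale")
        findings[host] = issues
    return findings


# Constructed inventory; the banners carry real upstream release dates.
INVENTORY = """\
web01   OpenSSL 1.0.1e-fips 11 Feb 2013
web02   OpenSSL 1.0.1g 7 Apr 2014
lb01    OpenSSL 0.9.8e 23 Feb 2007
vpn01   OpenSSL 1.0.0 29 Mar 2010
mail01  OpenSSL 1.0.1j 15 Oct 2014
"""

if __name__ == "__main__":
    for host, issues in audit(INVENTORY, REPORT_DATE).items():
        print(f"{host:8s} {', '.join(issues) or 'ok'}")
```

Feed it the real output of `openssl version` from each host and treat the result as a worklist: a `heartbleed-range` hit on a distribution build must be checked against the package changelog or a live probe before it is counted, while a `stale` hit on an unsupported branch is an argument for upgrade regardless of what was backported.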

The Annual Security Report examines threat intelligence data gathered by Cisco security experts for key insights and trends for 2015. The report also compiled responses from Cisco’s Security Capabilities Benchmark Study, which examines the security posture of enterprises and their perceptions of their preparedness. The survey went to CISOs and security operations executives at 1700 companies in nine countries.

The blind spot is not confined to CISOs: security operations (SecOps) managers were also unaware of the true state of their defenses, though less so. The gap between the two groups is smaller, but the fact that one exists at all is worrisome. For example, the study found that 59 percent of CISOs viewed their security processes as optimized, compared with 46 percent of SecOps managers.

The Security Gulf

Security experts are getting better at dismantling exploit kits, as the 2013 takedown of the Blackhole exploit kit showed. No other kit has since achieved comparable reach, and there is no clear contender for the most popular kit. Cisco’s researchers speculated, however, that exploit-kit authors no longer care about being the “top” kit: they may be keeping a lower profile, and criminals are adopting less common, less well-known kits to avoid attracting attention, the report suggested.

A significant share of Web application attacks target browser technologies such as Flash and Java. One notable finding is that Java exploits fell 34 percent in 2014 while Silverlight attacks soared 280 percent, Brvenik said. Silverlight has a much smaller install base than Java, but the shift shows that criminals move their attacks as vendors shut down weaknesses and shore up defenses in their products, he said.

Flash malware now also interacts with JavaScript code on the hosting Web page to conceal its malicious activity, the report found.

All Hands on Deck

Users are caught right in the middle—they are both victims as well as unwitting participants in spreading the attack, Cisco found in its report. Criminals count on users to be “careless” when using the Internet, and attackers are also targeting users to infect machines with malware or to launch exploits. For example, malware writers are increasingly using Web browser add-ons as a mechanism for distributing malware since many users automatically view these applications as benign or trustworthy.

“They [attackers] design malware that relies on tools that users trust, or view as benign, to persistently infect and hide in plain sight on their machines,” the report said.

In 2014, the pharmaceutical and chemical industry emerged as the number-one highest-risk vertical for web malware exposure, according to Cisco Security Research.

Being Prepared, For Real

Defenders may believe they have optimal security processes in place, but it’s more likely their security readiness needs improvement. Cisco offers a “Security Manifesto,” a set of security principles corporate boards and security teams can use to address the shortcomings in their security posture.

The manifesto reminds security professionals they must support the business, work with existing architecture and be usable, be transparent and informative, enable visibility and appropriate action, and be viewed as a “people problem.” The manifesto can be used as a baseline to help organizations become more dynamic, adaptive, and innovative, Cisco said. Users rarely view technology as a way to become active partners in security, but rather as tools that get in their way.

“CISOs need to ensure that their teams have the right tools and visibility to create a strategic security posture, as well as educate users to aid in their own safety and the safety of the business,” said John N. Stewart, senior vice president and chief security and trust officer at Cisco.

The full Cisco 2015 Annual Security Report can be downloaded online in PDF format.


Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.