CISOs in the Dark on State of Security Readiness: Cisco

The gulf between reality and perception is widening, according to Cisco’s annual survey of CISOs and security executives.

Nearly 75 percent of CISOs in the survey said the security tools they have in place were very, or extremely, effective, according to Cisco’s 2015 Annual Security Report, released Tuesday.

There is little to celebrate, however, because it is not clear the CISOs know what they should have in place: fewer than 50 percent of respondents had standard security tools such as patch and configuration management, the survey found.

An analysis of threat intelligence collected by Cisco for the Annual Security Report also showed that organizations need to include everyone, from the executive level to end users, in order to defend against cyber-attacks, Jason Brvenik, a principal engineer in Cisco’s security business group, told SecurityWeek. Even where the best security technology is in place, processes that are not implemented correctly leave gaps in the organization’s defenses, and attackers are increasingly taking advantage of them, he said.

As an example, the report highlighted the Heartbleed vulnerability, disclosed in April 2014. Cisco’s experts estimated that in 2014, 1 percent of high-urgency vulnerabilities were actively exploited. Even by that narrow metric, the response to Heartbleed was disappointing at best. The fact that 56 percent of all OpenSSL versions are over 4.5 years old is a strong indicator that security teams are not patching, Brvenik said. What’s worse, fewer than half of the security teams surveyed used standard tools like patching and configuration management to help prevent breaches, he said.
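The patch-hygiene point above (security teams still running years-old OpenSSL builds, and the slow response to Heartbleed) is something a team can measure rather than estimate. The following added example is not part of Cisco’s report or of this article: it parses the version line that `openssl version` prints on each host from a constructed inventory, computes how old each build’s upstream release is against an assumed assessment date, and flags the hosts still on a Heartbleed-affected 1.0.1 release. The hostnames, version strings, assessment date and the 4.5-year threshold are constructed or assumed for the example.

```python
import re
from datetime import date, datetime

# Constructed sample inventory (hostname -> first line of `openssl version` output
# collected from each host). Hosts and version strings are made up for this example.
SAMPLE_INVENTORY = {
    "web-01": "OpenSSL 1.0.1e 11 Feb 2013",
    "web-02": "OpenSSL 1.0.1g 7 Apr 2014",
    "db-01": "OpenSSL 0.9.8e 23 Feb 2007",
    "vpn-01": "OpenSSL 1.0.1f 6 Jan 2014",
}

# Assumed assessment date: roughly when the 2015 report was released.
ASSESSMENT_DATE = date(2015, 1, 20)

# Same "over 4.5 years old" threshold the report uses.
STALE_AFTER_YEARS = 4.5

# `openssl version` prints e.g. "OpenSSL 1.0.1e 11 Feb 2013": base version,
# optional patch letter(s), then the upstream release date of that build.
VERSION_RE = re.compile(r"^OpenSSL (\d+\.\d+\.\d+)([a-z]*)\s+(\d{1,2} \w{3} \d{4})")

# Heartbleed (CVE-2014-0160) affected the 1.0.1 branch up to and including
# 1.0.1f; 1.0.1g shipped the fix.
HEARTBLEED_BRANCH = "1.0.1"
HEARTBLEED_FIXED_LETTER = "g"


def parse_version(line):
    """Return (base_version, patch_letters, release_date) for one version line."""
    m = VERSION_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version line: {line!r}")
    base, letters, released = m.groups()
    return base, letters, datetime.strptime(released, "%d %b %Y").date()


def is_heartbleed_vulnerable(base, letters):
    # Patch letters sort alphabetically within a branch, so anything before "g"
    # on 1.0.1 (including the unlettered 1.0.1 itself) is affected.
    return base == HEARTBLEED_BRANCH and letters < HEARTBLEED_FIXED_LETTER


def age_years(released, as_of):
    return (as_of - released).days / 365.25


def assess(inventory, as_of=ASSESSMENT_DATE, stale_after=STALE_AFTER_YEARS):
    """Per host: version, release age, and whether it is stale or Heartbleed-affected."""
    findings = {}
    for host, line in inventory.items():
        base, letters, released = parse_version(line)
        age = age_years(released, as_of)
        findings[host] = {
            "version": base + letters,
            "age_years": round(age, 2),
            "stale": age > stale_after,
            "heartbleed": is_heartbleed_vulnerable(base, letters),
        }
    return findings


def stale_fraction(findings):
    """Share of hosts on a release older than the threshold (the report's 56 percent metric)."""
    if not findings:
        return 0.0
    return sum(f["stale"] for f in findings.values()) / len(findings)


def heartbleed_hosts(findings):
    return sorted(h for h, f in findings.items() if f["heartbleed"])


if __name__ == "__main__":
    results = assess(SAMPLE_INVENTORY)
    for host, f in sorted(results.items()):
        print(f"{host:8} {f['version']:8} age={f['age_years']:>5}y "
              f"stale={f['stale']!s:5} heartbleed={f['heartbleed']}")
    print(f"stale fraction: {stale_fraction(results):.0%}")
    print("Heartbleed-affected hosts:", ", ".join(heartbleed_hosts(results)) or "none")
```

Feeding the real output of `openssl version` from every host into `SAMPLE_INVENTORY` turns the report’s 56 percent figure into a number for your own estate; the release date in the version line measures upstream age, so a distribution that backports fixes without changing the version string will still show as old here and needs the package manager’s metadata instead.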

The Annual Security Report examines threat intelligence data gathered by Cisco security experts for key insights and trends for 2015. The report also compiled responses from Cisco’s Security Capabilities Benchmark Study, which examines the security posture of enterprises and their perceptions of their preparedness. The survey went to CISOs and security operations executives at 1700 companies in nine countries.

CISOs were not the only ones unaware of the true state of their security defenses; security operations (SecOps) managers were too, though by a smaller margin. The disconnect is smaller, but the fact that one exists at all is worrisome. For example, the study found that 59 percent of CISOs viewed their security processes as optimized, compared to 46 percent of SecOps managers.

The Security Gulf

Security experts are getting better at dismantling exploit kits, as shown by the effort to shut down the Blackhole exploit kit in 2013. No other exploit kit has since achieved similar levels of success, and there is no clear contender for the most popular kit. However, Cisco researchers speculated that exploit writers no longer care about becoming the “top” kit. Exploit writers may be keeping a lower profile, and criminals are adopting less common, less well-known kits to avoid attracting attention, the report suggested.

A significant share of Web application attacks target Web technologies such as Flash and Java. An interesting finding, however, is that Java exploits decreased by 34 percent in 2014 while Silverlight attacks soared 280 percent, Brvenik said. Silverlight has a smaller install base than Java, but the shift shows that criminals move their attacks as vendors shut down weaknesses and shore up defenses in their products, he said.

And Flash malware now interacts with JavaScript code on the Web page to conceal its malicious activity, Cisco found in the report.

All Hands on Deck

Users are caught right in the middle—they are both victims as well as unwitting participants in spreading the attack, Cisco found in its report. Criminals count on users to be “careless” when using the Internet, and attackers are also targeting users to infect machines with malware or to launch exploits. For example, malware writers are increasingly using Web browser add-ons as a mechanism for distributing malware since many users automatically view these applications as benign or trustworthy.

“They [attackers] design malware that relies on tools that users trust, or view as benign, to persistently infect and hide in plain sight on their machines,” the report said.

In 2014, the pharmaceutical and chemical industry emerged as the number-one highest-risk vertical for web malware exposure, according to Cisco Security Research.

Being Prepared, For Real

Defenders may believe they have optimal security processes in place, but it’s more likely their security readiness needs improvement. Cisco offers a “Security Manifesto,” a set of security principles corporate boards and security teams can use to address the shortcomings in their security posture.

The manifesto reminds security professionals that security must support the business, work with existing architecture and be usable, be transparent and informative, enable visibility and appropriate action, and be viewed as a “people problem.” The manifesto can be used as a baseline to help organizations become more dynamic, adaptive, and innovative, Cisco said. Users rarely view security technology as a way to become active partners in security, but rather as tools that get in their way.

“CISOs need to ensure that their teams have the right tools and visibility to create a strategic security posture, as well as educate users to aid in their own safety and the safety of the business,” said John N. Stewart, senior vice president and chief security and trust officer at Cisco.

The full Cisco 2015 Annual Security Report can be downloaded online in PDF format.