This posting needs to come with a reader warning so here it is. Please take an antacid, make that two, before reading any further.
It should be good news for all of us that the good folks at Cisco are out with The Cisco 2014 Annual Security Report. However, the only good news appears to be for bad actors. According to the detailed report, and in what has been an oft-repeated refrain from all of the security vendors on numerous fronts, the bad guys enjoyed a banner year.
As Cisco is detailing, in 2013 there was unprecedented growth of advanced attacks and malicious traffic that unfortunately reached historic levels. And, if that was not bad enough, the report notes that in the face of increased attack surface exposures, exponential improvements in attack sophistication, more widespread use of state of the black art monetization techniques by attackers, and involvement of rogue states, there is a worldwide shortage of nearly a million skilled security professionals.
In short, while defense tools are improving, the lack of skilled security professionals across all of the security practice areas is impacting organizations’ abilities to monitor and secure networks.
Now is the time to take a deep breath since there is an OMG moment. There is every reason to believe 2014 will be as bad and more likely worse than 2013. Those with malicious intent and capabilities are constantly exploring more diabolical ways to undermine trust and commerce. This is true whether their intentions are political, commercial, or both.
Indeed, it is depressing to note that hacking has become one of the great growth areas of the information age. It seems to always be on the cutting edge of innovation covering all the bases, i.e., who, what, where, when, why, how (fast, long, and for how much). Given, both how lucrative this activity is, and the low risks or consequences of getting caught, putting aside a lack of young workers being educated as security experts for a moment, the allocation of brain power on security issues is certainly something to contemplate when evaluating who has the resources to win cyber warfare.
News and views you can use
As noted, there is a lot to try and digest as usual in the report. In fact, the addition recent acquisition Sourcefire by Cisco makes this edition the report that much more insightful. What is striking is the complex and dynamic picture it paints of just how rapidly security challenges facing businesses, IT departments and individuals are evolving. As Cisco details, attacker methods now include socially engineered theft of passwords and credentials, hide-in-plain-sight infiltrations, and exploitation of the trust required for economic transactions, government services and social interactions.
“Really insidious stuff”
In fact, Cisco Threat Technical Leader Levi Gundert, told me that one of the most alarming trends the Cisco security team is watching, “A shift in the criminal attacker space away from end points to going after core Internet infrastructure.” He continued, “The shift helps complicate finding out the threat source, gives attackers broader reach, and looks legit to the end users. It is done through things like compromising SSH, and modifying HTTP software. This is really insidious stuff. The threat actors have rethought how they launch attacks. Hosting companies because of the layers of resellers can’t identify owners, and the attacks scale nicely. This is really insidious stuff.”
Before getting to some of the more insidious highlights, or low lights, depending on your view of things, the graphic below is a good visualization of what Gundert said about the shift in infection strategy and why it works so well.
Source: Cisco Annual Security Report 2014
As to the things to look for when you read the report, there are a long list of things which all are relevant and summarized by the authors as follows:
As noted, this is a lot to digest, but there is one other chart from the report that is worth a quick look.
The takeaway is that organization is immune from being attacked and the probability is substantial you and your organization will be.
John N. Stewart, senior vice president, chief security officer, Threat Response Intelligence and Development, Cisco, had this to say about the findings: “Although the Cisco Annual Security Report paints a grim picture of the current state of cyber security, there is hope for restoring trust in people, institutions and technologies – and that starts with empowering defenders with real-world knowledge about expanding attack surfaces. To truly protect against all of these possible attacks, defenders must understand the attackers, their motivations and their methods – before, during and after an attack.”
I will not spoil your reading of what I keep handy on my hard drive for easy reference, but do not just look at the facts. Read through the recommendations which include:
In addition, if you wish to learn more and question in real-time John Stewart and Levi Gundert, Cisco is hosting a live broadcast with the two on Friday, Jan. 17 at 10:30 AM PT.
I resonate with Mr. Stewart about the need for better education and the need to take a posture that is more proactive and not just reactive in dealing with risk assessment and mitigation challenges.
This means as the recommendation highlight, getting not just security experts but C-levels across organizations to examine their security capabilities and model a reasoned holistic strategy for gaining visibility and knowing what to do about the entire attack continuum. It also means there is a lot of real education to be done so that the good guys can close the talent gap.
It may seem like a keen grasp of the obvious point on my part, but from both a technology and people perspective, you should not enter a gun fight bearing only a knife. The odds of success tilt very much in favor of the opposition. There are many reports from various sources that are sounding wake-up calls to all of us, and particularly upper management, about security threats. The recent data breaches at Target and Neiman-Marcus only punctuate the sense of urgency for actions since clearly staying the course or doing nothing is not an alternative.
I you are an IT security professional, you might wish to socialize this report. Fear truly can be a great motivator.
To make 5G possible, everything will change. The 5G network will involve new antennas and chipsets, new architectures, new KPIs, new vendors, cloud di…
The digital transformation of business is generating a lot of value, through more automation, more intelligence, and ultimately more efficiency.
Last week, at the Open Source Summit, hosted by The Linux Foundation, the Open Mainframe Project gave birth to Zowe, introduced a new open source soft…
Not many of us love going to see the dentist, and one company working across unified voice, productivity and even IoT systems is out to make the exper…
Moogsoft Observe advances the capabilities of AIOps to help IT teams better manage their services and applications in the face of a massive proliferat…