There’s good and bad news from the front line of the cyber-security war. The good news: according to the Cisco 2015 Annual Security Report, the total number of product vulnerability alerts fell by 1.8 percent from January to November 2014.
The bad news: 6,756 vulnerability alerts is still a lot for organisations to patch or otherwise mitigate in less than a year.
Meanwhile, the threat environment continues to intensify. The volume of spam, for example, increased by 250 percent over the January–November 2014 period.
How attackers are breaching defences
As the world’s largest supplier of internet infrastructure – and with a strong team of security experts – Cisco is well placed to report on the global cyber-security war.
Its 2015 security report says that organisations appear to have “upped their game by adopting more sophisticated tools for preventing attacks”. However, it points out that adversaries are also becoming more sophisticated by:
- changing their tactics and tools from moment to moment
- devising spam campaigns using hundreds of Internet Protocol (IP) addresses to bypass conventional antispam tools
- designing malware that uses tools that users trust or view as benign, such as web browser plug-ins
- establishing a hidden presence or blending in with a target organisation, sometimes over months, to gain multiple footholds.
Users are the biggest security risks
The report identifies organisations’ users as the main weak links in cyber security.
“Users’ careless behaviour when using the internet, combined with targeted campaigns by adversaries, places many industry verticals at a higher risk of web malware exposure,” the report says.
The pharmaceutical and chemical industry was the highest-risk sector in 2014, followed by media and publishing, then manufacturing.
Despite the advances in security tools, “adversaries continue to steal information, make money through scams or disrupt networks for political goals”, the report says. “In the end, security is a numbers game. Even if an organisation blocks 99.99 percent of billions of spam messages, some will make it through. There is no way to ensure 100 percent effectiveness.”
How to protect your organisation
Cisco’s security experts warn that many organisations need to take a fundamentally different approach to cyber security. The report recommends multiple strategies including:
- adopting more sophisticated security controls to help defend against threats before, during and after an attack
- making security a topic at the corporate boardroom level
- implementing the Cisco Security Manifesto, a set of principles that can help organisations “become more adaptive and innovative than adversaries”.
According to the manifesto, security must:
- work with existing architecture and be usable
- be transparent and informative
- enable visibility and appropriate action
- be viewed as a “people problem”, with security teams educating users about safe habits
- be considered a growth engine for the business by enabling agility and success while also protecting the organisation’s data, assets and image.
The Cisco 2015 Annual Security Report is freely available from http://www.cisco.com/web/offers/lp/2015-annual-security-report/index.html.