Channel Daily News

Cisco finds major security disconnect between policies and reality

TORONTO – As part of Cisco Canada’s first-ever Security Day, the networking vendor released a security report that examined the threat landscape and cyber security trends.

Jason Brvenik, principal engineer for Cisco’s security business group, said there is a major security disconnect with organizations and their security policies.

The Cisco Security Report for 2015 found that 90 per cent of organizations were confident in their security policy, but more than 50 per cent of them were unfortunate enough to have a breach, Brvenik said.

The Cisco 2015 Security Report surveyed Chief Information Security Officers (CISOs) and Security Operations (SecOps) executives at 1,700 companies in nine countries.

Another disconnect is that approximately 75 per cent of Chief Information Security Officers (CISOs) believe their security tools are either very effective or extremely effective.

Meanwhile, less than 50 per cent of the respondents use standard tools such as patching and configuration.

Also, fewer than half of the security practitioners leverage known effective practices. For example, only 43 per cent of SecOps employ identity administration and provisioning, 38 per cent patch and use configuration as a defense, 39 per cent do pentesting and 55 per cent of SecOps quarantine malicious applications.

The report did come to two conclusions:

  1. Attackers have become more proficient at taking advantage of gaps in security; and
  2. Defenders must be constantly improving their approach to protect their organization.

“Attackers have become more proficient at taking advantage of the gaps in security to hide and conceal multiple threats,” Brvenik said.

Attackers are also innovating, Brvenik added. “What’s old is new. Spam used to be on the decline, but it’s exploded by 250 per cent as they exploit users at the browser and email level. This is called a snowshoe Spam attack,” he said.

Cybercriminals have also improved operationally. For example, Brvenik said some of these attackers are running their crews as a business and managing hackers using KPIs (Key Performance Indicators) similar to most large legitimate organizations.

Another factor for defenders is the many geopolitical regulations and conflicting requirements brought about by local lawmakers on issues such as data sovereignty, data localization and encryption.

Other findings from the Cisco 2015 Security Report are:

Malvertising, Brvenik said, is a new term in the security field, but it is a new attack method that is on the rise.

Malvertising infections become harder to detect as they are dropped into ads in a network. “They appear and disappear and defenders find it harder to find these (compromised) ads. Consumers are not expecting compromised ads as they are on trusted and known sites,” he added.

Some of these malvertising infections are on freemium-style sites. The advertising hides malicious code that is served up to users. “You can read your news and have your browser compromised and you never saw it as it is gone quickly,” he said.

Brvenik has developed a Security Manifesto for the real world that includes five new directions for security professionals. They are:

  1. Must support the business;
  2. Work with existing architecture and be usable;
  3. Must be transparent and informative;
  4. Enable visibility and appropriate action; and
  5. Must be viewed as a “people problem”.