This summer saw the release of the Cisco 2014 Midyear Security Report, the latest examination of “weak links” in organizations – such as outdated software, bad code, and user errors – that could pose serious security threats.
The Report indicated an unusual increase in the amount of malware within vertical markets, malicious botnets, and standard “Man-in-the-Browser” attacks (traffic is redirected to websites that host malware). All of these leave organizations vulnerable to exploits through DNS queries, exploit kits, malvertising, ransomware and other methods.
Most interesting, though, is the report’s insistence that organizations are spending too much time focusing on high-profile vulnerabilities, rather than on high-impact, common and stealthy threats. While there’s no doubt that boldface vulnerabilities, such as the recent Heartbleed threat, need to be addressed, it’s a mistake to think that attackers have abandoned weaknesses found in low-profile legacy applications and infrastructure.
What the Report underlines to me is that the security landscape continues to be vast and constantly evolving. It’s imperative that organizations be aware of every potential threat, whether large or small. This Report, along with others released in the market, is a means for organizations to educate themselves so they are better prepared.
It’s not uncommon for me to run into people during business trips who ask about the validity of such reports. “Are they really useful? Or are they just a marketing tool?”
On the surface it does appear that many security reports tell the same story: there are a lot of threats out there and you need to be prepared. But there are two key things to remember.
First, companies like Cisco have a unique perspective on the industry and the resources to carry out vital examination. The research conducted is in-depth, with deep data and metrics that give a detailed analysis of the situation, not a cursory glance. And of course, we do more than simply tell you about security threats; we also provide potential solutions, something that would not be possible if we didn’t have a clear understanding of the situation.
Second, in my experience, there are still a large number of organizations that don’t understand how to approach the many threats that exist. Organizations have to stop thinking like consumers when it comes to security threats. A person at home whose computer has been compromised by a virus, for example, has more control over the situation and is usually able to solve the problem quickly and easily with a number of available tools – many of which are free.
Organizations, however, have to deal with more complex challenges and need to assume that they will, inevitably, be compromised. This means they need to go beyond mere prevention and understand what their critical data is and have the proper detection tools – and people – in place.
That’s why at Cisco, we tell our customers they need to be ready across the attack continuum: before, during and after they are attacked. Investing a balanced amount of time and effort across these phases results in a business that can limit the attack surface (before), identify an attack when it happens (during) and be ready to react and restore normal operations when an attack is successful (after).
I think that resources such as the Cisco Midyear and Annual Security Reports help organizations make the decisions necessary in order to remain protected and prepared across the attack continuum. Do you agree? Leave a comment below, and download the Midyear Security Report on our website.