ONE in A HUNDRED reported bugs exploited, says Cisco

Cisco's latest annual security report has found a mix of the usual things and emerging trends: people are still naive, there's too much unpatched software out there, and there are new threat types emerging as attackers respond to defences.

The report, here, notes that attackers are learning to tread more carefully. For example, rather than get caught quickly by spam filters and the like, attackers are using what's referred to as “snowshoe” attacks: recruiting large numbers of compromised hosts that send only low volumes of spam on a per-host basis.

In addition to our coverage of the study here, Vulture South spoke to Cisco Security's ANZ GM, Anthony Stitt about the study, and asked him what findings he thought were most relevant to The Register's readership.

Stitt highlighted a “discrepancy between the level of comfort between CSOs and secops teams about their level of protection,” he said.

CSOs are prone to overconfidence, Stitt explained, which suggests there's an information gap between the boss and the muscle.

“There's an opportunity for secops to be more transparent about their operational security”, he said.

Vulture South wonders if this couldn't be considered an “insurmountable opportunity”. In any case, it was worth asking Stitt how secops personnel could tell the boss “we're less secure than you think we are” without getting sacked.

“As you would appreciate we would like to approach the market saying you're never 100 per cent secure,” he answered. “Security is about appropriate … what's the level of risk, and what's happening in the threat environment.

“That's a detailed and nuanced conversation,” he said, emphasising the need “to talk about security in business terms”.

“Cisco is trying to foster that discussion, working on the visibility component [with] what we have and what we sell.

“We've also we've been championing the idea of security as a “before, during, after” activity – scope, containment, and remediation after attacks”, he said.

“Secops could have that conversation – say to the CSOs, 'we're getting compromised, but here are the steps we're taking to deal with issues in a matter of hours rather than in days, weeks or months.'

“What we've learned from high-profile attacks is that attackers have been in an environment for a long time. I think organisations need to talk about that, acknowledge it internally, and approach it as a before-during-after activity.

He said secops people should tell the CSO: “We need these tools, this funding, these headcounts, because … we want to take 12 hours, not 24 or 48, because that's the window our business can work with.”

Those pesky browsers

In some environments, browser patching seems almost intractable, Stitt said. Around 64 per cent of browsing activity observed by Cisco came from patched browsers – if the browser happened to be Chrome. At the other end of the scale, however, only 10 per cent of browsing on IE came from patched browsers.

“So in 90 per cent of IE transactions, there would be some level of insecurity”, he said.

While we're thinking about patches: Heartbleed is still out there, Stitt said, with “something like 56% of SSL instances that we saw hadn't been patched … 56 % of OpenSSL versions are over 4.5 years old”.

In a lot of cases, he said, the “guilty parties” are abandoned Websites that their owners have forgotten and never get patched.

As evidence of the zombie site, Stitt said, “You only have to look at how exploiters using botnets on old, forgotten, unpatched WordPress sites”.

Pick your CVE

Another statistic that caught Vulture South's interest was that out of the huge number of vulnerabilities reported each year, Cisco reckons only one per cent are exploited.

“That's a good and a bad statistic,” Stitt said. “On the good side, if I can find out which CVEs are in the one per cent, the patching regime is more straightforward.

“But if I can't may as well say 'patch everything'.”

In making that assessment, Stitt said, the secops' best strategy is “Go to the security experts to see which vulnerabilities are getting exploited … prioritise patching on CVEs those that are actively exploited.”

That statistic “... highlights that a lot of vulnerabilities, including in our products, aren't necessarily exploited. They're CVEs that exist in such narrow situations, that don't offer a successful compromise remotely.”

And then there's the user …

User behaviour is the perennial problem and while awareness training is needed it's not the whole answer.

“In our internal studies on this, some users just click on everything they're sent,” he said. “You can't rely on awareness alone."

“it's a problem for every organisation … if you look at the difference in the patching level in IE and Chrome, it's clear that if you can take that decision-making away from the user, you're doing yourself a favour.

“If you can automate patching, you can at least get some way to creating a significant dent in your risk profile,” Stitt said.

“Train users, but assume the worst, that they're going to click on links that they shouldn't. You need to work within the existing architecture and the environment that customers have, including users that click on the links.

“It is a people problem. It needs to be treated as such, and it's getting a worse.” ®