Cisco 2017 Security Annual Report

Presentation transcript:

Cisco 2017 Security Annual Report
The Cisco 2017 Annual Cybersecurity Report presents our latest security industry advances designed to help organizations and users defend against attacks. We also look at the techniques and strategies that adversaries use to break through those defenses. The report also highlights major findings from the Cisco 2017 Security Capabilities Benchmark Study, which examines the security posture of enterprises and their perceptions of their preparedness to defend against attacks.

Cisco 2017 Security Capabilities Benchmark Study
To gauge the perceptions of security professionals on the state of security in their organizations, Cisco asked chief security officers (CSOs) and security operations (SecOps) managers in several countries and at organizations of various sizes about their perceptions of their own security resources and procedures. The Cisco 2017 Security Capabilities Benchmark Study offers insights on the maturity level of security operations and security practices currently in use, and also compares these results with those of the 2016 and 2015 reports. The study was conducted across 13 countries with more than 2900 respondents.

Major Findings
Three leading exploit kits—Angler, Nuclear, and Neutrino—abruptly disappeared from the landscape in 2016, leaving room for smaller players and new entrants to make their mark.

Exploit kit F-secure.com trendmicro.com

Major Findings
According to the Cisco 2017 Security Capabilities Benchmark Study, most companies use more than five security vendors and more than five security products in their environment.
- 55% of the security professionals use at least six vendors
- 45% use anywhere from one to five vendors
- 65% use six or more products
The top constraints to adopting advanced security products and solutions, according to the benchmark study, are:
- Budget (35%)
- Product compatibility (28%)
- Certification (25%)
- Talent (25%)

Major Findings
The Cisco 2017 Security Capabilities Benchmark Study found that, due to various constraints, organizations:
- Can investigate only 56% of the security alerts they receive on a given day
- Half of the investigated alerts (28%) are deemed legitimate
- Less than half (46%) of legitimate alerts are remediated
44% of security operations managers see more than 5000 security alerts per day.

Major Findings
- 27% of connected third-party cloud applications introduced by employees into enterprise environments in 2016 posed a high security risk.
- Open authentication (OAuth) connections touch the corporate infrastructure and can communicate freely with corporate cloud and software-as-a-service (SaaS) platforms after users grant access.

Major Findings
An investigation by Cisco that included 130 organizations across verticals found that 75% of those companies are affected by adware infections. Adversaries can potentially use these infections to facilitate other malware attacks.

Major Findings
- Spam accounts for nearly two-thirds (65%) of total email volume
- Cisco research suggests that global spam volume is growing due to large and thriving spam-sending botnets
- 8% to 10% of the global spam observed in 2016 could be classified as malicious
- The percentage of spam with malicious email attachments is increasing, and adversaries appear to be experimenting with a wide range of file types to help their campaigns succeed

Major Findings
The Cisco 2017 Security Capabilities Benchmark Study also found that nearly a quarter of the organizations that have suffered an attack lost business opportunities.
- Four in 10 said those losses are substantial
- One in five organizations lost customers due to an attack
- 30% lost revenue
- 36% had their operations affected
- 26% Brand reputation and customer retention

Major Findings
Network outages that are caused by security breaches:
- 45% of the outages lasted from 1 to 8 hours
- 15% lasted 9 to 16 hours
- 11% lasted 17 to 24 hours
- 41% of these outages affected between 11% and 30% of systems

Major Findings
The cadence of software updates can affect user behavior when it comes to installing patches and upgrades. According to our researchers, regular and predictable update schedules result in users upgrading their software sooner, reducing the time during which adversaries can take advantage of vulnerabilities.
The 2017 Security Capabilities Benchmark Study found that most organizations rely on third-party vendors for at least 20 percent of their security, and those who rely most heavily on these resources are most likely to expand their use in the future.

VOLUME 22, APRIL 2017

Symantec Global Intelligence Network
- 98 million attack sensors
- 157 countries
- Through a combination of Symantec products and third parties
- More than 88,900 recorded vulnerabilities
- More than 20 years
- 24,560 vendors, 78,900 products

Summary
- Multi-million dollar virtual bank heists
- Open attempts to disrupt the US elections
- One of the biggest DDoS attacks on record, using a botnet of IoT devices
- Using very simple tools and tactics

Living off the land
“Only pre-installed software is used by the attacker and no additional binary executables are installed onto the system” (Symantec)
- Fewer new files → no trace → harder detection
- Spear-phishing and social engineering
Categories:
- Memory-only
- Fileless persistence (Windows registry)
- Dual-use tools (netsh, sc.exe)
- Non-PE (Portable Executable) files (PowerShell script)

Fileless malware targeting US restaurants went undetected by most AV
- By FIN7
- It arrives in a Word document attached to a phishing email
- Contains attachments with names like menu.rtf, Olive Garden.rtf, etc.
- Convinces the victim to exit “Protected View”
- JavaScript (obfuscated) copies malicious code into 2 files, stored in two distinct directories
- The first malicious code creates a scheduled Windows task that executes the second
- The second starts up a PowerShell process
- ……..
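The chain above loses its direct parent-child link at the scheduled task, so a single "Office spawns a child" rule misses the last stage. The following is an added example, not part of the presentation or of Symantec's material: lineage checks over constructed process-creation events, where the Event fields, the process names (winword.exe, wscript.exe, schtasks.exe) and the sample data are assumptions chosen for illustration.

```python
from collections import namedtuple

# Assumed minimal process-creation record (similar to what an EDR or Sysmon exports).
Event = namedtuple("Event", "pid ppid image cmdline")

OFFICE = {"winword.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DUAL_USE = {"powershell.exe", "schtasks.exe", "netsh.exe", "sc.exe"}

# Constructed sample events; not taken from a real incident.
SAMPLE = [
    Event(100, 4, "explorer.exe", "explorer.exe"),
    Event(200, 100, "winword.exe", "winword.exe menu.rtf"),
    Event(210, 200, "wscript.exe", "wscript.exe first.js"),
    Event(220, 210, "schtasks.exe", "schtasks.exe /create /tn example /tr second.js"),
    Event(300, 50, "wscript.exe", "wscript.exe second.js"),  # run later by the task scheduler
    Event(310, 300, "powershell.exe", "powershell.exe -file example.ps1"),
    Event(400, 100, "powershell.exe", "powershell.exe Get-Service"),  # interactive admin use
    Event(500, 100, "netsh.exe", "netsh.exe interface show interface"),
]

def ancestors(event, by_pid):
    """Yield the parent chain of an event, stopping at unknown pids or loops."""
    seen = {event.pid}
    parent = by_pid.get(event.ppid)
    while parent is not None and parent.pid not in seen:
        seen.add(parent.pid)
        yield parent
        parent = by_pid.get(parent.ppid)

def detect(events):
    """Return (pid, reason) alerts for suspicious process lineage."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        chain = [a.image for a in ancestors(e, by_pid)]
        parent = chain[0] if chain else None
        if e.image in SCRIPT_HOSTS and parent in OFFICE:
            alerts.append((e.pid, "script host started by Office"))
        elif e.image in DUAL_USE and any(i in OFFICE for i in chain):
            alerts.append((e.pid, "dual-use tool descended from Office"))
        elif e.image in DUAL_USE and parent in SCRIPT_HOSTS:
            # Catches the stage that runs from the scheduled task, outside Office's tree.
            alerts.append((e.pid, "dual-use tool started by script host"))
    return alerts
```

The interactive PowerShell and netsh events raise no alert, which is the point of keying on lineage rather than on the tool name alone.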

Targeted attacks
- More overt activity, with a decline in covert activity
- Economic espionage, theft of intellectual property, and trade secrets
- 2015 agreement US/China
- Designed to destabilize and disrupt organizations and countries
- DNC attack and leak of stolen information
- Disk-wiping malware was used against targets
- Ukraine and power outages
- The trojan Shamoon reappeared after four years against multiple organizations in Saudi Arabia

Financial heists
- Cyber criminals focused mainly on customers
- Now the attackers are targeting the banks
- Up to millions of dollars in a single attack
Gangs:
- Carbanak, against US banks
- Banswift, US$81 million from Bangladesh’s central bank in fraudulent transactions
- Odinaff, fraudulent transactions, hiding customers’ own records of SWIFT messages relating to such transactions
Less sophisticated groups use BEC (Business Email Compromise) scams:
- More than $3 billion in the past three years

Emails
- Malicious emails were the weapon of choice
- 1 in 131 emails sent were malicious
- The highest rate in 5 years
- Proven attack channel
- It does not rely on vulnerabilities
- Social engineering to open attachments, follow links and disclose credentials

Ransomware
- Continues to plague businesses and consumers
- Indiscriminate campaigns with massive volumes of malicious emails
- Attackers are demanding more
- From $294 in 2015 to $1,077 in 2016, on average

IoT and cloud
- Beginning to emerge as big threats
- Mirai
- Ransomware and financial fraud still ahead
Mirai
- Botnet composed of IoT devices (routers and cameras)
- Weak security
- The average IoT device was attacked once every two minutes