Another security vendor has issued a report looking back on the previous 12 months with gloomy words and predictions.
“The threat picture in 2013 was pretty bleak,” said Levi Gundert, technical lead at Cisco Systems Inc.’s Threat Research Analysis and Communications (TRAC) group, looking at the figures.
The number of vulnerabilities and threats catalogued by the company was the highest since it began counting in 2000, he said. Threats were up 14 per cent over 2012.
Hackers are increasing attacks on the core of the Internet – servers of Web hosting providers, nameservers and data centres – to spread exploits.
Cisco-collected data from customers says 91 per cent of Web exploits are targeting holes in Java. In fact, customer data shows that 76 per cent of companies using Cisco Web Services are still running Java 6, which is unsupported. The current version is 7 update 51.
It also got disappointing news after analyzing domain name server requests of some pretty big companies – 33 members of the Fortune 500 who are Cisco customers: Some traffic from every one of them went to known malicious Web destinations, meaning they all had at least one infected PC.
“I’ve been in the threat intel space for quite a while and I’m pretty jaded, but it’s still surprising to see 100 per cent of these companies affected,” Gundert confessed. “It speaks for the fact that it’s not ‘Is your network going to be compromised’ but it’s more a question of ‘How long is it going to take you to detect and can you shorten the remediation window?’”
Gundert disagreed with a suggestion that organizations are defenceless.
“I think organizations need to rethink how they’re going to do detection. If they’re exclusively relying on intrusion prevention, it’s a failed model. It just can’t work. You really do have to assume you are compromised at some level and attackers do have access to your network.
“If organizations recognize that there is a lot of opportunity to make the right choices around detection because you really need to address the attack before, during and after and you need the visibility to be able to do that.”
Organizations can head off some attacks by profiling the behaviour of users and traffic to set thresholds; when a risk score crosses its threshold, that triggers a security response.
For example, he said, a lot of Web page redirects use obfuscated JavaScript, and there aren’t many legitimate reasons to have that. If a system prefetches the pages being requested and finds such code, the request should be blocked.
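The threshold-driven blocking Gundert describes, as an added example written for this article rather than Cisco's own code: a prefetching proxy scores each fetched page on indicators that are common in packed redirect scripts and rare in hand-written site JavaScript, and blocks the request once the score crosses a threshold. The sample pages, indicator list and weights are constructed for illustration.

```python
import re

# Constructed sample pages (not from the Cisco report): a hand-written page
# and one carrying an obfuscated redirect of the kind the article describes.
BENIGN_PAGE = """<html><head><script>
function go() { window.location = "/login"; }
</script></head><body><a onclick="go()">Sign in</a></body></html>"""

SUSPICIOUS_PAGE = """<html><body><script>
var _0x4a=["\\x6c\\x6f\\x63\\x61\\x74\\x69\\x6f\\x6e","\\x68\\x74\\x74\\x70"];
eval(unescape("%64%6f%63%75%6d%65%6e%74%2e%6c%6f%63%61%74%69%6f%6e%3d"));
document[_0x4a[0]] = String.fromCharCode(104, 116, 116, 112, 58, 47, 47);
</script></body></html>"""

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)

# Indicator regex -> weight. Weights are illustrative assumptions, not Cisco's.
INDICATORS = {
    r"\beval\s*\(": 3,
    r"\bunescape\s*\(": 2,
    r"String\.fromCharCode\s*\(": 2,
    r"(\\x[0-9a-fA-F]{2}){8,}": 3,   # long run of hex-escaped characters
    r"(%[0-9a-fA-F]{2}){8,}": 3,     # long run of URL-encoded characters
    r"\b_0x[0-9a-f]{2,}\b": 1,       # machine-generated identifier names
}
BLOCK_THRESHOLD = 5  # risk score at which the prefetched page is blocked


def obfuscation_score(html: str) -> int:
    """Sum the weights of every indicator present in the page's inline scripts."""
    scripts = "\n".join(SCRIPT_RE.findall(html))
    return sum(w for pat, w in INDICATORS.items() if re.search(pat, scripts))


def should_block(html: str, threshold: int = BLOCK_THRESHOLD) -> bool:
    """Decision a prefetching proxy would make for one fetched page."""
    return obfuscation_score(html) >= threshold


def triage(pages: dict) -> dict:
    """Score a batch of prefetched pages keyed by URL: url -> (score, blocked)."""
    return {url: (obfuscation_score(h), should_block(h)) for url, h in pages.items()}


if __name__ == "__main__":
    sample = {"https://intranet.example/login": BENIGN_PAGE,
              "http://ad-redirector.example/r": SUSPICIOUS_PAGE}
    for url, (score, blocked) in triage(sample).items():
        print(f"{'BLOCK' if blocked else 'allow'} score={score:2d} {url}")
```

In a real deployment the indicator weights would be tuned against the organization's own traffic profile, which is the behavioural baseline the article refers to.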
Because organizations have to assume the network has been or eventually will be penetrated, they also have to determine what’s really valuable on the network – payment card data, personnel or customer data, intellectual property – and put detection and defence mechanisms there, he added.
While tools aren’t in short supply there is a shortage of skilled IT security personnel. Cisco [Nasdaq: CSCO] estimates that this year the industry will be short more than 1 million security professionals around the world.
“You can have great tools and a great strategy but if you don’t have the right people none of this works,” Gundert said.
Finally, to give organizations confidence in the IT security products they buy he said security vendors should have respected third parties audit products to certify they don’t have backdoors and vulnerabilities.