Unpatched systems on networks create dangerous holes that are ripe for exploiting. But updating efforts by IT departments are pretty patchy, according to a report released today by Cisco Systems.
The company recently scanned 115,000 customer-owned Cisco devices on the Internet over one day and found 106,000 — or 92 per cent — had known vulnerabilities in the software they were running. On average the version of the software on those devices had 26 vulnerabilities.
In addition, it found many organizations were running outdated Cisco software in their network infrastructure, in some cases versions that were more than six years old. In fact, eight per cent of devices had reached their last day of support, meaning they can’t be updated and made more secure.
The test was to show in general how aging infrastructure increases security risks. Between 2014 and 2015, the number of organizations that said their security infrastructure was up-to-date dropped by 10 per cent, the report says.
“Organizations need to plan for regular upgrades and recognize the value of taking control of their critical infrastructure proactively—before an adversary does,” says the report.
Asked what the test says about security teams, a Cisco spokesperson said that many organizations have old networking devices built of components that are outdated and running operating systems that are not frequently patched or upgraded by the IT teams. “We urge customers to make IT security a priority and remain vigilant in their efforts to upgrade their infrastructure and patch their software to be more resilient to cyber attacks.”
That’s just part of the findings in Cisco’s 87-page 2016 Security Report for the previous 12 months. Others include:
·Decreasing confidence, increasing transparency: Less than half of businesses surveyed were confident in their ability to determine the scope of a network compromise and to remediate damage. On the other hand, an overwhelming majority of finance and line-of-business executives agreed that regulators and investors expect companies to provide greater transparency on future cybersecurity risk;
·SMBs as a potential weak link: As more enterprises look closely at their supply chain and small business partnerships, they are finding that these organizations use fewer threat defense tools and processes. For example, from 2014 to 2015 the number of SMBs that used Web security dropped more than 10 per cent. “This indicates potential risk to enterprises due to structural weaknesses,” says the report;
·Detection too slow: The industry estimate for time to detection of a cybercrime is an unacceptable 100 to 200 days. Shrinking the time to detection has been shown to minimize cyberattack damage, lowering risk and impact to customers and infrastructures worldwide;
·Outsourcing on the rise: As part of a trend to address the talent shortage, enterprises of all sizes are realizing the value of outsourcing services to balance their security portfolios. This includes consulting, security auditing and incident response. SMBs, which often lack resources for an effective security posture, are improving their security approach, in part, by outsourcing, which rose to 23 per cent in 2015 from 14 per cent the previous year;
·Shifting server activity: Online criminals have shifted to compromised servers, such as those for WordPress, to support their attacks, leveraging social media platforms for nefarious purposes. For example, the number of WordPress domains used by criminals grew 221 per cent between February and October 2015;
·Browser-based data leakage: While often viewed by security teams as a low-level threat, malicious browser extensions have been a potential source of major data leaks, affecting more than 85 per cent of organizations. Adware, malvertising, and even common websites or obituary columns have led to breaches for those who do not regularly update their software;
·DNS blind spot: Nearly 92 per cent of “known bad” malware was found to use DNS as a key capability. This is frequently a security “blind spot,” the report says, as security teams and DNS experts typically work in different IT groups within a company and don’t interact frequently.
While a Cisco survey of infosec pros suggests confidence in their readiness to block attackers is wavering, the vendor notes that — spurred by high-profile exploits — there has been an “uptick” in security training and formal policy development. “The more frequent outsourcing of audits and incident response services indicates that defenders are searching for expert help,” the report adds.
“Enterprises should continue to raise their awareness of their security preparedness, and security professionals must champion the growth of budgetary outlays to support technology and personnel,” it says. “In addition, confidence will rise when security practitioners deploy tools that can not only detect threats, but also contain their impact and boost understanding of ways to prevent future attacks.”