Recent security reports give insight into security best practices often missed.

In order to gain intelligence about the threats that may be directed to our organizations we need to tune into what is happening on the Internet. By reading the latest annual security reports we can learn from what others have experienced and broaden our perspective on the current threat landscape. Security practitioners should be sharing information about threats and attacks just as readily as the attackers share information, exfiltrated data and access to botnets. We can learn from recent security reports and anticipate what we can expect to occur in 2015 and try to adapt our defensive strategies to protect our enterprises.
IT Security is Like Dental Floss

Parallels can be drawn between IT security and using dental floss. We know that using dental floss can add years to your life expectancy but it requires discipline and a small time commitment every day. Similarly, IT security requires a relatively small capital investment and a relatively small investment in time to configure granular policies and be vigilant. Good security is a result of taking time to configure prudent security and then spending the time to establish situational awareness of the environment. The papers are full of news about companies that have not invested enough time into their security programs.
Sharing Security Experiences

We can be sure that the attackers are sharing information between themselves about what attack types are more successful than others. They are sharing information about targets, trading information about application vulnerabilities, trading access to botnets, and coordinating with organized crime organizations as part of their business ecosystem.

Few IT staff members actually share the valuable tidbits of knowledge that they have accumulated with the rest of the industry. Think about the powerful amplification effect an individual can have on the industry by sharing what they know with others. Defenders should be sharing information about what attack types they are observing and what defensive capabilities are most effective. However, companies are often unwilling to share information for fear of embarrassment, a lack of security knowledge and experience, or a lack of time to communicate it. Many IT security organizations run so lean they don’t have the time required to keep up on security topics, time to keep tabs on security events, or time to share intelligence information with other organizations.
Annual Security Reports

One way an organization can gain information about what types of attacks are taking place “in the wild” is to read annual security reports that are published. Many different companies write periodic security reports about current security trends, current attack types, and best current defensive practices. These reports are written by security equipment and software manufacturers, security service companies, Internet service providers, and other security associations.

In the distant past (2009, 2010, 2011) I have written about the annual security reports that companies publish. We should applaud these organizations who are spending a vast amount of time compiling and publishing these reports on what is happening in terms of Internet security. There were a whole host of “security SNAFUs” (as Ellen Messmer calls them) in 2014 and 2013 and we should all try to learn from these incidents. In the last 6 to 12 months, many organizations have published some very good reports on the state of Internet security.

This article will list and review many of the recently published security reports. By reading these reports and sharing this type of knowledge with our colleagues we can strive for better security practices. We can read these reports to anticipate what attack types may become prevalent in the new year, to get an idea of the threats our organizations are currently facing, and how we should configure our security systems to have maximum effectiveness.
Verizon Data Breach Investigations Report (DBIR) 2014

Every springtime since 2008, Verizon has published its Data Breach Investigations Report (DBIR). This is one of the best annual security reports because it anonymously compiles information from 63,000 actual security incidents. This year’s report covered all incidents, even if data records were not leaked, unlike previous years’ reports that covered only confirmed information breaches. This year’s report identified nine common attack patterns that represent the vast majority of cyber-attacks. The report breaks down these nine attack types and covers which attack types are common in specific industries.

Of all the statistics revealed in the DBIR, the one that continues to amaze us is the duration between a security incident occurring and when the organization actually discovers the compromise. In some cases, it takes organizations over a hundred days to discover that a breach has occurred. Often, an organization only discovers the breach when an outside person or company identifies that information has been leaked.

The 2014 breach report actually covers information gathered during 2013 so by this time in the year, this information can be at least 18 months old. In several months we are likely to receive the 2015 DBIR that will cover data from 2014.

Cisco Systems Annual Security Report (ASR)

Cisco publishes their Annual Security Report (ASR) on the state of Internet security twice a year. There is a midyear security report which covers threat intelligence from the first half of the year, and an annual security report which covers what occurred the whole previous year. The report is a combination of threat intelligence from Talos, Cisco’s threat research team, and examining cybersecurity trends.

The Cisco 2014 Annual Security Report covered information from the 2013 year. This report covered how attacks are now targeting manufacturing and agricultural targets, but retail and point-of-sale systems are still financially lucrative targets. Even though spam volumes are down, breaking news spam, spear phishing and “watering hole” attacks are on the rise. Their report revealed that 99% of all mobile malware was directed toward Android OS devices. Java was the leading Indicator of Compromise (IoC) ahead of Flash exploits and PDF issues.

In August 2014, Cisco published their Midyear Security Report 2014, which covered security intelligence from the first half of 2014. This report noted that the Internet of Things (IoT) may represent a growing attack target in the coming years as more IP-enabled embedded devices connect to networks. This report covered Cisco’s “Inside Out” project, in which they examined which outgoing DNS queries were destined for Dynamic DNS (DDNS) systems. Cisco’s recommendation is for organizations to use a system like Infoblox’s DNS Firewall to restrict DNS queries destined to malicious systems. This midyear report also confirmed the increase in Java exploits and recommends that organizations update to the more secure Java 8 releases. The report covered the recent NTP packet amplification attacks and showed how attackers can change their tactics rapidly based on the effectiveness of the attacks.
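The “Inside Out” approach described above (looking at which outbound DNS queries go to dynamic DNS zones, then restricting resolution of the suspicious ones) can be reproduced on a resolver’s query log. The following is an added example written for this article, not Cisco’s or Infoblox’s code: the log format, the client addresses and the DDNS zone names (`ddns-provider-a.test`, `ddns-provider-b.test`) are all constructed, and a real deployment would load its provider list or a threat feed in place of `DDNS_ZONES`. The `rpz_block_records` helper emits Response Policy Zone records, the mechanism DNS firewalls use to return NXDOMAIN for a name.

```python
import re
from collections import defaultdict

# Constructed sample of resolver query log lines (not from any report):
# "<timestamp> <client-ip> <queried-name>"
SAMPLE_LOG = """\
2014-06-01T10:00:01 10.1.1.20 www.example.com
2014-06-01T10:00:02 10.1.1.20 updates.example.org
2014-06-01T10:00:05 10.1.1.57 host1.ddns-provider-a.test
2014-06-01T10:00:09 10.1.1.57 host1.ddns-provider-a.test
2014-06-01T10:00:14 10.1.1.57 c2node.ddns-provider-b.test
2014-06-01T10:00:20 10.1.1.90 mail.example.com
2014-06-01T10:00:31 10.1.1.90 backup.ddns-provider-a.test
"""

# Hypothetical dynamic DNS provider zones; a real deployment would load its
# own provider list or an RPZ feed here.
DDNS_ZONES = ("ddns-provider-a.test", "ddns-provider-b.test")

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def is_ddns_name(qname, zones=DDNS_ZONES):
    """True if qname is the zone apex or any name beneath one of the zones."""
    q = qname.lower().rstrip(".")
    return any(q == z or q.endswith("." + z) for z in zones)


def find_ddns_queries(log_text, zones=DDNS_ZONES):
    """Return {client_ip: {qname: count}} for queries into DDNS zones."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        _ts, client, qname = m.groups()
        if is_ddns_name(qname, zones):
            hits[client][qname.lower()] += 1
    return {c: dict(names) for c, names in hits.items()}


def rank_clients(hits):
    """Clients ordered by their number of DDNS queries, busiest first."""
    return sorted(hits, key=lambda c: sum(hits[c].values()), reverse=True)


def rpz_block_records(zones=DDNS_ZONES):
    """RPZ records that make the resolver answer NXDOMAIN for each zone
    (apex plus wildcard), i.e. the restriction the report recommends."""
    lines = []
    for z in zones:
        lines.append(f"{z} CNAME .")
        lines.append(f"*.{z} CNAME .")
    return lines


if __name__ == "__main__":
    found = find_ddns_queries(SAMPLE_LOG)
    for client in rank_clients(found):
        print(client, found[client])
    print("\n".join(rpz_block_records()))
```

A client that repeatedly resolves names in DDNS zones is worth a look before the block is applied, since some legitimate remote-access setups also use these providers; the ranking makes that triage the first step rather than an afterthought.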

Cisco just today released their 2015 Annual Security Report. This year’s report covered events occurring in 2014. This ASR noted that there is an ever-widening gap between the capabilities of defenders and attackers. This report also noted the decline in Java exploits. The report also found that many organizations are over-confident about their security posture, since many of these same companies are still experiencing breaches. There was also a large percentage of unpatched OpenSSL servers still operating, showing that many organizations are not patching frequently enough.

Microsoft Security Intelligence Report (SIR)

Microsoft publishes their annual Security Intelligence Report (SIR) that provides information on current threats based on their host operating systems, popular enterprise and consumer applications and cloud-based service perspective on security. Microsoft has been publishing these reports every 6 months since 2006 and they have been the go-to source for information on current security threats. The Microsoft Security Intelligence Report (SIR) Volume 16 covered issues occurring from July 2013 to December 2013. The latest Microsoft Security Intelligence Report, Volume 17, published in November 2014, covers issues from the first half of this year: January through June 2014.

The SIRv17, weighing in at a hefty 166 pages, provides a comprehensive look at current vulnerability, exploit, and malware trends. The report mentioned how weak login credentials lead to compromise far too often and how two-factor authentication systems and encrypting the passwords on the servers can prevent many of these types of attacks. The report covered results of gathering data from the Malicious Software Removal Tool (MSRT) and showed that many infected computers were not running up-to-date real-time antivirus software. The report showed how applications were more vulnerable than operating systems and that browser vulnerability disclosures increased significantly. The SIRv17 showed a drop in Java exploit attempts and a rise in JavaScript and HTML exploit kits. The majority of malware is now hosted on servers in data centers, and the majority of those malware servers are located within the United States.
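The credential advice in the SIR (stop relying on a password alone; protect what the server stores) is easy to state and easy to get subtly wrong. The following is an added example, not code from Microsoft’s report: it stores each password as a random salt plus a PBKDF2-SHA256 hash (salted hashing rather than reversible encryption is the usual way to protect stored credentials, and is my choice here), checks it with a constant-time comparison, and implements the RFC 4226/6238 HOTP/TOTP code as the second factor so that a leaked password alone is not enough. The user store, the user name `alice` and the TOTP secret are constructed; the secret is the RFC 6238 test-vector key, so the codes can be checked against the published values.

```python
import hashlib
import hmac
import os
import struct
import time

PBKDF2_ROUNDS = 200_000  # slow on purpose; tune to your server's budget


def make_password_record(password, salt=None, rounds=PBKDF2_ROUNDS):
    """Store a per-user random salt and the PBKDF2 hash, never the password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return {"salt": salt, "rounds": rounds, "hash": digest}


def check_password(password, record):
    """Recompute the hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    record["salt"], record["rounds"])
    return hmac.compare_digest(candidate, record["hash"])


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a short decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from the current time."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret, code, unix_time=None, window=1, step=30):
    """Accept the current code and +/- `window` steps to tolerate clock drift."""
    now = time.time() if unix_time is None else unix_time
    counter = int(now) // step
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


# Constructed user store; the TOTP secret is the RFC 6238 test-vector key.
USERS = {
    "alice": {
        "pw": make_password_record("correct horse battery staple"),
        "totp_secret": b"12345678901234567890",
    }
}


def login(username, password, code, store=USERS, unix_time=None):
    """Two-factor login: both the password and the one-time code must pass."""
    user = store.get(username)
    if user is None:
        return False
    return (check_password(password, user["pw"])
            and verify_totp(user["totp_secret"], code, unix_time))


if __name__ == "__main__":
    now = time.time()
    code = totp(USERS["alice"]["totp_secret"], now)
    print("login ok:", login("alice", "correct horse battery staple", code, unix_time=now))
```

Note that a wrong password and a wrong code both simply return False; the login function deliberately gives the caller no hint about which factor failed.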

One great initiative that Microsoft has taken on is the Microsoft Active Protections Program (MAPP). MAPP is a forum for software providers to share and access vulnerability information to help them update their software faster in response to new vulnerabilities. MAPP is an example of how sharing security information between companies can benefit the whole industry.
Akamai State of the Internet Report

Akamai has been producing their State of the Internet Report for many years now. Akamai’s extremely large cloud and Content Distribution Network (CDN) gives them access to a large amount of data about Internet threats targeting them and their customers. This year, Akamai acquired Prolexic, a network security company that provides services that help companies avoid damaging DDoS attacks. Akamai is leveraging the Prolexic services to help Akamai’s CDN and cloud customers mitigate the effects of the service-affecting attacks. Prolexic used to publish their own Quarterly Global DDoS Attack Report but that research has now been brought into the quarterly State of the Internet Report.

Their Q3 2014 State of the Internet Report is available for download now. This report talks a lot about the increase in the bandwidth of DDoS attacks due to increasing Internet access speeds, whereby subscriber devices are used as bots to generate the traffic. The report notes that reflection attacks using DNS and NTP are starting to wane, but new reflection attacks using different protocols like SSDP and UPnP, and leveraging vulnerable mobile, CPE and IoT devices, may become pervasive. This report also mentioned that the U.S. was the primary source of DDoS attacks.

Arbor Networks Worldwide Infrastructure Security Report (WISR)

Arbor Networks has also been publishing annual security reports since about 2004. Their ninth Worldwide Infrastructure Security Report (WISR) covers data gathered from late 2012 to late 2013. This report is based on data that their DDoS products gather and information from their user base on survey results from over 220 service providers and large enterprises worldwide. This data is also based on the information gathered from their Active Threat Level Analysis System (ATLAS) global threat intelligence system from their Peakflow SP customers. Arbor Networks also publishes threat information from their Arbor Security Engineering & Response Team (ASERT) group based on ATLAS information.

The current WISR indicated that the largest DDoS attacks are now well over 100Gbps, where just a few years ago they were peaking at 40Gbps. The duration of DDoS attacks is also typically less than an hour. This report also confirmed a rise in the number of IPv6-enabled service provider networks and that IPv6 transport was used in some DDoS attacks. However, IPv6 traffic visibility trails IPv4 traffic visibility. This report confirmed the use of DNS and NTP as packet amplification techniques used by attackers. One interesting set of statistics was on the size of the OPSEC teams. A few organizations had large OPSEC teams, while the majority of companies have extremely small teams or no team to speak of, and lack of headcount or resources was listed as the largest OPSEC team challenge. This report also shows that most organizations are using ACLs, firewalls, IPSs and Intelligent DDoS Mitigation Systems (IDMS) to defend against DDoS attacks.
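Both the Akamai and Arbor reports above describe reflection and amplification attacks over DNS, NTP and SSDP, and an organization can be on either end of one: the target of the amplified traffic, or the owner of an open server that is being used as a reflector. The following is an added example, not code from either vendor, showing how flow records can be screened for both cases. The flow records, the address space `192.0.2.0/24` and the byte-per-packet threshold are all constructed; a real deployment would feed exported NetFlow/IPFIX records into `findings` and tune the thresholds to its own baseline.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# UDP services commonly abused as reflectors, keyed by the server port.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP"}

LOCAL_NET = ip_network("192.0.2.0/24")  # our address space (constructed)

# Constructed flow records (not from any report): one dict per unidirectional
# flow, with byte and packet totals from src to dst. Protocol 17 is UDP.
SAMPLE_FLOWS = [
    # ordinary DNS answers from our resolver to an internal client
    {"src": "192.0.2.53", "sport": 53, "dst": "192.0.2.10", "dport": 40000,
     "proto": 17, "bytes": 240, "pkts": 2},
    # large NTP replies from our NTP server to several outside hosts:
    # our server is being used as a reflector
    {"src": "192.0.2.123", "sport": 123, "dst": "198.51.100.5", "dport": 80,
     "proto": 17, "bytes": 22000, "pkts": 50},
    {"src": "192.0.2.123", "sport": 123, "dst": "198.51.100.6", "dport": 80,
     "proto": 17, "bytes": 21500, "pkts": 48},
    # large SSDP replies from many outside hosts to one of ours:
    # our host is the target of the amplified traffic
    {"src": "203.0.113.7", "sport": 1900, "dst": "192.0.2.80", "dport": 80,
     "proto": 17, "bytes": 150000, "pkts": 400},
    {"src": "203.0.113.8", "sport": 1900, "dst": "192.0.2.80", "dport": 80,
     "proto": 17, "bytes": 148000, "pkts": 390},
    {"src": "203.0.113.9", "sport": 1900, "dst": "192.0.2.80", "dport": 80,
     "proto": 17, "bytes": 151000, "pkts": 410},
    # ordinary TCP web traffic, ignored by the screen
    {"src": "192.0.2.80", "sport": 443, "dst": "203.0.113.50", "dport": 51000,
     "proto": 6, "bytes": 9000, "pkts": 12},
]


def is_local(addr, net=LOCAL_NET):
    return ip_address(addr) in net


def suspect_reflection_flows(flows, net=LOCAL_NET, min_bytes_per_pkt=300):
    """Split large UDP reply flows from reflector ports into two views:
    inbound (keyed by local victim) and outbound (keyed by local reflector)."""
    inbound = defaultdict(lambda: {"bytes": 0, "sources": set(), "services": set()})
    outbound = defaultdict(lambda: {"bytes": 0, "targets": set(), "service": None})
    for f in flows:
        if f["proto"] != 17 or f["sport"] not in REFLECTOR_PORTS:
            continue
        if f["pkts"] == 0 or f["bytes"] / f["pkts"] < min_bytes_per_pkt:
            continue  # small packets are consistent with normal queries/replies
        svc = REFLECTOR_PORTS[f["sport"]]
        src_local, dst_local = is_local(f["src"], net), is_local(f["dst"], net)
        if dst_local and not src_local:
            v = inbound[f["dst"]]
            v["bytes"] += f["bytes"]
            v["sources"].add(f["src"])
            v["services"].add(svc)
        elif src_local and not dst_local:
            r = outbound[f["src"]]
            r["bytes"] += f["bytes"]
            r["targets"].add(f["dst"])
            r["service"] = svc
    return dict(inbound), dict(outbound)


def findings(flows, net=LOCAL_NET, min_peers=2):
    """Report hosts that see large reflector-port traffic from/to at least
    `min_peers` distinct peers, as (kind, host, service(s), peers, bytes)."""
    inbound, outbound = suspect_reflection_flows(flows, net)
    out = []
    for victim, v in inbound.items():
        if len(v["sources"]) >= min_peers:
            out.append(("possible_reflection_target", victim,
                        sorted(v["services"]), len(v["sources"]), v["bytes"]))
    for reflector, r in outbound.items():
        if len(r["targets"]) >= min_peers:
            out.append(("possible_open_reflector", reflector,
                        r["service"], len(r["targets"]), r["bytes"]))
    return out


if __name__ == "__main__":
    for row in findings(SAMPLE_FLOWS):
        print(row)
```

The “possible_open_reflector” case is the one most often overlooked: it shows up as outbound volume rather than an attack on you, and fixing it (rate-limiting or disabling the responding service, and source-address validation at the edge) is what keeps your network from contributing to someone else’s 100Gbps.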

NTT/Solutionary Global Threat Intelligence Report (GTIR)

Solutionary (which is now part of the NTT Group) provides managed security services to their global customers. Because their Solutionary Security Engineering Research Team (SERT) is watching over the security of many organizations, it gives them a unique perspective on the state of Internet security. The NTT Group 2014 Global Threat Intelligence Report (GTIR) came out earlier in 2014 and covers attacks seen in 2013. In case you are curious, you can also look at their SERT Quarterly Threat Intelligence Report from Q3 2013.

The GTIR described how “good enough” security by organizations is not sufficient to keep up with the quick and nimble responsiveness of well-funded attackers. This report also commented on the well-known fact of the erosion of the traditional enterprise security perimeter and a need for enterprises to deploy a diverse and layered security strategy that involves the end-user and their BYOD systems. The GTIR discussed how application-layer attacks are the norm, but DDoS attacks and botnet activity account for many of the security incidents. This report also confirmed the other reports in citing that the greatest number of attack sources and botnet C&C systems like ZeroAccess Supernodes are found within the United States. The GTIR also has several realistic case studies for the various attack types highlighted.

FireEye Advanced Threat Report & Mandiant M-Trends Report

FireEye is a manufacturer of perimeter-based adaptive threat defense systems that focus on preventing malware from being received over web, e-mail or through file transfers. FireEye’s system leverages their virtual-machine detection Multi-Vector Virtual Execution (MVX) technology that uses a sandbox and signature-detection methods to detect and prevent malware infections. FireEye has published their Advanced Threat Report for several years and their most recent 2013 edition is available for download.

Now that FireEye has acquired Mandiant and the knowledge team led by Richard Bejtlich (longtime security researcher and author of many fantastic security books), their combined research has produced improved security guidance. The security reports are created by the FireEye/Mandiant Intel team. Mandiant has historically published their M-Trends report, most recently M-Trends 2013: Attack the Security Gap.

The FireEye report corroborated other reports that showed that APTs and malware most frequently targeted the U.S. and that Java exploits were popular. The M-Trends report confirmed that the number of days that networks were compromised was well over 200 and that attackers leveraged malware propagation, drive-by downloads, and business partner networks to infiltrate organizations. The M-Trends report also covered how adept attackers are getting at external and internal reconnaissance of their victims. We should soon expect new and improved combined versions of these reports to be published with data from 2014.

Check Point 2014 Internet Security Report

Check Point has published annual security reports for several years now. Their latest report is their 2014 Security Report, which covers security trends observed in 2013 by their security researchers and by their ThreatCloud system. This report, like the others listed here, recognized the transition of malware attacks to political and ideological hacktivism, state-sponsored industrial espionage, the increased appearance of ransomware, advanced APTs, and DNS packet amplification DDoS attacks. Check Point, therefore, recommends that more organizations utilize improved AV software, better URL filtering, anti-bot mitigation, and malware detection/prevention systems that perform emulation and sandboxing and have capabilities to disarm the malware at various points along the “Kill Chain”. The security report also discussed the risks related to the use of web anonymizers, file sharing and storage services, social media applications, and Remote Administration Tools (RATs). The report also talked about the data loss experienced by high-profile companies and noted, like other reports listed here, that there are many more incidents of data loss that go unreported.

Trustwave Global Security Report (GSR)

Trustwave is a global security services company. Through their work helping organizations secure their environments, they observe attacks, and their security researchers are discovering the latest security threats. Trustwave publishes a comprehensive Global Security Report based on their observations from the previous year. This year’s report was as easy to read as a comic book, yet it contained valuable statistics that provide insights into the security challenges enterprises face. The report confirmed other reports’ observations on the increase in retail attacks and Point-of-Sale (POS) breaches, the number of days between intrusion and detection, the amount of spam traffic, the origins of hosted malware, and victim geography. This report provided a vast amount of infographic-like statistics based on Trustwave’s global perspective on current security incidents.

Securosis is a leading independent and objective security research firm that provides practical advice on how to make your organization more impervious to modern cyber threats. Securosis provides much of their research library on their web site and there are a wide range of useful reports listed there. While these reports are not necessarily annual security reports, in the spirit of sharing security information, they provide useful information to organizations wanting to improve their security posture. Some of my favorite reports they have written are their “The Future of Security, The Trends and Technologies Transforming Security” published on February 20, 2014 and their Continuous Security Monitoring (CSM) report from 2013. One of their most recently published reports is their “2015 Endpoint and Mobile Security Buyer’s Guide”.

The Ponemon Institute is also an independent research firm and consultancy that focuses on IT security topics in order to help organizations learn about emerging threats and the best practices for securing their infrastructure. The Ponemon Institute provides their research library or published papers on their web site. Again, while not necessarily annual security reports on the changing global threat landscape, these are very useful reports nonetheless.

The Ponemon Institute also worked with HP Enterprise Security to create the “2013 Fourth Annual Cost of Cyber Crime Study”. These reports are published for different geographies and you can download the report for your location. The Ponemon Institute has published other useful papers such as the “2013 Cost of Data Center Outages”, published December 18, 2013 and their “2013 Cost of Data Breach: Global Analysis”, published mid-2013.
Conclusions

In the IT industry, there are many people who consume content that is created by others but don’t share information. We can be certain that this knowledge sharing is taking place among the attackers. Therefore, it is imperative for us as defenders to share our experiences with each other. From the statistics revealed in these security reports, there are many organizations whose security teams need to learn about current Internet threats. We can be certain that the more we share, the stronger we can make our collective defenses.

Based on all this information from these reports and historical trends, we can expect the security threat landscape to continue to change in 2015. Companies need to start to seriously invest in their security programs beyond just “checkbox security” to achieve the minimum compliance level of protection. Organizations can no longer run IT shops as lean as possible trying to continually cut operational costs. Enterprises can only “do more with less” up to a point where it starts to hurt the business. Security is a time-intensive exercise and there are few shortcuts. Those organizations who do less than the minimum level of effort to stay secure will encounter breaches resulting in loss of their intellectual property, customer data, and subsequently loss of their reputations in the industry.

For 2015, more organizations should share information about their security and absorb information that others are writing about the current state of security threats and attacks. Organizations can use this free security research information to make sure that their security systems are being adaptive to the latest threats.

News Reporter