The Security Reports of Cisco and Sans Highlighting Some of the Most Relevant Topics of the Year 2016
Author: Maryam • April 17, 2018 • 2,454 Words (10 Pages) • 719 Views
...
Looking forward
It seems as though everyone is moving to the cloud. But would any particular security event lead organizations to move applications back on-premises? In fact, 78% felt that large-scale external breaches could lead to applications being moved back to their own premises, followed by 74% who cited customer data loss as such a trigger. Compliance violations, employee data loss and other events might also be triggers, but who really knows today? Given the rapid proliferation of cloud applications and data, it’s unlikely that anything minor would lead an organization to “pull back” its infrastructure, but many security professionals felt that any major security event could prove to be a catalyst for exactly that.
It’s apparent that we still have a lot of work to do in designing and implementing our cloud security strategies. Respondents’ comments on their cloud and security strategies uncover some major themes:
• Security teams want more access to event and forensic data within the cloud, regardless of the cloud model they use.
• Organizations need better visibility and transparency from cloud providers with regard to security controls and processes in use in their environments.
• Cloud security solutions (both vendor options and cloud service provider capabilities) are generally considered to be immature.
• Administrators and IT staff need to better understand cloud architecture and the security control capabilities of providers.
Overall, we seem to be improving, albeit slowly. However, until cloud providers become more open and accommodating of security data and controls, it’s likely to remain a slow process. For cloud users, the biggest challenges today still seem to revolve around visibility into their cloud provider’s controls and practices, and a lack of tools and integration capabilities that allow for compatibility with, or transition from, well-understood internal security controls. While more and more security-as-a-service solutions and APIs are becoming available all the time, many providers just aren’t moving fast enough to address enterprise needs in the cloud today. In 2017, we hope to see cloud providers adding more capable security controls and integration options for third-party solutions; providing access to more of the artifacts needed for proper incident detection, response and forensics; and also providing more details about the controls and processes they have in place to help secure their customers’ environments.
Cisco 2016 Annual Security Report Highlights
Cisco just released its annual Security Report, which can be downloaded HERE. This report draws on research, insights and perspectives from Cisco and other security experts such as Level 3 Threat Research Labs. Topics covered are Threat Intelligence (trends in web attack vectors, web attack methods and vulnerabilities), Industry Insights (how the industry is doing), the Security Capabilities Benchmark Study (security professionals’ perceptions of the state of security) and Looking Forward, which covers some case studies and updates on research aimed at reducing time to detection of threats.
It was great to see the Angler exploit kit go down (I posted about this HERE); however, what is interesting is how fast it came back (here is an article on that HERE). Basically, the people behind these attacks are able to tweak things very quickly and get the kit back out there, making it almost impossible to truly prevent these attacks from happening.
[pic 2]
Cisco, with help from Level 3 Threat Research Labs and cooperation from the hosting provider Limestone Networks, identified and sidelined the largest Angler exploit kit operation in the United States, which was targeting 90,000 victims per day and generating tens of millions of dollars annually for the threat actors behind the campaign.
I found this one interesting, being a fan of the Browser Exploitation Framework (BeEF) tool. Not only are browsers themselves vulnerable; the automatic installation of browser extensions, i.e. crapware, is causing people to get compromised. Remember not to click quickly through software installers or download software from just anywhere, or you may get some malicious extras that expose you to bad stuff.
Malicious browser extensions can be a major source of data leakage for businesses and are a widespread problem. We estimate that more than 85 percent of organizations studied are affected by malicious browser extensions.
Looks like Flash is still bad. Hopefully the risk reduction actually happens.
Adobe Flash vulnerabilities continue to be popular with cybercriminals. However, software vendors are reducing the risk that users will be exposed to malware through Flash technology.
DNS seems to be something to leverage for security intelligence, since the majority of malware uses it to carry out campaigns.
[pic 3]
Cisco’s analysis of malware validated as “known bad” found that the majority of that malware—91.3 percent—uses the Domain Name Service (DNS) to carry out campaigns. Through retrospective investigation into DNS queries, Cisco uncovered “rogue” DNS resolvers in use on customer networks. The customers were not aware that the resolvers were being used by their employees as part of their DNS infrastructure.
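The "retrospective investigation into DNS queries" the report describes amounts to comparing where clients actually send their queries against the resolvers the organization sanctions. The script below is an added example (not from the Cisco report or from this post) of that check: it reads DNS query log lines, skips anything malformed, and reports every resolver outside an approved set together with the clients that used it. The log format, the approved resolver list and every IP address are constructed for the example.

```python
"""
Added example: a retrospective check over DNS query logs that flags clients
sending queries to resolvers outside the organization's approved set, the
pattern the Cisco report calls "rogue" resolvers. Log format and all
addresses are constructed for this example, not taken from the report.
"""
from collections import defaultdict
import ipaddress

# Hypothetical approved internal resolvers (assumption for this example).
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Constructed sample log: "<timestamp> <client_ip> -> <resolver_ip> <qname>"
SAMPLE_LOG = """\
2016-03-01T08:00:01Z 10.20.1.15 -> 10.0.0.53 intranet.example.internal
2016-03-01T08:00:02Z 10.20.1.15 -> 10.0.0.53 updates.example.internal
2016-03-01T08:00:05Z 10.20.1.22 -> 192.0.2.44 first-lookup.example
2016-03-01T08:00:06Z 10.20.1.22 -> 192.0.2.44 second-lookup.example
2016-03-01T08:00:09Z 10.20.1.31 -> 10.0.1.53 mail.example.internal
2016-03-01T08:00:10Z 10.20.1.22 -> 198.51.100.9 third-lookup.example
malformed line that should be skipped
"""


def parse_line(line):
    """Return (client, resolver, qname) or None for lines that do not match the format."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "->":
        return None
    _, client, _, resolver, qname = parts
    try:
        ipaddress.ip_address(client)
        ipaddress.ip_address(resolver)
    except ValueError:
        return None
    return client, resolver, qname


def find_rogue_resolvers(log_text, approved=APPROVED_RESOLVERS):
    """Map each unapproved resolver to the clients that used it and the query count."""
    findings = defaultdict(lambda: {"clients": set(), "queries": 0})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable line: skip rather than guess
        client, resolver, _qname = parsed
        if resolver in approved:
            continue
        findings[resolver]["clients"].add(client)
        findings[resolver]["queries"] += 1
    # Sorted client lists make the output deterministic and easy to diff between runs.
    return {r: {"clients": sorted(v["clients"]), "queries": v["queries"]}
            for r, v in findings.items()}


if __name__ == "__main__":
    for resolver, info in find_rogue_resolvers(SAMPLE_LOG).items():
        print(f"unapproved resolver {resolver}: {info['queries']} queries "
              f"from {', '.join(info['clients'])}")
```

In a real deployment the log text would come from resolver or firewall logs and the approved set from configuration management; the value of the check is that it surfaces resolvers the organization never knowingly deployed, which is exactly what the customers in the report had missed.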
We all saw this coming: HTTPS is now being seen more than HTTP. Good for encryption; however, don’t think of this as a security feature in itself. Many malicious websites can hide behind categories many customers tend not to decrypt, such as banking or religion. We find it is common practice to do “selective decryption of SSL”, and the attackers know this as well.
[pic 4]
Observing the trends in 2015, our researchers suggest that HTTPS encrypted traffic has reached a tipping point: it will soon become the dominant form of Internet traffic. Although encryption can help protect consumers, it also can undermine the effectiveness of security products, making it more difficult for the security community to track threats. Adding to the challenge, some malware may initiate encrypted communications across a diverse set of ports.
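The report's last point, that malware may open encrypted sessions on a diverse set of ports, is why port-based policy alone misses such traffic. The following added example (not from the Cisco report or from this post) shows the defender-side check: it recognizes a TLS ClientHello from the first bytes of a connection regardless of port, then flags sessions on ports where the organization does not expect TLS. The flow records, addresses, payload bytes and the expected-port set are all constructed assumptions for the example.

```python
"""
Added example: spot TLS sessions by their opening bytes rather than by port,
and flag those on ports where TLS is not expected. All flow data here is
constructed; the expected-port set is an assumption for the example.
"""

# Ports on which TLS is expected in this hypothetical environment (assumption).
EXPECTED_TLS_PORTS = {443, 465, 636, 853, 993, 995, 8443}

TLS_HANDSHAKE = 0x16   # TLS record content type: Handshake
CLIENT_HELLO = 0x01    # handshake message type: ClientHello
# Record-layer versions seen on ClientHello: SSL 3.0 through TLS 1.2 (TLS 1.3 also uses 0x0303).
TLS_RECORD_VERSIONS = {0x0300, 0x0301, 0x0302, 0x0303}


def looks_like_client_hello(payload: bytes) -> bool:
    """True if the payload begins with a TLS record that carries a ClientHello."""
    if len(payload) < 6:
        return False
    content_type = payload[0]
    version = int.from_bytes(payload[1:3], "big")
    record_len = int.from_bytes(payload[3:5], "big")
    handshake_type = payload[5]
    return (content_type == TLS_HANDSHAKE
            and version in TLS_RECORD_VERSIONS
            and record_len > 0
            and handshake_type == CLIENT_HELLO)


def client_hello(version: int = 0x0303, body: bytes = b"\x00" * 40) -> bytes:
    """Build a constructed TLS record wrapping a dummy ClientHello, for sample data only."""
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([TLS_HANDSHAKE]) + version.to_bytes(2, "big")
            + len(handshake).to_bytes(2, "big") + handshake)


# Constructed flow records: (client, server, destination port, first payload bytes)
SAMPLE_FLOWS = [
    ("10.20.1.15", "203.0.113.10", 443, client_hello()),
    ("10.20.1.22", "198.51.100.7", 8080, client_hello()),
    ("10.20.1.22", "198.51.100.7", 4444, client_hello(version=0x0301)),
    ("10.20.1.31", "203.0.113.20", 80, b"GET / HTTP/1.1\r\nHost: example.test\r\n"),
    ("10.20.1.40", "203.0.113.30", 993, client_hello()),
]


def flag_tls_on_unexpected_ports(flows, expected=EXPECTED_TLS_PORTS):
    """Return (client, server, port) for TLS sessions whose port is outside the expected set."""
    return [(client, server, port)
            for client, server, port, payload in flows
            if looks_like_client_hello(payload) and port not in expected]


if __name__ == "__main__":
    for client, server, port in flag_tls_on_unexpected_ports(SAMPLE_FLOWS):
        print(f"TLS ClientHello on unexpected port {port}: {client} -> {server}")
```

The header check is deliberately narrow (content type, record version, non-zero length, ClientHello type) so it stays cheap enough to run on the first packet of every flow; a fuller implementation would parse the ClientHello body for the SNI and cipher suites and feed those into the same selective-decryption policy the post discusses.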
It
...