Cisco Security Report Shows Importance of User Education
Fighting malvertising attacks and other tricky exploits is nearly impossible without user education, notes a Cisco security researcher.
Java caused a lot of headaches for enterprise security teams in 2013, with researchers from Trustwave and Cisco putting it atop their lists of the most prevalent security exploits. According to Trustwave, Java accounted for 78 percent of exploits in 2013, while Cisco said Java represented a whopping 91 percent of all indicators of compromise.
Oracle addressed the issue by making it more difficult for malware to run in newer versions of Java, while browser vendors began blocking older versions of the Java Runtime Environment by default. Their efforts resulted in a 34 percent drop in Java exploits in 2014, according to Cisco's 2015 annual security report, which was released last week.
If It Isn't Java, It's Something Else
While that is good news, as Sean Kerner noted on eWEEK, attackers simply focused their efforts on other vulnerable platforms, including Microsoft's Internet Explorer.
In an interview with Enterprise Security Planet, Craig Williams, security outreach manager for Cisco's Talos Security Intelligence and Research Group, highlighted a rise in exploits that leveraged Microsoft's Silverlight application development platform.
In addition to the usual "trifecta" of vulnerabilities (Adobe's Flash and PDF, along with Java), Williams said Cisco researchers last spring started seeing big increases in exploit kits that included Silverlight. "Silverlight went from a rarely exploited piece of technology that was not used in commercial exploit kits to being used in several different exploit kits," he said, noting that Silverlight exploits grew 228 percent in 2014. "Silverlight still makes up just a tiny percentage of attacks, but that is a huge rise," he added.
Silverlight and Malvertising
In a May blog post about a malvertising attack that leveraged Silverlight, Cisco researchers wrote: "We should expect these existing Silverlight exploits to proliferate through other exploit pack families in the near future as threat actors copy code from each other and release updates. Silverlight exploits are also ideal because Silverlight continues to gain rich Internet application market share, perhaps surpassing Java, and Microsoft’s life cycle schedule suggests Silverlight 5 will be supported through October, 2021."
Malvertising attacks are tough to fight, Williams said, because they capitalize on two prevalent trends: borderless networks and unwitting users.
"One of the things businesses have focused on is guarding the traditional data center infrastructure, but that is not necessarily where most work happens today," he said, noting that hundreds of TCP connections are involved when an employee who is working outside the confines of the corporate network visits a website such as a daily news site.
"There can easily be thousands of servers," he said. "Attackers notice when machines are not up-to-date. They can find one that is not following security best practices and then embed a link so you have a landing page hosting a drive-by download attack. Then they use human engineering to trick users to look at that page, serve up some malware, and you are compromised."
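The pattern Williams describes, a plugin payload (Silverlight, Java, Flash, PDF) pulled in from a third-party domain that the page the user actually visited never referenced, and an out-of-date Java client fetching it, is something a security team can look for in its own web proxy logs. The script below is an added example written for this article, not Cisco's or Talos's code. It assumes a simplified tab-separated log format (timestamp, client IP, URL, referer, status, content type, user agent), which is a constructed layout rather than any vendor's, uses a naive two-label "registrable domain" check in place of a public-suffix list, and takes Java 7u71 as an assumed patch baseline; the log lines are constructed for the example.

```python
"""Flag cross-domain plugin payloads and outdated Java clients in proxy logs.

Added example for illustration; not code from the article, Cisco or Talos.
Assumed log format (constructed, tab-separated, one request per line):
    timestamp  client_ip  url  referer  status  content_type  user_agent
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Content types exploit kits use to deliver plugin payloads. The mapping from
# MIME type to plugin name is an assumption for this example.
PLUGIN_TYPES = {
    "application/x-silverlight-app": "silverlight",
    "application/x-silverlight-2": "silverlight",
    "application/java-archive": "java",
    "application/x-java-archive": "java",
    "application/x-shockwave-flash": "flash",
    "application/pdf": "pdf",
}

# Java's own HTTP stack identifies itself as e.g. "Java/1.7.0_45"; the number
# after the underscore is the JRE update level, which is what patching changes.
JAVA_UA = re.compile(r"^Java/1\.(\d)\.0_(\d+)")


@dataclass
class Finding:
    client: str
    kind: str
    detail: str


def parse_java_version(user_agent):
    """Return (major, update) for a Java client user agent, else None."""
    m = JAVA_UA.match(user_agent)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def is_outdated(user_agent, minimum):
    """True if the user agent is a Java client older than `minimum`."""
    version = parse_java_version(user_agent)
    return version is not None and version < minimum


def registrable_domain(host):
    """Naive last-two-labels approximation; a real tool would use a public suffix list."""
    return ".".join(host.lower().split(".")[-2:])


def analyze(log_text, minimum_java=(7, 71)):
    """Scan log lines and return findings for the two drive-by indicators."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            continue  # malformed record; a production tool would count these
        _ts, client, url, referer, _status, ctype, ua = fields
        host = urlsplit(url).hostname or ""
        plugin = PLUGIN_TYPES.get(ctype.split(";")[0].strip().lower())
        # Rule 1: plugin content embedded from a domain other than the embedding page.
        if plugin and referer != "-":
            ref_host = urlsplit(referer).hostname or ""
            if registrable_domain(host) != registrable_domain(ref_host):
                findings.append(Finding(
                    client, "cross-domain-plugin",
                    f"{plugin} payload from {host} embedded via {ref_host}"))
        # Rule 2: a Java runtime below the patch baseline is talking to the web.
        if is_outdated(ua, minimum_java):
            findings.append(Finding(client, "outdated-java", f"{ua} fetched {url}"))
    return findings


# Constructed sample: a news page loads an ad script, the ad frame pulls a
# Silverlight app and a JAR from a third domain, and an old JRE fetches the JAR.
SAMPLE_LOG = (
    "2015-01-27T10:00:01Z\t10.0.0.5\thttp://news.example.com/\t-\t200\ttext/html\tMozilla/5.0\n"
    "2015-01-27T10:00:02Z\t10.0.0.5\thttp://ads.example.net/serve.js\thttp://news.example.com/"
    "\t200\tapplication/javascript\tMozilla/5.0\n"
    "2015-01-27T10:00:03Z\t10.0.0.5\thttp://cdn.example.org/x/app.xap\thttp://ads.example.net/frame.html"
    "\t200\tapplication/x-silverlight-app\tMozilla/5.0\n"
    "2015-01-27T10:00:04Z\t10.0.0.5\thttp://cdn.example.org/x/run.jar\thttp://ads.example.net/frame.html"
    "\t200\tapplication/java-archive\tJava/1.7.0_25\n"
    "2015-01-27T10:00:05Z\t10.0.0.9\thttp://intranet.example.com/app.jar\thttp://intranet.example.com/"
    "\t200\tapplication/java-archive\tJava/1.7.0_75\n"
)

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.client}\t{f.kind}\t{f.detail}")
```

On the sample the internal JAR served from the same domain to an up-to-date JRE produces nothing, while the ad-frame requests produce two cross-domain plugin findings and one outdated-Java finding; in practice the baseline version and the list of trusted ad or CDN domains would be tuned to the environment before this is used for alerting.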
Enterprises need to employ security technology "that lives on every endpoint" to combat these types of threats, Williams said. "That way, if you have a borderless network or you have employees working with devices at home, you are still secure."
Bring Users on Board with Security
As part of its report, Cisco suggested companies should follow five security principles:
- Security must support the business
- Security must work with existing architecture – and be usable
- Security must be transparent and informative
- Security must enable visibility and appropriate action
- Security must be viewed as a "people problem"
These five principles should help get boards of directors, company executives and front-line employees more involved in security, Williams said, adding that security teams "need to make security as painless as possible."
For instance, he said, it's always a good idea to inform users as to why specific websites might need to be blocked. "If users are blocked from a site and just get a vague message, chances are they will try to find a way to bypass it."
Ann All is the editor of Enterprise Apps Today and eSecurity Planet. She has covered business and technology for more than a decade, writing about everything from business intelligence to virtualization.