The cyberthreats companies faced were greater in 2013 than in any of the previous thirteen years, mobile malware is much less of a threat than anybody thought it would be, large company websites have formed a bad habit of connecting to questionable websites, most web exploits target Java, and hackers are making excellent use of cloud computing — these are a few highlights of Cisco's Annual Security Report, which was released Thursday.
The report is compilation of observations and numbers from the security intelligence and operations group within Cisco. This includes daily reviews of 16 billion web requests, 93 billion emails, 200,000 IP addresses, 400,000 malware samples, 33 million endpoint files and 28 million network connections.
"The threat landscape was dire in 2013, there's no way to sugarcoat that," says Levi Gundert, lead analyst for Cisco's Threat Research Analysis & Communications team. Overall vulnerabilities and threats, at the highest levels since Cisco began tracking them in 2000, continue to trend upward.
"It's an issue everyone has to deal with, including the financial services industry," Gundert says.
Cisco's IntelliShield service, which reports on vulnerabilities in major software programs and operating systems, issued nearly 7,000 alerts in 2013, a 14% increase over 2012. Multipurpose Trojans, malicious iFrames, and data-theft Trojans were among the top offenders.
Among 33 Fortune 500 business networks the company analyzed over the course of the year, 100% had traffic going to websites that host malware. This means that either these networks have been hacked or legitimate users have been tricked into clicking on fraudulent web pages.
The biggest target of web-based threats is the Java runtime environment, Cisco's research finds. About 91% of web exploits detected by Cisco security subsidiary Sourcefire exploited vulnerabilities in the Java programming language. It's a logical choice: 97% of enterprise desktops run Java, as do 89% of desktop computers overall in the U.S. Apps written in Java can run on Windows, Linux and Apple computers. Cisco suggests a few best practices: use the latest version of Java, disable Java in in-network browsers, monitor Java-associated traffic (this is partly a plug for Cisco's NetFlow monitoring product), use comprehensive patch management, and monitor endpoints.
Gundert points out that patching and updating Java is hard for organizations that have built massive Java-based proprietary applications. "It's not necessarily as feasible as some security folks would like to think it is," he says.
Distant runners-up were Microsoft Excel and Adobe Reader, which each attracted 3% of malware exploits; Microsoft Word, which was hit by 2% of malware activity; and Microsoft PowerPoint, which attracted 1%.
For years, many of us have been waiting for the big crisis in mobile banking security to occur and fortunately, we're still waiting. The Cisco report analyzed mobile malware in 2013 and found there's not that much going on — about 1.2% of all web malware targeted mobile devices.
"In 2013, there was a lot of talk of mobile being a big threat, but it never materialized the way a lot of people thought it would," Gundert concurs. Although there are still issues around protecting data stored on a mobile device and dealing with a lost or stolen device, from a malware perspective, mobile devices and mobile banking have dropped a few notches on the priority list. "We haven't seen an exploit pack specifically designed for mobile web traffic," he says. "If one does emerge, or if a threat actor or group decides to target mobile devices, I think that priority will change very quickly."
Of the mobile malware that does exist, 99% targets Android devices. This is due to malicious apps being sold in unauthorized Android third party markets, Cisco researchers say. "Many of the actual malware families are really sort of nuisances that are game add-ons that try to monetize SMS channel," Gundert says.
But even though there isn't a lot of malware being created for mobile devices, mobile device users are still subject to other forms of foul play, including phishing, likejacking (a malicious technique of tricking users of a website into posting a Facebook status update for a site they did not intentionally mean to "like"), and other forms of social engineering. Cisco's analysis has found that among those that have encountered such mobile threats, 71% are Android users and 14% are Apple iPhone owners.
One positive finding of the report is that spam is trending downward — toward the end of 2013, the daily volume of spam emails was down to around 25 billion. (At its peak in March, it was more than 150 billion). However, one could argue these numbers are still rather high. And the proportion of maliciously intended spam remains constant. The top category of ill-intentioned spam is fake bank alerts about deposits, payments and even fraud.
In a feel-good trend for the hacker community, cybercriminals last year began making excellent use of cloud computing technology to improve their uptime and improve the effectiveness of the malware they create.
Where once, malware orchestrators such as botnet creators burrowed into a victim company and used its servers and desktop computers to execute their dastardly work, they've all moved to the cloud, according to Cisco.
"The actual attack infrastructure and how it gets launched is being completely moved into the internet and the cloud and hosting providers, where a lot of resources are centralized and there's better uptime, bandwidth, and hardware resources," Gundert says. "That's not even talking about the way these hackers are compromising content management systems such as Wordpress and Jumla. In that space, every time there's a new vulnerability issue, thousands of them fall like dominoes. Even if they're only leveraging a site or server for 24 hours, they can continue to evolve the attack across different providers in 24-hour increments. It makes their attack strategy much more resilient and much more potent."
Some cloud providers are complicit and knowingly host cybercriminals. Others, legitimate hosting providers, try to ferret out such activity.
"But if the attack only lasts 18 or 12 hours within a specific hosting provider, that's a very tight window to try and stop the attack or shut down that account," Gundert says.