Cisco: Outdated IT Infrastructure Increasing Cyber Vulnerabilities
Aging IT infrastructure is exposing businesses to more security vulnerabilities and cyberthreats, as both malicious actors and those defending companies’ IT systems ratchet up the sophistication of their tactics, according to a report from Cisco.
One of the key conclusions of the Cisco 2016 Annual Security Report is that cyberthreats to companies are multiplying and becoming more complex.
“Adversaries and defenders are both developing technologies and tactics that are growing in sophistication,” the report notes. “For their part, bad actors are building strong back-end infrastructures with which to launch and support their campaigns. Online criminals are refining their techniques for extracting money from victims and for evading detection even as they continue to steal data and intellectual property.”
Jason Brvenik, principal engineer in Cisco’s Security Business Group, told BizTech that the company “now sees the attackers using professionally designed, architected and scaled architectures. They’re not fly-by-night operations.”
The Threat of Old Infrastructure
The report notes that connected and digitized IT and operational technology are critical elements for any business today, resulting in the need for companies to make IT security a top priority. “Yet many organizations rely on network infrastructures built of components that are old, outdated and running vulnerable operating systems — and are not cyber-resilient,” the report states.
Cisco says it “recently analyzed 115,000 Cisco devices on the Internet and across customer environments as a way to bring attention to the security risks that aging infrastructure — and lack of attention to patching vulnerabilities — present.”
The company looked at the devices as they would be seen from the Internet, an “outside in” view, and found that 106,000 of the devices — 92 percent of the sample — had “known vulnerabilities in the software they were running.”
Cisco also found that the software in those devices was outdated and vulnerable, containing 26 vulnerabilities on average.
“In addition, we learned that many organizations were running outdated software in their network infrastructure,” the report notes. “We found some customers in the financial, healthcare and retail verticals using versions of our software that are more than six years old.”
Why are there so many vulnerabilities? “Reliability breeds complacency,” Brvenik says. “We know that breaches drive vendor behavior to improve security. We haven’t seen large-scale infrastructure attacks. We think it’s a latent issue and that organizations need to plan to protect their infrastructure in much the same way they protect their compute plans.”
Security Professionals Lack Confidence, but Boost Preparedness
Cisco surveyed chief security officers and security operations managers in 12 countries to get information on the state of security threats and defenses, Brvenik says. The survey found that security professionals’ confidence in their ability to respond to threats has declined since 2014.
“For example, in 2015, 59 percent of organizations said their security infrastructure was ‘very up to date,’” the report notes. “In 2014, 64 percent said the same. However, their growing concerns about security are motivating them to improve their defenses.” Cisco attributes the falling confidence levels to “the steady drumbeat of high-profile attacks on major enterprises, the corresponding theft of private data, and the public apologies from companies whose networks have been breached.”
Threats are growing more sophisticated, but that is also pushing security professionals to protect their networks more. “For example, we are seeing more security training, an increase in formal written policies, and more outsourcing of tasks such as security audits, consulting and incident response,” the report says. “In short, security professionals show signs that they are taking action to combat the threats that loom over their networks.”
According to the report, “more companies (66 percent) have a written, formal security strategy in 2015 than was the case in 2014 (59 percent).” Additionally, 90 percent of respondents said that security awareness and/or training programs are delivered to security staff on a regular basis, the first time in Cisco’s surveys that the 90 percent threshold had been reached on that question, Brvenik says.
Yet Cisco warns against complacency. “The moves toward training and outsourcing are positive developments, but the security industry can’t stop there,” the report states. “It must continue to increase its use of tools and processes to improve the detection, containment and remediation of threats. Given the barriers of budget limitations and solution compatibility, the industry must also explore effective solutions that provide an integrated threat defense.”
SMBs Not Investing as Much as Enterprises
According to Cisco, small and mid-size businesses (SMBs) are not devoting as many resources to IT security as their larger counterparts. “For example, 48 percent of SMBs said in 2015 that they used web security, compared to 59 percent in 2014,” the report notes. “And 29 percent said they used patching and configuration tools in 2015, compared with 39 percent in 2014. Such weaknesses can place SMBs’ enterprise customers at risk, since attackers may more easily breach SMB networks.”
More often than not, the report found, “SMBs are less likely than large enterprises to have incident response and threat intelligence teams.” This could be because they lack the resources to dedicate to such teams. The report found that 40 percent of respondents at companies with fewer than 500 employees cited budget constraints as the biggest obstacle to adopting advanced security processes and technology.
“In addition, of the SMB respondents that do not have an executive responsible for security, nearly one-quarter do not believe their businesses are high-value targets for online criminals,” the report says. “This belief hints at overconfidence in their business’s ability to thwart today’s sophisticated online attacks — or, more likely, that attacks will never happen to their business.”