According to Cisco’s Annual Security Report, 2013 was a banner year for organized cybercrime. Many companies were infected with malware, yet completely unaware, and employees relying on trusted services inadvertently exposed business assets to hackers. It sounds grim, but knowledge is power.
Here are three key takeaways from the Cisco report.
Effective use of technology depends on trust. Employees must trust systems, IT professionals must have confidence in applications and executives must trust the people they hire. Although businesses are now more discerning when it comes to selecting web hosts and cloud providers, abuse of trust remains the No. 1 cause of malware infections — anything from socially engineered password theft to “hide-in-plain-sight infiltrations that execute in minutes.” The result? Diminished consumer confidence and corporate concern that even high-level trust mechanisms can fail.
ZDNet’s examination of the Cisco report points to a sobering fact: In a 30-company sample from the Fortune 500, 100 percent generated visitor traffic that was redirected to malware sites. In other words, everyone’s infected, but no one knows it.
Part of the problem is increased attack-surface area. From the cloud to the local perimeter to the crucial enterprise network, there are a number of entry and exit points that malware actors can use. Cisco describes a common malware progression: Devices outside the corporate network are compromised and then spread infections to campus networks. From there, infection moves to enterprise data centers and wreaks havoc.
But attack surface alone isn’t enough to propagate malware; this code needs a backdoor. Enter Java, responsible for 91 percent of web exploits in 2013. It’s no surprise; according to Java’s webpage, 97 percent of enterprise desktops use this programming language. While its newest version, Java 7, deflects most exploits, Cisco discovered that 76 percent of companies still use a Java 6 runtime environment alongside Java 7, in effect providing hackers with an opening.
Mobile is also a key takeaway from the annual report. Although only 1.2 percent of all malware encounters on the web were mobile-focused, Cisco argues this is a growth industry. Ninety-nine percent of all mobile malware targeted Android devices (not surprising, given more lenient app store policies and the open-source nature of the Android OS) but didn’t always focus on compromising the actual devices. Many malicious programs use smartphones and tablets to bridge the public–private gap and make their way onto secure company networks. For the moment, mobile is the middleman, but that’s likely to change as devices take on essential corporate roles.
Ultimately, the Cisco report points to the development of Crimeware-as-a-Service (CaaS), where only a few technical innovators and criminal resellers are needed. Much as public clouds have made compute power available to nontechnical users on demand, CaaS will make malware tools a third-party “service.” Search IT Channel points to a significant shortage of security professionals in 2014, by more than a million. And in a recent TechRepublic security round table, Kenton Scearce, director of career services for ECPI University, notes that the top hot skill for IT professionals this year is network security.
But hiring additional security pros isn’t the only way to combat CaaS, according to Cisco. Initiatives like the Common Criteria for Information Technology Security Evaluation are attempting to create worldwide standards that technology products must meet in order to be deemed trustworthy. Greater use of heuristic threat analysis may also improve defense by focusing on the behavior of potentially malicious programs rather than their code.
It was a good year for the bad guys; compromised trust, unwitting infections and the spread of mobile malware all contributed to the rise of CaaS throughout 2013. Improved threat recognition and the development of common standards, meanwhile, may help limit cybercrime’s impact in 2014.