Cisco releases global security report

Published 20 December 2007

Security threats and attacks have become more global and sophisticated; as the adoption of more and more IP-connected devices, applications, and communication methods increases, the opportunity emerges for a greater number of attacks.

Cisco has just released its first annual report on the global state of security. The report highlights the risks and challenges that businesses, government organizations, and consumers increasingly face and offers suggestions on guarding against them. The 2007 Cisco Annual Security Report, released in conjunction with the launch of the company’s updated Cisco Security Center site, provides a concise summary of the past year’s major issues. It offers predictions for security threats in 2008 and recommendations from Cisco security practitioners, such as CSO John Stewart and Vice President of Customer Assurance and Security Programs Dave Goddard. Many end-of-year industry reports focus on content security threats (viruses, worms, trojans, spam, and phishing), but the Cisco report broadens the discussion to a set of seven risk management categories, many of which extend beyond isolated content security issues. The categories are vulnerability, physical, legal, trust, identity, human and geopolitical, and together they encompass security requirements that involve antimalware protection, data-leakage protection, enterprise risk management, disaster planning, and more.

The report’s findings reinforce the fact that security threats and attacks have become more global and sophisticated. As the adoption of more and more IP-connected devices, applications, and communication methods increases, the opportunity emerges for a greater number of attacks. These trends are writing a new chapter in the history of security threats and attack methodologies. Years ago, viruses and worms (remember Code Red, Nimda, and others?) ransacked computer systems to cause damage and gain notoriety. As Internet adoption and e-commerce increased, blended threats (spam-enabled phishing attacks, botnets, etc.) evolved with the intent to steal money and personal information. This “stealth-and-wealth” approach subsequently evolved into a more worldwide phenomenon that frequently features more than one of the seven risk categories.

Some of the noteworthy recommendations include:

* Conduct regular audits within organizations of attractive targets and evaluate the avenues that can be used to attack them. “Exploits are too often successful because of not following security basics: host-based intrusion prevention, patches and upgrades with security fixes, and regular audits,” Stewart said.

* Understand the notion that threats follow usage patterns. “Where the majority goes, attackers will follow,” Goddard said. “Every time a new application or device enters the fold, new threats will emerge.”

* Change the mindset of employees, consumers and citizens who consider themselves innocent bystanders and empower them to become active influencers with shared ownership over security responsibilities. IT teams should help lead this charge, but it’s not solely their problem.

* Make security education a priority. Businesses, security vendors, and government agencies need to invest in security education and awareness-building. This effort should include industry-wide collaboration among partners and competitors.

* Institutionalize IT security education by incorporating it into school curricula.

* Consider more than just performance when building a secure network. Focus on the network’s ability to collaborate, inspect, adapt and resolve security issues end to end, from gateways and servers to desktops and mobile devices.

* Security vendors need to provide comprehensive security solutions that extend throughout the network infrastructure, application mix and data itself.