Cisco issues inaugural report on global IT security landscape. Meantime, spam just gets worse… 

In what it says is an effort to shed greater light on growing trends involving security threats around the world, networking giant Cisco Systems (aka the Kid)  has announced the release of its first annual report on the global state of security. The report is designed to spotlight the risks and challenges that businesses, government organisations and consumers increasingly face, and offer suggestions on guarding against them.

The ‘2007 Cisco Annual Security Report’, released in conjunction with the launch of the company’s updated Cisco Security Center site (www.cisco.com/security), provides a summary of the past year’s major issues. It offers predictions for security threats in 2008 and recommendations from Cisco security practitioners, such as chief security officer John Stewart and vice president of Customer Assurance and Security Programs Dave Goddard. While many end-of-year industry reports focus on content security threats (viruses, worms, trojans, spam and phishing), the Cisco document expands the discussion to a set of seven risk management categories, many of which extend beyond isolated content security issues. The categories are: vulnerability, physical, legal, trust, identity, human and geopolitical, and together they encompass security requirements that involve anti-malware protection, data-leakage protection, enterprise risk management and disaster planning.

According to Cisco the report’s findings reinforce the fact that security threats and attacks have become more global and sophisticated. As the adoption of more and more IP-connected devices, applications and communication methods increases, the opportunity emerges for a greater number of attacks.

Years ago, viruses and worms (Code Red, Nimda, and others) ransacked computer systems to cause damage and gain notoriety. As Internet adoption and e-commerce increased, blended threats (spam-enabled phishing attacks, botnets, and so on) evolved with the intent to steal money and personal information. This ‘stealth-and-wealth’ approach subsequently evolved into a more worldwide phenomenon that frequently features more than one of the seven risk categories.

According to Stewart, information security is no longer just a battle against a virus or spam attack. There are oftentimes legal, identity-based and geopolitical factors involved. As examples he points to identity theft at major retailers and a recent distributed denial-of-service attack allegedly launched by politically motivated hackers within Russia  on its neighbor Estonia this spring. The cyber attack, which reportedly stemmed from outrage over Estonian authorities’ decision to move a Soviet-era war memorial from a park, shut down many of the country’s government Web sites.

“Cybercrime is evolving before our eyes, oftentimes using well-known techniques seen before only in electronic form,” offers Stewart. “You just can't afford to view information security threats as a standalone duel against a virus or a phishing attack; threats involve social engineering and technology, trust and pervasive use. Today, the effort to secure businesses, personal identities and countries requires a greater level of coordination among parties that have not traditionally worked together as closely as they’ll need to. IT security teams, businesses, government, law enforcement, consumers, citizens: they’re all targets, yet they’re also allies. The effectiveness of national, enterprise and personal security will depend on the collaboration and communication among all of these constituencies.”

Stewart and Goddard reckon the key to this collaboration is education. The Cisco report offers several recommendations for each of the seven risk-management categories. Some of the noteworthy recommendations include:
·         conduct regular audits within organisations of attractive targets and evaluate the avenues that can be used to attack them. “Exploits are too often successful because of not following security basics: host-based intrusion prevention, patches and upgrades with security fixes, and regular audits,” Stewart notes
·         understand the notion that threats follow usage patterns. “Where the majority goes, attackers will follow,” says Goddard. “Every time a new application or device enters the fold, new threats will emerge”
·         change the mindset of employees, consumers and citizens who consider themselves innocent bystanders and empower them to become active influencers with shared ownership over security responsibilities. IT teams should help lead this charge, but it’s not solely their problem
·         make security education a priority. Businesses, security vendors, and government agencies need to invest in security education and awareness-building. This effort should include industry-wide collaboration among partners and competitors
·         institutionalise IT security education by incorporating it into school curricula
·         consider more than just performance when building a secure network. Focus on the network’s ability to collaborate, inspect, adapt and resolve security issues end to end, from gateways and servers to desktops and mobile devices
·         security vendors need to provide comprehensive security solutions that extend throughout the network infrastructure, application mix and data itself

The free Cisco report can be accessed at: http://www.cisco.com/web/about/security/cspo/docs/Cisco2007Annual_Security_Report.pdf

And in another new IT security analysis e-mail and Web security appliance specialist Barracuda Networks has released its ‘Annual Spam Report’ The findings of this document include:
·         the majority of business professionals view spam e-mail as the worst form of junk advertising - worse than postal junk mail and telemarketing calls
·         spam e-mail accounted for 90% to 95% of all e-mail in 2007, up from an estimated 5% of e-mail in 2001

The Barracuda study, based on an analysis of more than 1bn daily e-mail messages sent to its more than 50,000 customers worldwide, found that 90% to 95% of all e-mail sent in 2007 was spam, increasing from an estimated 85% to 90% of e-mail in 2006.

“The spam war is a continuous battle between spammers and security vendors,” states Dean Drako, president and ceo of Barracuda Networks. “Security vendors now require 24-by-7 defense operations to continuously monitor the Internet for new spam trends and distribute new defensive solutions immediately. This combination can block a new spam attack within minutes of its start – virtually at zero hour.”
John Williamson