Cisco’s latest report on the state of cybersecurity opens with a lament that would be astonishing if anyone were paying attention. That is, in fact, the lament: The world doesn’t seem to appreciate how bad the cybersecurity threat is getting.
Cisco begins its 2017 Mid-Year Cybersecurity Report noting that it’s been warning about cyberthreats for nearly nine years, striving “to alert defenders to the increasing sophistication of threats and the techniques that adversaries use to compromise users, steal information, and create disruption.”
That’s immediately followed by an observation worthy of Cassandra: “With this latest report, however, we find we must raise our warning flag even higher.”
The pace of attacks is accelerating. The sophistication of attacks is increasing. It’s getting cheaper and easier to launch attacks.
What the report glosses over is that the consequences of cyberattacks are getting more severe. Russian hackers meddled in the 2016 U.S. election. A recent malware attack temporarily knocked out parts of Ukraine’s power grid, while another briefly crippled Britain’s National Health Service.
David Ulevitch, vice president of Cisco Security, didn’t cite those or any other examples in the blog post he wrote to introduce the report, but he acknowledged that the situation is getting more dire. Speaking of hackers, he wrote, “Their aim is not just to attack, but to destroy in a way that prevents defenders from restoring systems and data. We’ve coined a name for adversaries’ new goal: destruction of service (DeOS).”
And even though the threat is increasing, the report says, “the number of security professionals who strongly agreed that their executive leadership considers security a high priority was 59% in 2016—down slightly from 61% in 2015 and 63% in 2014.”
That isn’t stopping the security industry from trying to step up to the challenge. Ulevitch noted there is some good news amid all the bad: The median time it takes to detect a hack has dropped from 39 hours in 2015 to 3.5 hours in recent months.
But security has always been a game of measures and countermeasures, and with threats escalating, it’s inevitable that the security industry will to fail to counter a few, and some of those few could be devastating.
Companies seem to be almost deliberately making it harder to guard against cyberattacks by rushing to develop the internet of things. One of the points of the IoT is that attached devices will number in the millions and will be so cheap that they’re not going to include robust security if they’re going to continue being cheap enough to deploy in the millions.
IoT devices are already being exploited to launch DDoS attacks; one such attack last fall knocked out several prominent websites. In the report, Cisco security experts call IoT devices “strongholds for adversaries.”
Ulevitch again: “We’ve entered what we’re now calling the ‘1-TBps DDoS era,’ where IoT-driven DDoS attacks can cause wide-reaching attacks with the potential to disrupt the Internet itself.”
Another conclusion from the report is that business email compromise is becoming popular with hackers. The company cites Internet Crime Complaint Center estimates that $5.3 billion was stolen between late 2013 and late 2016. That figure does not include ransomware, which led to an another $1 billion in losses in 2016 alone.
Spyware is also an increasing threat, and it often flies under the radar. Supply chain attacks remain a threat; here the idea is to infect one vendor, and the infection will spread through the supply chains that vendor participates in.
Cloud computing vendors insist that they can provide adequate security—sometimes they claim they can even provide better security—but a security lapse in the cloud can be particularly damaging.
In its report, Cisco wrote, “Open authorization (OAuth) risk and poor management of single privileged user accounts create security gaps that adversaries can easily exploit. Malicious hackers have already moved to the cloud and are working relentlessly to breach corporate cloud environments.”
The report devotes roughly a third of its length to discussing how companies can assess their risks, breaking down risk evaluations by vertical (retail, manufacturing, utilities, healthcare, etc.) followed by discussions of practical measures to protect against cyberattacks.