7/29/2019 Raportul Cisco pe Securitate 2013
2013 Cisco Annual Security Report
Cybercriminals are taking advantage of the rapidly expanding attack surface found in today's any-to-any world, where individuals are using any device to access business applications in a network environment that utilizes decentralized cloud services. The 2013 Cisco Annual Security Report highlights global threat trends based on real-world data, and provides insight and analysis that helps businesses and governments improve their security posturing for the future. The report combines expert research with security intelligence that was aggregated from across Cisco, focusing on data collected during the 2012 calendar year.
Contents
The Nexus of Devices, Clouds, and Applications 6
Endpoint Proliferation 12
Services Reside in Many Clouds 18
Blending of Business and Personal Use: Millennials and the Workplace 22
Big Data: A Big Deal for Today's Enterprises 28
State of the Exploit: Danger Lurks in Surprising Places 32
Evolutionary Threats: New Methods, Same Exploits 50
Spam the Ever Present 58
Security Outlook 2013 70
About Cisco Security Intelligence Operations 74
The Nexus of Devices, Clouds, and Applications

While this evolution is not unexpected, today's enterprises may be unprepared for the reality of navigating an any-to-any world, at least from a security perspective.

"The crux of the any-to-any issue is this: We're quickly reaching the point where it is increasingly less likely that a user is going to access a business through an enterprise network," says Chris Young, Senior Vice President of the Security and Government Group at Cisco. "More and more, it's about any device in any location coming over any instantiation of the network. Internet-enabled devices (smartphones, tablets, and more) are trying to connect to applications that could be running anywhere, including in a public SaaS cloud, in a private cloud, or in a hybrid cloud."

At the same time, another evolution is underway: a steady movement toward the formation of the Internet of Everything. This is the intelligent connection of:

People: Social networks, population centers, digital entities
Processes: Systems, business processes
Data: World Wide Web, information
Things: Physical world, devices and objects
The Internet of Everything builds on an Internet of Things[1] foundation by adding network intelligence that allows convergence, orchestration, and visibility across previously disparate systems. Connections in the Internet of Everything aren't just about mobile devices or laptops and desktops, but also the rapidly growing number of machine-to-machine (M2M) connections coming online each day. These "things" are often objects we take for granted or rely on each day, and don't traditionally think of as being connected, such as a home heating system, a wind turbine, or a car.

The Internet of Everything is a future state, to be sure, but is not so distant when the any-to-any issue is considered. And while it, too, will create security challenges for enterprises, it will bring new opportunities as well. "Amazing things will happen and be created as the Internet of Everything grows," says Nancy Cam-Winget, a distinguished engineer, Cisco. "The growth and convergence of people, processes, data, and things on the Internet will make networked connections more relevant and valuable than ever before. Ultimately, the Internet of Everything will create new capabilities, richer experiences, and unprecedented economic opportunities for countries, businesses, and individuals."

How the Cloud Complicates Security

The challenge of securing a wide range of applications, devices, and users, whether in an any-to-any or Internet of Everything context, is made tougher by the popularity of the cloud as a means of managing enterprise systems. According to data compiled by Cisco, global data center traffic is expected to quadruple over the next five years, and the fastest-growing component is cloud data. By 2016, global cloud traffic will make up nearly two-thirds of total data center traffic.

Piecemeal security solutions, such as applying firewalls to a changeable network edge, don't secure data that is now constantly in motion among devices, networks, and clouds. Even among data centers, which now house organizations' crown jewels (big data), virtualization is becoming more the rule than the exception. Addressing security challenges presented by virtualization and the cloud requires rethinking security postures to reflect this new paradigm: perimeter-based controls and old models of access and containment need to be changed to secure the new business model.

Connected Workers and Data Privacy

Another complicating factor in the any-to-any equation is young, mobile workers. This group believes they should be able to do business wherever they happen to be and on whatever devices they have at hand. Featured in this year's 2013 Cisco Annual Security Report are findings from the 2012 Cisco Connected World Technology Report, which build on research conducted in 2011 about the changing attitudes that college students and young professionals around the globe have toward work, technology, and security.

The latest study shines even more light on these workers' attitudes toward security, with a special focus on privacy and how much or how often a company can intrude on an employee's desire to freely roam the Internet while at work. The 2012 Cisco Connected World Technology Report study also examines whether online privacy is still something that all users actively worry about.

Data Analysis and Global Security Trends

The 2013 Cisco Annual Security Report includes in-depth analysis of web malware and spam trends, based on research conducted by Cisco. While many who operate in the
shadow economy have centered their efforts in recent years on developing increasingly sophisticated techniques, Cisco's research makes clear that cybercriminals are often turning to well-known and basic methods to compromise users.

The rise in distributed denial of service (DDoS) attacks over the past year is just one example of the trend toward "what's old is new again" in cybercrime. For several years, DDoS attacks, which can paralyze Internet service providers (ISPs) and disrupt traffic to and from targeted websites, have been low on the list of IT security priorities for many enterprises. However, recent campaigns against a number of high-profile companies, including U.S. financial institutions,[2] serve as a reminder that any cybersecurity threat has the potential to create significant disruption, and even irreparable damage, if an organization is not prepared for it. Therefore, when creating their business continuity management plans, enterprises would be wise to consider how they would respond to and recover from a disruptive cyber event, whether that event takes the form of a DDoS attack directed at the company; a critical, Internet-enabled manufacturing facility suddenly going offline; an advanced multistage attack by the criminal underground; or something else never before seen.

"While the IT security discussion has suffered more than its fair share of alarmism over the years, we are seeing some disturbing changes in the threat environment facing governments, companies, and societies," says John N. Stewart, Senior Vice President and Chief Security Officer at Cisco. "Cybercrime is no longer an annoyance or another cost of doing business. We are approaching a tipping point where the economic losses generated by cybercrime are threatening to overwhelm the economic benefits created by information technology. Clearly, we need new thinking and approaches to reducing the damage that cybercrime inflicts on the well-being of the world."
Endpoint Proliferation

Considering that less than 1 percent of things in the physical world are connected today, there remains vast potential to connect the unconnected.[4] It is projected that with an Internet that already has an estimated 50 billion things connected to it, the number of connections will increase to 13,311,666,640,184,600 by the year 2020. Adding just one more Internet-connected thing (50 billion + 1) will increase the number of connections by another 50 billion.[5]

As for the things that will eventually comprise the "everything," they will range from smartphones to home heating systems to wind turbines to cars. Dave Evans, Cisco's Chief Futurist with the Internet Business Solutions Group, explains the concept of endpoint proliferation like this: "When your car becomes connected to the Internet of Everything in the near future, it will simply increase the number of things on the Internet by one. Now, think about the numerous other elements to which your car could be connected: other cars, stoplights, your home, service personnel, weather reports, warning signs, and even the road itself."[6]
Figure 1: The Internet of Everything. The Internet of Everything is the intelligent connection of people, processes, data, and things. (Figure labels: People to Machine (P2M), People to People (P2P), Machine to Machine (M2M); People, Data, Process, Things; Business, Home, Mobile.)
In the Internet of Everything, connections are what matter most. The types of connections, not the number, are what create value between people, processes, data, and things. And eventually, the number of connections will dwarf the number of things.[7] The explosion of new connections already becoming part of the Internet of Everything is driven primarily by the development of more and more IP-enabled devices, but also by the increase in global broadband availability and the advent of IPv6. The security risks posed by the Internet of Everything are not just related to the any-to-any endpoint proliferation that is bringing us closer, day by day, to an even more highly connected world, but also the opportunity for malicious actors to utilize even more inroads to compromise users, networks, and data. The new connections themselves create risk because they will generate even more data in motion that needs to be protected in real time, including the ballooning volumes of big data that enterprises will continue to collect, store, and analyze.

"The Internet of Everything is quickly taking shape, so the security professional needs to think about how to shift their focus from simply securing endpoints and the network perimeter," says Chris Young. "There will be too many devices, too many connections, and too many content types and applications, and the number will only keep growing. In this new landscape, the network itself becomes part of the security paradigm that allows enterprises to extend policy and control over different environments."
Cisco BYOD Update

Endpoint proliferation is a phenomenon Cisco knows well within its own organization of 70,000 employees worldwide. Since formalizing its BYOD practice two years ago, the company has witnessed a 79 percent growth rate in the number of mobile devices in use in the organization.

The Cisco 2011 Annual Security Report[8] first examined Cisco's unfolding BYOD journey, which is part of the organization's ongoing and broader transition toward becoming a "virtual enterprise." By the time Cisco reaches the last stage of its planned journey, which will take several years, the company will be increasingly location- and service-independent, and enterprise data still will be secure.[9]

In 2012, Cisco added about 11,000 smartphones and tablet computers companywide, or about 1,000 new Internet-enabled devices per month. "At the end of 2012, there were nearly 60,000 smartphones and tablets in use in the organization, including just under 14,000 iPads, and all of them were Bring Your Own (BYO)," says Brett Belding, Senior Manager Overseeing Cisco IT Mobility Services. "Mobile at Cisco is now BYO, period."

The device type that's seen the biggest increase in use at Cisco is the Apple iPad. "It's fascinating to think that three years ago, this product didn't even exist," says Belding. "Now, there are more than 14,000 iPads being used at Cisco every day by our employees for a variety of activities, both personal- and work-related. And employees are using iPads in addition to their smartphones."

As for smartphones, the number of Apple iPhones in use at Cisco has almost tripled in two years' time to nearly 28,600. RIM BlackBerry, Google Android, and Microsoft Windows devices are also included in the BYOD program at Cisco. Employees make the choice to trade having access to corporate data on their personal device with agreement on security controls. For example, if you want to check your email and calendar on your device, you have to take Cisco's security profile that enforces remote wipe, encryption, and passphrase.
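As an added illustration (not Cisco's code and not a Cisco ISE or MDM API), the following policy gate models the trade just described: a personal device is granted corporate email and calendar only when it has accepted a profile that enforces the three controls the report names (remote wipe, encryption, passphrase). The attribute names, the resource names and the sample device records are constructed assumptions.

```python
"""Added example (not Cisco's code): a minimal BYOD access-policy gate.

Models the trade described in the report: a personal device gets corporate
email and calendar only if it has taken a security profile enforcing remote
wipe, encryption, and a passphrase. The policy table, attribute names and
device records below are constructed for illustration; they are not a real
MDM or Cisco ISE data model.
"""
from dataclasses import dataclass

# The three controls named in the report, keyed by the attribute an MDM agent
# might report (attribute names are assumptions).
CONTROLS = ("remote_wipe", "encryption", "passphrase")

# Resource -> controls that must be in place before access is granted.
# Constructed policy: corporate mail needs all three; a guest network needs none.
ACCESS_POLICY = {
    "email_calendar": frozenset(CONTROLS),
    "guest_wifi": frozenset(),
}


@dataclass
class DeviceState:
    """Compliance attributes reported for one BYO device (constructed)."""
    device_id: str
    platform: str
    remote_wipe: bool = False
    encryption: bool = False
    passphrase: bool = False
    # The report describes a profile the employee has to "take". Model that
    # acceptance explicitly: a device whose settings happen to be on but that
    # never enrolled in the managed profile is still not trusted.
    profile_accepted: bool = False

    def satisfied_controls(self) -> frozenset:
        return frozenset(c for c in CONTROLS if getattr(self, c))


def evaluate_access(device: DeviceState, resource: str) -> tuple:
    """Return (allowed, reasons); reasons is empty when access is allowed.

    Deny-by-default: an unknown resource is refused rather than waved through.
    """
    if resource not in ACCESS_POLICY:
        return (False, [f"unknown_resource:{resource}"])
    required = ACCESS_POLICY[resource]
    reasons = []
    if required and not device.profile_accepted:
        reasons.append("profile_not_accepted")
    satisfied = device.satisfied_controls()
    for control in CONTROLS:              # fixed order keeps the output stable
        if control in required and control not in satisfied:
            reasons.append(f"missing:{control}")
    return (not reasons, reasons)


# Constructed sample fleet: one compliant iPad, one Android with encryption
# off, one iPhone with every setting on but no accepted profile.
SAMPLE_DEVICES = {
    "ipad-ok": DeviceState("ipad-ok", "iPad", True, True, True, True),
    "android-noenc": DeviceState("android-noenc", "Android",
                                 remote_wipe=True, encryption=False,
                                 passphrase=True, profile_accepted=True),
    "iphone-unenrolled": DeviceState("iphone-unenrolled", "iPhone",
                                     True, True, True, profile_accepted=False),
}


def access_report(devices=SAMPLE_DEVICES, resource="email_calendar") -> dict:
    """Map device_id -> (allowed, reasons) for one resource."""
    return {d_id: evaluate_access(dev, resource) for d_id, dev in devices.items()}


if __name__ == "__main__":
    for d_id, (allowed, reasons) in access_report().items():
        print(f"{d_id:18} {'ALLOW' if allowed else 'DENY ':5} {' '.join(reasons)}")
```

The gate returns the list of failed conditions rather than a bare boolean so that the self-service enrolment flow the report describes can tell the employee exactly which control to turn on; the unenrolled iPhone case shows why the profile acceptance is checked separately from the individual settings.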
Social support has been a key component of the BYOD program at Cisco from the start. "We rely heavily on [the enterprise collaboration platform] WebEx Social as our BYOD support platform, and it's paid huge dividends," says Belding. "We have more devices supported than ever before and, at the same time, we've had the fewest number of support cases. Our goal is that someday an employee can simply bring in any device and self-provision using the Cisco Identity Services Engine (ISE) and set up our core WebEx collaboration tools, including Meeting Center, Jabber, and WebEx Social."

The next step for BYOD at Cisco, according to Belding, is to further improve security by increasing visibility and control over all user activity and devices, on both the physical network and virtual infrastructure, while improving the user experience. "Caring about the user experience is a core 'consumerization of IT' trend," says Belding. "We're trying to apply this concept to our organization. We have to. I think what we're seeing now is an 'IT-ization' of users. We're beyond the point of them asking, 'Can I use this device at work?' Now they're saying, 'I understand you need to keep the enterprise secure, but don't interfere with my user experience.'"

Figure 2: Mobile devices in use at Cisco by platform (iPhone, iPad, BlackBerry, Android, Other, Total), December 2010, December 2011, and December 2012.
Services Reside in Many Clouds

Of this tremendous growth, the fastest-growing component is cloud data. Global cloud traffic will increase six-fold over the next five years, growing at a rate of 44 percent from 2011 to 2016. In fact, global cloud traffic will make up nearly two-thirds of total data center traffic by 2016.[11]

This explosion in cloud traffic raises questions about the ability of enterprises to manage this information. In the cloud, the lines of control are blurred: Can an organization place safety nets around its cloud data when they don't own and operate the data center? How can even basic security tools such as firewalls and antivirus software be applied when the network edge cannot be defined?

No matter how many security questions are raised, it's clear more and more enterprises are embracing the benefits of clouds, and those
that have are not likely to return to the private data center model. While the opportunities of the cloud for organizations are many, including cost savings, greater workforce collaboration, productivity, and a reduced carbon footprint, so are the possible security risks that enterprises face as a result of moving business data and processes to the cloud.

Hypervisors

If compromised, this software that creates and runs virtual machines could lead to mass hacking or data compromise against multiple servers, applying the same ease of management and access that virtualization provides to a successful hack. A rogue hypervisor (taken control of by "hyperjacking") can take complete control of a server.[12]

Lowered cost of entry

Virtualization has lowered the cost of entry to provide services like a virtual private server (VPS). Compared to older hardware-based data center models, we are seeing a growth in quick, cheap, and easily available infrastructure for criminal activities. For instance, there are many VPS services available for instant sale (with the ability to purchase using Bitcoin or other hard-to-trace payment types) that are targeted to the criminal underground. Virtualization has made infrastructure much cheaper and easier to provide, with little to no policing of activities.

Decoupling of virtualized applications

Because virtualized applications are decoupled from the physical resources they use, it becomes more difficult for enterprises to apply traditional security approaches. IT providers seek to minimize cost with a very elastic offering in which they can move resources as needed, contrasted with the security group seeking to collocate services of like security posture and keep them apart from others that may be less secure.
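The tension in the last paragraph, between the provider's capacity-driven scheduler and the security group's wish to keep unlike postures apart, can be made concrete with a toy placement scheduler. The code below is an added example, not from the report, Virtuata or Cisco: it runs the same constructed workloads through a capacity-only strategy and a posture-aware strategy and then audits which hosts ended up mixing tiers. Host names, tier labels and workloads are constructed assumptions, and nothing here is a real hypervisor or cloud API.

```python
"""Added example (not from the report, Virtuata, or Cisco): a toy placement
scheduler that applies the security group's constraint from the passage
above, keeping workloads of unlike security posture off the same host.

Two strategies are compared on the same constructed fleet: capacity-only
placement (the provider's elastic view) and posture-aware placement. An
audit then lists hosts that mix postures. Host names, tiers and workloads
are constructed; nothing here is a real hypervisor or cloud API.
"""


class PlacementError(Exception):
    """Raised when no host satisfies the placement rule."""


class Host:
    def __init__(self, name: str, capacity: int):
        self.name = name
        self.capacity = capacity          # constructed: slots, not real CPU/RAM
        self.workloads = []               # list of (workload_name, tier)

    def free_slots(self) -> int:
        return self.capacity - len(self.workloads)

    def tiers(self) -> set:
        return {tier for _, tier in self.workloads}


def place_elastic(name: str, tier: str, hosts: list) -> Host:
    """Provider's view: first host with spare capacity, posture ignored."""
    for host in hosts:
        if host.free_slots() > 0:
            host.workloads.append((name, tier))
            return host
    raise PlacementError(f"no capacity for {name}")


def place_segregated(name: str, tier: str, hosts: list) -> Host:
    """Security group's view: a host may run one posture only.

    Prefer a host already dedicated to this tier, then an empty host;
    refuse rather than mix tiers on one hypervisor.
    """
    candidates = [h for h in hosts if h.free_slots() > 0]
    for host in candidates:
        if host.tiers() == {tier}:
            host.workloads.append((name, tier))
            return host
    for host in candidates:
        if not host.workloads:
            host.workloads.append((name, tier))
            return host
    raise PlacementError(f"no host of posture {tier!r} with room for {name}")


def audit_mixed_hosts(hosts: list) -> list:
    """Names of hosts that hold more than one security tier."""
    return [h.name for h in hosts if len(h.tiers()) > 1]


def build_hosts() -> list:
    """Constructed fleet: three hypervisors with two slots each."""
    return [Host("hv-1", 2), Host("hv-2", 2), Host("hv-3", 2)]


# Constructed workloads; the tier strings are a constructed posture label.
WORKLOADS = [
    ("web-frontend", "public"),
    ("payroll-db", "restricted"),
    ("wiki", "internal"),
    ("payroll-app", "restricted"),
]


def run_scenario(strategy) -> tuple:
    """Place every workload with `strategy`; return ({workload: host}, mixed_hosts)."""
    hosts = build_hosts()
    placements = {name: strategy(name, tier, hosts).name for name, tier in WORKLOADS}
    return placements, audit_mixed_hosts(hosts)


if __name__ == "__main__":
    for strategy in (place_elastic, place_segregated):
        placements, mixed = run_scenario(strategy)
        print(strategy.__name__, placements, "mixed-posture hosts:", mixed)
```

The elastic strategy packs the public web front end next to the restricted payroll database on the first host with room, which is exactly the co-residency the audit flags; the segregated strategy spends one more host to avoid it and raises a PlacementError instead of quietly mixing tiers when no suitable host remains, which is the behaviour a security group would want surfaced to the operator rather than hidden.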
"Virtualization and cloud computing create problems just like those of BYOD, but turned on their head," says Joe Epstein, former Chief Executive Officer of Virtuata, a company acquired by Cisco in 2012 that provides innovative capabilities for securing virtual machine-level information in data centers and cloud environments. "High-value applications and high-value data are now moving around the data center. And the notion of virtual workloads makes enterprises uncomfortable. In the virtual environment, how do you know you can trust what you're running? The answer is that you haven't been able to so far, and that uncertainty has been a key barrier to cloud adoption."

But Epstein notes that it is becoming increasingly difficult for enterprises to ignore virtualization and the cloud. "The world is going to share everything," he says. "Everything will be virtualized; everything will be shared. It will not make sense to continue running only private data centers; hybrid clouds are where IT is heading."

The answer to these growing cloud and virtualization challenges is adaptive and responsive security. In this case, security must be a programmable element seamlessly integrated into the underlying data center fabric, according to Epstein. In addition, security needs to be built in at the design phase, instead of being bolted on post-implementation.
Blending of Business and Personal Use: Millennials and the Workplace

According to the 2012 Cisco Connected World Technology Report study, two-thirds of respondents believe employers should not track employees' online activities on company-issued devices. In short, they do not think employers have any business monitoring such behavior. Only about one-third (34 percent) of workers surveyed say they don't mind if employers track their online behavior.

Only one in five respondents say their employers do track their online activities on company-owned devices, while 46 percent say their employers do not track activity. Findings for the latest Connected World study also show that Millennials have strong feelings about employers tracking the online activity of workers, even those who report they work at organizations where such tracking does not occur.
Compounding the challenges for security professionals, there appears to be a disconnect between what employees think they can do with their company-issued devices and what policies IT actually dictates about personal usage. Four out of 10 respondents say they are supposed to use company-issued devices for work activity only, while a quarter say they are allowed to use company devices for non-work activity. However, 90 percent of IT professionals surveyed say they do indeed have policies that prohibit company-issued devices being used for personal online activity, although 38 percent acknowledge that employees break policy and use devices for personal activities in addition to doing work. You can find information about Cisco's approach to these BYOD challenges on page 16.

Privacy and Millennials

According to the 2012 Cisco Connected World Technology Report, Millennials have accepted the fact that, thanks to the Internet, personal privacy may be a thing of the past. 91 percent of young consumers surveyed say that the age of privacy is over and believe they can't control the privacy of their information, with one third of respondents reporting they are not worried about the data that is stored and captured about them.

In general, Millennials also believe their online identity is different from their offline identity. 45 percent say these identities are often different depending on the activity in question, while 36 percent believe these identities are completely different. Only 8 percent believe these identities are the same.

Young consumers also have high expectations that websites will keep their information private, often feeling more comfortable sharing data with large social media or community sites given the cloak of anonymity the crowd provides. Forty-six percent say they expect certain websites to keep their information secure, while 17 percent say they trust most websites to keep their information private. However, 29 percent say that not only do they not trust websites to keep their information private; they are very concerned about security and identity theft. Compare this to the idea of sharing data with an employer who has the context about who they are and what they do.

"Millennials are now entering the workplace and bringing with them new working practices and attitudes to information and the associated security thereof. They believe in the demise of privacy, that it's simply defunct in practice, and it's in this paradigm that organizations must operate, a concept that will be alarming to the older generation in the workplace," says Adam Philpott, Director, EMEAR Security Sales, Cisco. "Organizations can, however, look to provide information security education to their employees to alert them to the risks and provide guidance on how best to share information and leverage online tools within the realms of data security."
Why Enterprises Need to Raise Awareness of Social Media Disinformation
by Jean Gordon Kocienda, Global Threat Analyst, Cisco

Social media has been a boon for many enterprises; the ability to connect directly with customers and other audiences via Twitter and Facebook has helped many organizations build brand awareness via online social interaction.

The flip side of this lightning-fast direct communication is that social media can allow inaccurate or misleading information to spread like wildfire. It isn't hard to imagine a scenario in which a terrorist coordinates on-the-ground attacks by using misleading tweets with the intent to clog roads or phone lines, or to send people into the path of danger. One example: India's government blocked hundreds of websites and curbed texts[13] this summer in an attempt to restore calm in the north-eastern part of the country after photographs and text messages were posted. The rumors prompted thousands of panicked migrant workers to flood train and bus stations.

Similar social media disinformation campaigns have affected market prices as well. A hijacked Reuters Twitter feed reported that the Free Syrian Army had collapsed in Aleppo. A few days later, a Twitter feed was compromised, and a purported top Russian diplomat tweeted that Syrian President Bashar Al-Assad was dead. Before these accounts could be discredited, oil prices on international markets spiked.[14]

Security professionals need to be alert to such fast-moving and potentially damaging social media posts, especially if they are directed at the enterprise itself and quick action is needed to defend networks from malware, alert employees to a bogus phishing attempt, re-route a shipment, or advise employees regarding safety. The last thing security executives want to do is alert managers to a breaking story that turns out to be a hoax.

The first safeguard against falling for fabricated stories is to confirm the story across multiple sources. At one time, journalists did this job for us, so that by the time we read or heard the news, it was vetted. These days, many journalists are getting their stories from the same Twitter feeds that we are, and if several of us all fall for the same story, we can easily mistake re-tweets for story confirmation.

For fast-breaking news requiring quick action, your best bet may be to use the old-fashioned "sniff test." If the story seems far-fetched, think twice before repeating or citing it.[15]
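The warning above that re-tweets are easily mistaken for confirmation is the kind of check an analyst can automate before escalating a breaking story. The code below is an added example, not part of the report and not the author's: it collapses each re-share onto the post it ultimately derives from and counts distinct originating accounts, so five posts that all trace back to one account count as a single source. The post records and field names are constructed assumptions, not any social-network API.

```python
"""Added example (not from the report or its author): counting independent
sources for a breaking claim, so that a pile of re-tweets is not mistaken
for confirmation.

Posts are modelled as constructed records; the field names are assumptions
and not any social-network API. A post that only re-shares another post is
collapsed onto the post it ultimately derives from, and the number of
distinct originating accounts is what counts toward confirmation.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Post:
    post_id: str
    author: str
    text: str
    reshare_of: Optional[str] = None   # post_id this post re-shares, if any


def resolve_origin(post: Post, by_id: dict) -> Post:
    """Follow re-share links to the original post (cycle-safe).

    A re-share whose target is not in the set (deleted or unseen) is kept as
    its own origin rather than dropped, since we cannot prove it derivative.
    """
    seen = set()
    while post.reshare_of is not None and post.reshare_of in by_id:
        if post.post_id in seen:
            break                      # malformed chain; stop at current post
        seen.add(post.post_id)
        post = by_id[post.reshare_of]
    return post


def independent_sources(posts: list) -> set:
    """Distinct accounts that originated (did not merely re-share) a post."""
    by_id = {p.post_id: p for p in posts}
    return {resolve_origin(p, by_id).author for p in posts}


def confirmation(posts: list, min_sources: int = 2) -> dict:
    """Summarise how much independent support a claim has.

    min_sources is the policy knob: how many distinct originating accounts
    are required before the story is treated as corroborated.
    """
    sources = independent_sources(posts)
    return {
        "posts": len(posts),
        "independent_sources": sorted(sources),
        "corroborated": len(sources) >= min_sources,
    }


# Constructed timeline: one outlet posts a claim, four accounts re-share it
# (one re-shares a re-share). Five posts, but a single originating account.
RESHARE_STORM = [
    Post("1", "@wire-desk", "BREAKING: port closed after incident"),
    Post("2", "@user-a", "RT @wire-desk", reshare_of="1"),
    Post("3", "@user-b", "RT @wire-desk", reshare_of="1"),
    Post("4", "@user-c", "RT @user-a", reshare_of="2"),
    Post("5", "@user-d", "RT @wire-desk", reshare_of="1"),
]

# Same storm plus a second outlet reporting on its own.
WITH_SECOND_SOURCE = RESHARE_STORM + [
    Post("6", "@port-authority", "Port operations suspended, details to follow"),
]

if __name__ == "__main__":
    print(confirmation(RESHARE_STORM))
    print(confirmation(WITH_SECOND_SOURCE))
```

The count says nothing about whether the originating account is itself genuine (the hijacked Reuters feed in the passage would still count as one source), so it is a floor for escalation, not a substitute for the sniff test; its job is to stop volume alone from looking like corroboration.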
Big Data: A Big Deal for Today's Enterprises

The 2012 Cisco Connected World Technology Report examined the impact of the big-data trend on enterprises, and more specifically, their IT teams. According to the study's findings, about three-quarters (74 percent) of organizations globally are already collecting and storing data, and management is using analysis of big data to make business decisions. Additionally, seven in 10 IT respondents reported that big data will be a strategic priority for their company and IT team in the year ahead.

As mobility, cloud, virtualization, endpoint proliferation, and other networking trends evolve or emerge, they will pave the way for even more big data and analytics opportunities for businesses. But there are security concerns about big data. The 2012 Connected World study's findings show that a third of respondents (32 percent) believe big data complicates security requirements and protection of data and networks because there is so much data and too many ways of accessing it. In short, big data increases the vectors and angles that enterprise security teams, and security solutions, must cover.
Korea (45 percent), Germany
(42 percent), the United States
(40 percent), and Mexico (40 percent)
had the highest percentages o
IT respondents who believe big
data complicates security. To help
ensure security, the majority o IT
respondentsmore than two-thirds
(68 percent)believe the entire IT
team should participate in strategizing
and leading big data eorts withintheir companies. Gavin Reid, Director
o Threat Research or Cisco Security
Intelligence Operations, says Big data
doesnt complicate securityit makes it
possible. At Cisco we collect and store
2.6 trillion records every daythat
orms the platorm rom which we can
start incident detection and control.
As or solutions designed to help
enterprises both better manage and
unlock the value o their big data, thereare barriers to adoption. Respondents
pointed to lack o budget, lack o time
to study big data, lack o appropriate
solutions, lack o IT sta, and lack
o IT expertise. The act that almost
one in our respondents globally
(23 percent) said lack o expertise
and personnel was an inhibitor to their
enterprises ability to use big data
eectively indicates a need or moreproessionals entering the job market
to be trained in this area.
The cloud is a actor in big data
success, as well, according to 50
percent o IT respondents to the 2012
Connected Worldstudy. They believe
their organizations need to work
through cloud plans and deployments
to make big data a worthwhile venture.
This sentiment was prominent in China
(78 percent) and India (76 percent),
where more than three out o our
respondents believed there was a
dependency on cloud beore big
data could truly take o. As a result,
in some cases, the study indicates
cloud adoption will impact the rate o
adoptionand beneitso big-data
eorts.
More than half of overall IT respondents also confirmed that big-data discussions within their companies are not fruitful yet. That is not surprising considering the market is just now trying to understand how to harness big data, analyze it, and use it strategically. In some countries, however, big-data discussions are resulting in meaningful decisions on strategy, direction, and solutions. China (82 percent), Mexico (67 percent), India (63 percent), and Argentina (57 percent) lead in this regard, with well over half of the respondents from these countries claiming that big-data discussions in their organizations are well underway and leading to solid actions and results.
Three out of five IT respondents to the 2012 Connected World Report believe big data can help countries and their economies become more competitive in the global marketplace.
Korea, Germany, the United States, and Mexico had the highest percentages of IT respondents who believe big data complicates security.
State of the Exploit

Danger Lurks in Surprising Places
The general belief is that sites that promote criminal activity, such as sites selling illegal pharmaceuticals or counterfeit luxury goods, are the most likely to host malware. Our data shows that this notion is outdated: web malware encounters are typically not the by-product of "bad" sites in today's threat landscape.
"Web malware encounters occur everywhere people visit on the Internet, including the most legitimate of websites that they visit frequently, even for business purposes," says Mary Landesman, Senior Security Researcher with Cisco. Indeed, business and industry sites are one of the top three categories visited when a malware encounter occurred. Of course, this isn't the result of business sites that are designed to be malicious. The dangers, however, are often hidden in plain sight through exploit-laden online ads that are distributed to legitimate websites, or through attackers targeting the user community on the common sites they use most.
In addition, malware-infected websites are prevalent across many countries and regions, not just in one or two countries, dispelling the notion that some countries' websites are more likely to host malicious content than others. "The web is the most formidable malware delivery mechanism we've seen to date, outpacing even the most prolific
worm or virus in its ability to reach and infect a mass audience silently and effectively," says Landesman. Enterprises need protection, even if they block common bad sites, with additional granularity in inspection and analysis.
Malware Encounters by Company Size

The largest enterprises (25,000+ employees) have more than 2.5 times the risk of encountering web malware than smaller companies. This increased risk may be a reflection that larger companies possess more high-value intellectual property and thus are more frequently targeted. While smaller companies have fewer web malware encounters per user, it is important to note that all companies, regardless of size, face significant risk of web malware encounters. Every organization should focus on the fundamentals of securing its network and intellectual property.
Malware Encounters by Country

Cisco's research shows significant change in the global landscape for web malware encounters by country in 2012. China, which was second on the list in 2011 for web malware encounters, fell dramatically to sixth position in 2012. Denmark and Sweden now hold the third and fourth spots, respectively. The United States retains the top ranking in 2012, as it did in 2011, with 33 percent of all web malware encounters occurring via websites hosted in the United States.

Changes in geographical location between 2011 and 2012 likely reflect both changes in detection and user habits. For example, malvertising, or malware delivered via online ads, played a more significant role in web malware encounters in 2012 than in 2011. It is worth repeating that web malware encounters most frequently occur via normal browsing of legitimate websites that may have been compromised or are unwittingly serving malicious advertising. Malicious advertising can affect any website, regardless of the site's origin.

Overall, the geographical data for 2012 demonstrates that the web is an equal-opportunity infector, contrary to the perceptions that only one or two countries are responsible for hosting web malware or that any one country is safer than another. Just as the dynamic content delivery of Web 2.0 enables the monetization of websites across the globe, it can also facilitate the global delivery of web malware.
Figure 3: Risk by Company Size. Up to 2.5 times more risk of encountering web malware for large organizations. (Chart; the x-axis is number of employees, in the buckets 250 or less, 251-500, 501-1,000, 1,001-2,500, 2,501-5,000, 5,001-10,000, 10,001-25,000, and above 25,000.)
Figure 4: Web Malware Encounters by Country. One-third of all web malware encounters resulted from domains hosted in the United States. (Chart data: share of 2012 web malware encounters by hosting country, ranked; the original also marks each country as a gain or a decline from 2011.)

 1. United States    33.14%
 2. Russia            9.79%
 3. Denmark           9.55%
 4. Sweden            9.27%
 5. Ireland           6.11%
 6. China             5.65%
 7. United Kingdom    4.07%
 8. Turkey            2.63%
 9. Germany           2.27%
10. Netherlands       1.95%
Of course, there is a distinct difference between where a web malware encounter occurs and where the malware is actually hosted. In malvertising, for example, the encounter typically occurs when visiting a reputable, legitimate website that happens to carry third-party advertising. However, the actual malware intended for delivery is hosted on a completely different domain. Since our data is based on where the encounter occurred, it says nothing about the actual malware origin. For instance, the increased popularity of social media and entertainment sites in Denmark and Sweden, coupled with malvertising risks, is largely responsible for the increased encounters from sites hosted in those regions, but it is not indicative of actual malware origin.
Top Web Malware Types in 2012

Android malware grew substantially faster than any other form of web-delivered malware, an important trend given that Android is reported to hold the majority of mobile device market share worldwide. It is important to note that mobile malware encounters comprised only 0.5 percent of all web malware encounters in 2012, with Android accounting for over 95 percent of those mobile encounters. In addition, 2012 saw the emergence of the first documented Android botnet in the wild, indicating that mobile malware developments in 2013 bear watching.

While some experts are claiming Android is the biggest threat, or should be a primary focus for enterprise security teams in 2013, the actual data shows otherwise. As noted above, mobile web malware in general makes up less than 1 percent of total encounters, far from the doomsday scenario many are detailing. The impact of BYOD and the proliferation of devices cannot be overstated, but organizations should be more concerned with threats such as accidental data loss, and with ensuring that employees do not root or jailbreak their devices and only install applications from official and trusted distribution channels. If users choose to go outside official mobile app stores, they should ensure, before downloading an app, that they know and trust the app's author and can validate that the code has not been tampered with.
Looking at the wider landscape for web malware, it is not surprising that malicious scripts and iFrames comprised 83 percent of encounters in 2012. While this is relatively consistent with previous years,
Figure 5: Top Web Malware Types. Android malware encounters grew 2,577 percent over 2012, though mobile malware only makes up a small percentage of total web malware encounters. (Chart data: share of 2012 web malware encounters by type; a second panel plots Android growth month by month, January to December.)

Malscript/Iframe     83.4%
Exploit               9.8%
Infostealing          3.4%
Downloader            1.1%
Worm                  0.89%
Virus                 0.48%
Mobile                0.42%
Scareware             0.16%
Ransomware            0.058%
Malware / Hack Kit    0.057%
Android growth over 2012: 2,577%
it is a finding worthy of reflection. These types of attacks often represent malicious code on trusted webpages that users may visit every day, meaning an attacker is able to compromise users without even raising their suspicion.
Exploits take the second spot, with 10 percent of the total number of web malware encounters last year. However, these figures are largely a result of where the block occurred rather than of the actual concentration of exploits on the web. For example, the 83 percent of malicious scripts and hidden iFrames are blocks that occur at an earlier stage, prior to any exploit rendering; hence, they may artificially decrease the number of exploits observed.
Exploits remain a significant cause of infection via the web, and their continued presence underscores the need for vendors to adopt security best practices in their product lifecycles. Organizations should treat security as part of the product design and development process, with timely vulnerability disclosures and prompt, regular patch cycles. Organizations and users also need to be made aware of the security risks associated with using products that are no longer supported by vendors. It is also critical for organizations to maintain a core vulnerability management process and for users to keep their hardware and software up to date.
Rounding out the top five are infostealers, with 3.5 percent of the total web malware encounters in 2012, downloaders (1.1 percent), and worms (0.8 percent). Once again, these numbers are a reflection of where the block occurs, generally at the point at which the malicious script or iFrame is first encountered. As a result, these numbers do not reflect the actual number of infostealers, downloaders, or worms being distributed via the web.
Top Malware Content Types

Malware creators constantly seek to maximize their return on investment (ROI) by finding ways to reach the largest population of potential victims with the least effort, and they often take advantage of cross-platform technologies when possible. Toward these ends, exploit toolkits generally deliver exploits in a specific order; once a successful exploit has been delivered, no further exploits are attempted. The high concentration of Java exploits, 87 percent of total web exploits, shows that these
Figure 6: Top Malware Content Types for 2012. Java exploits comprised 87 percent of total web exploits. (Three charts: monthly major content types, January to December; total major content types; and exploit content types, which compares Java, PDF, Flash, and ActiveX.)

Total major content types:
Application    65.05%
Text           33.81%
Image           1.09%
Video           0.05%
Audio           0.01%
Message         0.00%
vulnerabilities are attempted prior to other types of exploits and also demonstrates that attackers are finding success with Java exploits. Additionally, with over 3 billion devices running Java,[16] the technology represents a clear way for attackers to scale their attacks across multiple platforms.
Two other cross-platform technologies, PDF and Flash, took the second and third spots in Cisco's analysis of the top content types for malware distribution. Though ActiveX is still being exploited, Cisco researchers have seen consistently low use of the technology as a vehicle for malware. However, as noted earlier regarding Java, lower numbers of certain types of exploits are largely a reflection of the order in which exploits are attempted.
In examining media content, Cisco data reveals almost twice as much image-based malware as non-Flash video. However, this is due, in part, to the way browsers handle declared content types, and to attackers' efforts to manipulate these controls by declaring erroneous content types. In addition, malware command-and-control systems often distribute server information via comments hidden in ordinary image files.
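As an added example, not code from the report, here are the two checks a proxy or sandbox would apply to the behaviour just described: compare the declared Content-Type against the body's magic bytes (so a JAR or SWF served as "image/gif" is caught), and list the free-form text chunks inside a PNG, which is where a comment can ride along without the image decoder ever showing it. The magic table, the MIME aliases, and the sample PNG and JAR header are constructed assumptions so the block runs offline.

```python
"""Check a declared Content-Type against file magic and pull text chunks out of PNGs.

Added example, not Cisco's code. The magic table, the MIME aliases and the sample
files built below are constructed for the demo and are assumptions, not report data.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

# (magic prefix, canonical MIME type)
MAGIC = [
    (PNG_SIG, "image/png"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"%PDF-", "application/pdf"),
    (b"PK\x03\x04", "application/zip"),              # also JAR, APK and OOXML containers
    (b"\xca\xfe\xba\xbe", "application/java-vm"),    # Java class file
    (b"FWS", "application/x-shockwave-flash"),
    (b"CWS", "application/x-shockwave-flash"),       # zlib-compressed SWF
    (b"ZWS", "application/x-shockwave-flash"),       # LZMA-compressed SWF
]

# Declared types that legitimately map onto a sniffed container type.
ALIASES = {
    "application/java-archive": "application/zip",
    "application/x-zip-compressed": "application/zip",
    "image/jpg": "image/jpeg",
}


def sniff_type(data):
    """Return the MIME type implied by the leading bytes, or None if unknown."""
    for magic, mime in MAGIC:
        if data.startswith(magic):
            return mime
    return None


def is_mismatch(declared, data):
    """True when the Content-Type header contradicts the body's magic bytes.
    Unknown magic is not reported: there is nothing to compare against."""
    actual = sniff_type(data)
    if actual is None:
        return False
    declared = declared.split(";", 1)[0].strip().lower()
    return ALIASES.get(declared, declared) != actual


def png_text_chunks(data):
    """Return (keyword, text) pairs from tEXt/zTXt chunks; raises on a bad CRC.
    Decoders ignore these chunks, so they are a natural place to hide a note."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    off, found = len(PNG_SIG), []
    while off + 12 <= len(data):
        length, ctype = struct.unpack_from(">I4s", data, off)
        body = data[off + 8:off + 8 + length]
        crc = struct.unpack_from(">I", data, off + 8 + length)[0]
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError("bad CRC in %r chunk" % ctype)
        if ctype == b"tEXt":
            key, _, text = body.partition(b"\x00")
            found.append((key.decode("latin-1"), text.decode("latin-1")))
        elif ctype == b"zTXt":
            key, _, rest = body.partition(b"\x00")      # rest[0] is the compression method
            found.append((key.decode("latin-1"), zlib.decompress(rest[1:]).decode("latin-1")))
        off += 12 + length
        if ctype == b"IEND":
            break
    return found


def _chunk(ctype, body):
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF)


def make_png_with_comment(keyword, text):
    """Build a valid 1x1 grayscale PNG carrying one tEXt chunk (constructed sample input)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # width, height, depth, colour, ...
    idat = zlib.compress(b"\x00\x00")                      # filter byte + one pixel
    text_chunk = keyword.encode("latin-1") + b"\x00" + text.encode("latin-1")
    return (PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat)
            + _chunk(b"tEXt", text_chunk) + _chunk(b"IEND", b""))


if __name__ == "__main__":
    png = make_png_with_comment("Comment", "srv=198.51.100.7:8080")  # constructed hidden note
    jar = b"PK\x03\x04" + bytes(26)                                    # constructed ZIP/JAR header
    print(sniff_type(png), png_text_chunks(png))
    print(is_mismatch("image/gif", jar), is_mismatch("application/java-archive", jar))
```

Run on real traffic, the mismatch check is a cheap first filter; it says nothing about a file whose magic is not in the table, so an unknown type is left for deeper inspection rather than being declared clean.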
Top Site Category

As Cisco data shows, the notion that malware infections most commonly result from "risky" sites, such as counterfeit software sites, is a misconception. Cisco's analysis indicates that the vast majority of web malware encounters actually occur via legitimate browsing of mainstream websites. In other words, the majority of encounters happen in the places that online users visit the most and think are safe.
Holding the second spot on the list are online advertisements, comprising 16 percent of total web malware encounters. Syndicated advertising is a common means of monetizing websites, so a single malicious ad distributed in this manner can have a dramatic, adverse impact.
Figure 7: Top Site Category. Online shopping sites are 21 times more likely to deliver malicious content than counterfeit software sites.

Note: The Dynamic Content category is at the top of Cisco's list of top locations for the likelihood of malware infections. This category includes content-delivery systems such as web statistics, site analytics, and other non-advertising-related third-party content.

(Chart data: share of 2012 web malware encounters by site category, ranked.)
 1. Dynamic Content & CDN     18.30%
 2. Advertisements            16.81%
 3. Business & Industry        8.15%
 4. Games                      6.51%
 5. Web Hosting                4.98%
 6. Search Engines & Portals   4.53%
 7. Computers & Internet       3.57%
 8. Shopping                   3.57%
 9. Travel                     3.00%
10. Online Communities         2.66%
11. Entertainment              2.57%
12. Online Storage & Backup    2.27%
13. News                       2.18%
14. Sports & Recreation        2.10%
15. File Transfer Services     1.50%
16. SaaS & B2B                 1.40%
17. Web-Based Email            1.37%
18. Education                  1.17%
19. Transportation             1.11%
20. Health & Nutrition         0.97%
Figure 8: Popular Applications by Hits. Social media and online video change how employees spend their time at work, and expose new vulnerabilities.
Looking further down the list of site categories through which malware encounters occurred, business and industry sites, which include everything from corporate sites to human resources to freight services, are in third place. Online gaming is in fourth place, followed by web hosting sites and search engines in fifth and sixth places, respectively. The top 20 website categories contain none of the site types typically thought of as malicious. There is a healthy mix of popular and legitimate site types such as online shopping (#8), news (#13), and SaaS/business-to-business applications (#16).
Cybercriminals have paid close attention to modern browsing habits in order to expose the largest possible population to malware. Where the online users are, malware creators will follow, taking advantage of trusted websites through direct compromise or third-party distribution networks.
Popular Applications by Hits

Changes in how people spend their time online are expanding the surface for cybercriminals to launch exploits. Organizations of all sizes are embracing social media and online video; most major brands have a presence on Facebook and Twitter, and many are integrating social media into their actual products. As these web destinations draw massive audiences and are accepted into enterprise settings, more opportunities to deliver malware are also created.
According to data from Cisco Application Visibility and Control (AVC), the vast majority (91 percent) of web requests were split among search engines (36 percent), online video sites (22 percent), social networks (20 percent), and advertising networks (13 percent).
If the data on the top websites visited across the Internet is correlated with the most dangerous categories of website, the very same places where online users have the most exposure to malware, such as search engines, are among the top areas that drive web malware encounters. This correlation shows once again that malware creators are focused on maximizing their ROI, and therefore they will center their efforts on the places where the number of users and the ease of exposure are greatest.
(Figure 8 chart data, share of web requests by application: Search Engine 36%, Online Video 22%, Social Network 20%, Ads 13%, Other 9%.)
When Gothic Horror Gives Birth to Malware

by Kevin W. Hamlen, Associate Professor, Computer Science Department, The University of Texas at Dallas
Malware camouflage is an emerging threat that security professionals may increasingly face. While most malware already uses simple mutation or obfuscation to diversify and make itself harder to reverse-engineer, self-camouflaging malware is even stealthier, blending in with the specific software already present on each system it infects. This can elude defenses that look for software anomalies like runtime unpacking or encrypted code, which often expose more conventional malware.
The latest self-camouflaging malware technology, appropriately dubbed Frankenstein,[17] is a product of our research this year in the Cyber Security Research and Education Center at The University of Texas at Dallas. Like the fictional mad scientist in Mary Shelley's 1818 horror novel, Frankenstein malware creates mutants by stealing "body parts" (i.e., code) from other software it encounters and stitches the code together to create unique variants of itself. Each Frankenstein mutant is therefore composed entirely of non-anomalous, benign-looking software; performs no suspicious runtime unpacking or encryption; and has access to an ever-expanding pool of code transformations learned from the many programs it encounters.
Under the hood, Frankenstein brings its creations to life using an array of techniques drawn from compiler theory and program analysis. Victim binaries are first scanned for short byte sequences that decode to potentially useful instruction sequences, called gadgets. A small abstract interpreter next infers the possible semantic effects of each gadget discovered. Backtracking search is then applied to discover gadget sequences that, when executed in order, have the effect of implementing the malware payload's malicious behavior.
[17] Vishwath Mohan and Kevin W. Hamlen. "Frankenstein: Stitching Malware from Benign Binaries." In Proceedings of the USENIX Workshop on Offensive Technologies (WOOT), pp. 77-84, August 2012.

[18] Mohammad M. Masud, Tahseen M. Al-Khateeb, Kevin W. Hamlen, Jing Gao, Latifur Khan, Jiawei Han, and Bhavani Thuraisingham. "Cloud-based Malware Detection for Evolving Data Streams." ACM Transactions on Management Information Systems (TMIS), 2(3), October 2011.
Each such discovered sequence is finally assembled to form a fresh mutant. In practice, Frankenstein discovers over 2,000 gadgets per second, accumulating over 100,000 from just two or three victim binaries in under five seconds. With such a large gadget pool at their disposal, the resulting mutants rarely share any common instruction sequences; each therefore looks unique.
In general, our research suggests that next-generation malware may increasingly eschew simple mutations based on encryption and packing in favor of advanced metamorphic binary obfuscations like those used by Frankenstein. Such obfuscations are feasible to implement, support rapid propagation, and are effective for concealing malware from the static analysis phases of most malware detection engines. To counter this trend, defenders will need to deploy some of the same technologies used to develop Frankenstein, including static analyses based on semantic, rather than syntactic, feature extraction, and semantic signatures derived from machine learning[18] rather than purely manual analysis.
This article reports research supported in part by National Science Foundation (NSF) award #1054629 and U.S. Air Force Office of Scientific Research (AFOSR) award FA9550-10-1-0088. Any opinions, findings, conclusions, or recommendations expressed are those of the author and do not necessarily reflect those of the NSF or AFOSR.
2012 Vulnerability and Threat Analysis

The Vulnerability and Threat Categories chart shows a significant increase in threat totals in 2012: threats increased 19.8 percent over 2011. This sharp increase in threats is placing a serious strain on the ability of organizations to keep vulnerability management systems updated and patched, especially given the shift to virtual environments.
Organizations are also attempting to address the increasing use of third-party and open-source software included in their products and in their environments. "Just one vulnerability in third-party or open-source solutions can impact a broad range of systems across the environment, which makes it very difficult to identify and patch or update all those systems," says Jeff Shipley, Manager of Cisco Security Research and Operations.
As for the types of threats, the largest group is resource management threats; this generally includes denial of service vulnerabilities, input validation threats such as SQL injection and cross-site scripting errors, and buffer overflows that result in denial of service. The preponderance of similar threats from previous years, combined with the sharp increase in threats, indicates that the security industry needs to become better equipped at detecting and handling these vulnerabilities.
The Cisco IntelliShield Alert Urgency Ratings reflect the level of threat activity related to specific vulnerabilities. The substantial increase in Level 3 urgency ratings indicates that more vulnerabilities are actually being exploited. This is likely due to the increase in publicly released exploits, either by researchers or by test tools, and the incorporation of those exploits into attack toolkits. These two factors are making more exploits available for use across the board by hackers and criminal groups.
The Cisco IntelliShield Alert Severity Ratings reflect the impact level of successful vulnerability exploits. The severity ratings also show a noticeable increase in Level 3 threats, for the same reasons indicated above relating to the ready availability of exploit tools.
Figure 9: Urgency and Severity Ratings. (Chart: IntelliShield alert counts at Urgency 3, 4, and 5 and at Severity 3, 4, and 5 for 2010, 2011, and 2012; only the axis scales survived extraction.)

Figure 10: Vulnerability and Threat Categories. (Chart: monthly alert totals, January to December, for 2010, 2011, and 2012. The chart's data table is reproduced below; in each year Total is the sum of the Reamp and New columns, and Cumulative is the running total for the year.)

2012 Monthly Alert Numbers
Month       Total  Reamp   New  Cumulative
January       552    344   208         552
February      551    317   234        1103
March         487    238   249        1590
April         524    306   218        2114
May           586    343   243        2700
June          647    389   258        3347
July          514    277   237        3861
August        591    306   285        4452
September     572    330   242        5024
October       517    280   237        5541
November      375    175   200        5916
December      376    183   193        6292
Year         6292   3488  2804

2011 Monthly Alert Numbers
Month       Total  Reamp   New  Cumulative
January       403    237   166         403
February      400    176   224         803
March         501    276   225        1304
April         475    229   246        1779
May           404    185   219        2183
June          472    221   251        2655
July          453    213   240        3108
August        474    226   248        3582
September     441    234   207        4023
October       558    314   244        4581
November      357    195   162        4938
December      363    178   185        5301
Year         5301   2684  2617

2010 Monthly Alert Numbers
Month       Total  Reamp   New  Cumulative
January       417    259   158         417
February      430    253   177         847
March         518    324   194        1364
April         375    167   208        1740
May           322    174   148        2062
June          534    294   240        2596
July          422    210   212        3018
August        541    286   255        3559
September     357    167   190        3916
October       418    191   227        4334
November      476    252   224        4810
December      400    203   197        5210
Year         5210   2780  2430
Evolutionary Threats

New Methods, Same Exploits
This is not to say that actors in the shadow economy do not remain committed to creating ever-more sophisticated tools and techniques to compromise users, infect networks, and steal sensitive data, among many other goals. In 2012, however, there was a trend toward reaching back to "oldies but goodies" to find new ways to create disruption or evade enterprise security protections.
DDoS attacks are a primary example: several major U.S. financial institutions were the high-profile targets of two major and related campaigns launched by foreign hacktivist groups in the last six months of 2012 (for detailed analysis, see the 2012 Distributed Denial of Service Trends section). Some security experts warn that these events are just the beginning and that hacktivists, organized crime rings, and even nation states will be the perpetrators[19] of these attacks in the future, working both collaboratively and independently.
"We are seeing a trend in DDoS, with attackers adding additional context about their target site to make the outage more significant," says Gavin Reid. "Instead of doing a SYN flood, the DDoS now attempts to manipulate a specific application in the organization, potentially causing a cascading set of damage if it fails."
While enterprises may believe they are adequately protected against the DDoS threat, more than likely their network could not defend against the type of high-volume and relentless DDoS attacks witnessed in 2012. "Even against a sophisticated, but average, adversary, the current state of the art in network security is often significantly outmatched," says Gregory Neal Akers, Senior Vice President for the Advanced Security Initiatives Group at Cisco.
Another trend in the cybercrime community revolves around the democratization of threats. "We are increasingly seeing that the tools and techniques, and intelligence about how to exploit vulnerabilities, are being broadly shared in the shadow economy today. Tradecraft capabilities have evolved a great deal," Akers says. "We're now seeing more specialization and more collaboration among malicious actors. It's a threat assembly line: Someone develops a bug, someone else writes the malware, another person designs the social engineering component, and so on."
Creating potent threats that will help them gain access to the large volumes of high-value assets coming across the network is one reason that cybercriminals are combining their expertise more often. But like any real-world organization that outsources tasks, efficiency and cost savings are among the primary drivers for the "build-a-threat" approach in the cybercrime community. The freelance talent hired for these tasks typically advertise their skills and pay rates to the broader cybercrime community via secret online marketplaces.
Amplification and Reflection Attacks

DNS amplification and reflection attacks[21] utilize domain name system (DNS) open recursive resolvers or DNS authoritative servers to increase the volume of attack traffic sent to a victim. By spoofing[22] the source address of DNS request messages (setting it to the victim's address), these attacks conceal the true source of the attack and send DNS queries that return DNS response messages 1,000 to 10,000 percent larger than the DNS request message. These types of attack profiles are commonly observed during DDoS[23] attacks.

Organizations are inadvertently participating in these attacks by leaving open recursive resolvers out on the Internet. They can detect the attacks using various tools[24] and flow telemetry[25] technologies, and can help prevent them by securing[26] their DNS servers or rate-limiting[27] DNS response messages.
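The two defensive measures just named, detection from flow telemetry and response rate limiting, as an added example that is not Cisco's or any vendor's tool. It assumes NetFlow-style unidirectional flow records with the fields shown, uses documentation address ranges for the resolver, the victim and a real client, and the per-second limit, the /24 client prefix and the slip factor are constructed parameters rather than anything the report specifies.

```python
"""Flag likely DNS amplification victims from flow records, and rate-limit responses.

Added example, not Cisco's or any vendor's tool. The flow records, the addresses
(documentation ranges) and the rate-limit parameters are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network
import math


@dataclass
class Flow:
    """One unidirectional flow record, as exported by NetFlow/IPFIX-style telemetry."""
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    octets: int
    packets: int


def amplification_by_peer(flows, resolver):
    """Per remote address: bytes the resolver answered with vs. bytes it was asked with.
    Returns {peer: (bytes_sent, bytes_received, ratio)}; ratio is inf when the resolver
    answered an address from which it never saw a query."""
    sent, recv = defaultdict(int), defaultdict(int)
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dst == resolver and f.dport == 53:
            recv[f.src] += f.octets
        elif f.src == resolver and f.sport == 53:
            sent[f.dst] += f.octets
    return {peer: (sent[peer], recv[peer], sent[peer] / recv[peer] if recv[peer] else math.inf)
            for peer in sent}


def suspected_victims(flows, resolver, min_ratio=10.0, min_bytes=100_000):
    """Peers that received far more DNS bytes than they sent: spoofed-source reflection targets."""
    stats = amplification_by_peer(flows, resolver)
    return sorted(peer for peer, (s, _r, ratio) in stats.items()
                  if ratio >= min_ratio and s >= min_bytes)


class ResponseRateLimiter:
    """Fixed-window response rate limiting keyed on (client prefix, answer identity), in the
    spirit of BIND's RRL: identical answers to one /24 beyond `per_second` are dropped, except
    that every `slip`-th excess answer is sent truncated (TC=1) so a real client retries over
    TCP, which cannot be spoofed. Buckets are never expired here; a real implementation must."""

    def __init__(self, per_second=5, window=1.0, slip=2, prefix_len=24):
        self.limit, self.window, self.slip, self.prefix_len = per_second, window, slip, prefix_len
        self.counts = {}

    def decide(self, ts, client, qname, qtype, rcode):
        prefix = str(ip_network(f"{client}/{self.prefix_len}", strict=False))
        key = (math.floor(ts / self.window), prefix, qname.lower(), qtype, rcode)
        n = self.counts[key] = self.counts.get(key, 0) + 1
        if n <= self.limit:
            return "send"
        over = n - self.limit
        return "slip" if self.slip and over % self.slip == 0 else "drop"


def simulate_rrl(limiter, ts, client, n, qname="example.com.", qtype="ANY"):
    """Push n identical answers for one client through the limiter within one window."""
    decisions = [limiter.decide(ts + i / n, client, qname, qtype, "NOERROR") for i in range(n)]
    return {d: decisions.count(d) for d in ("send", "drop", "slip")}


RESOLVER, VICTIM, CLIENT = "203.0.113.10", "198.51.100.7", "192.0.2.5"

# Constructed records: 200 spoofed 64-byte ANY queries "from" the victim, each answered
# with 3,200 bytes (a 50x amplification), beside three ordinary lookups from a real client.
SAMPLE_FLOWS = [
    Flow(VICTIM, RESOLVER, 40000, 53, "udp", 64 * 200, 200),
    Flow(RESOLVER, VICTIM, 53, 40000, "udp", 3200 * 200, 200),
    Flow(CLIENT, RESOLVER, 51515, 53, "udp", 70 * 3, 3),
    Flow(RESOLVER, CLIENT, 53, 51515, "udp", 120 * 3, 3),
]

if __name__ == "__main__":
    print(suspected_victims(SAMPLE_FLOWS, RESOLVER))     # the spoofed address, not the attacker
    rrl = ResponseRateLimiter(per_second=5, slip=2)
    print(simulate_rrl(rrl, 0.0, VICTIM, 40))            # 5 sent, the rest dropped or slipped
```

Two points the code makes explicit: the address the flow data points at is the victim whose source address was forged, not the attacker, so blocking it would finish the attacker's job; and rate limiting keys on the answer plus the client prefix rather than on raw query volume, so a busy but honest client is untouched while the repeated identical responses to one spoofed address are the ones suppressed.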
2012 Distributed Denial of Service Trends

The following analysis is derived from the Arbor Networks ATLAS repository, which consists of global data gathered from a number of sources, including more than 240 ISPs, monitoring peak traffic of 37.8 Tbps.[28]

Attack Sizes Continue to Trend Upward

Overall, there has been an increase in the average size of attacks over the past year. There was a 27 percent increase in the throughput of attacks (1.23 Gbps in 2011 to 1.57 Gbps in 2012) and a 15 percent increase in the packets per second used in attacks (1.33 Mpps in 2011 to 1.54 Mpps in 2012).

Attack Demographics

The top three monitored attack sources, after removing the 41 percent of sources for which there is no attribution due to data anonymization, are China (17.8 percent), South Korea (12.7 percent), and the United States (8.0 percent).

Largest Attacks

The largest monitored attack was measured at 100.84 Gbps and lasted approximately 20 minutes (the source of the attack is unknown due to data anonymization). The corresponding largest monitored attack in packets per second was measured at 82.36 Mpps and lasted approximately 24 minutes (the source of the attack is likewise unknown due to data anonymization).
Weaponization of Modern Evasion Techniques

Cybercriminals are constantly evolving new techniques to bypass security devices. Cisco researchers watch vigilantly for new techniques and for the weaponization of well-known techniques.

Cisco Security Research and Operations runs several malware labs to observe malicious traffic in the wild. Malware is intentionally released in the lab to ensure security devices are effective; computers are also left intentionally vulnerable and exposed to the Internet.
During one such test, Cisco Intrusion Prevention System (IPS) technology detected a well-known Microsoft Remote Procedure Call (MSRPC) attack. Careful analysis determined that the attack was using a previously unseen malware evasion tactic in an attempt to bypass security devices.[20] The evasion sent several bind context IDs inside the initial bind request. This type of attack can evade protections unless the IPS monitors the server's bind acknowledgement and determines which of the IDs were actually accepted, since only those contexts carry the subsequent requests.
Figure 11: Live Intrusion Prevention System (IPS) Evasions
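What "determining which of the IDs were successful" requires in practice, as an added example that is not Cisco's IPS code: parse the client's bind and the server's bind_ack, keep only the contexts the server accepted, and use that map to attribute later request PDUs to an interface. The exchange is constructed; the endpoint mapper and server service interface UUIDs are well-known values used here only as labels, and the PDU builders are assumptions written so the block runs offline.

```python
"""Track which DCE/RPC presentation contexts a server actually accepted.

Added example, not Cisco's IPS code. A connection-oriented bind can carry many
presentation contexts; the bind_ack answers them in the same order, and only
contexts with result 0 (acceptance) are usable. Each later request PDU selects
its interface with p_cont_id, so an inspector that assumes the first (or only)
context was accepted attributes the call to the wrong interface. The interface
UUIDs are well-known ones used purely as labels; the exchange is constructed.
"""
import struct
import uuid

PTYPE_REQUEST, PTYPE_BIND, PTYPE_BIND_ACK = 0, 11, 12
ACCEPT, PROVIDER_REJECTION = 0, 2
NDR32 = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")   # standard NDR transfer syntax, v2
EPM = "e1af8308-5d1f-11c9-91a4-08002b14a0fa"                # endpoint mapper interface
SRVSVC = "4b324fc8-1670-01d3-1278-5a47bf6ee188"             # server service interface


def _pdu(ptype, body, call_id=1):
    # 16-byte common header: rpc_vers, rpc_vers_minor, ptype, pfc_flags (FIRST|LAST),
    # drep (little-endian), frag_length, auth_length, call_id
    return struct.pack("<BBBBIHHI", 5, 0, ptype, 0x03, 0x10, 16 + len(body), 0, call_id) + body


def build_bind(contexts):
    """contexts: [(ctx_id, interface_uuid, version)], one NDR32 transfer syntax each."""
    body = struct.pack("<HHI", 4280, 4280, 0)                # max_xmit, max_recv, assoc_group
    body += struct.pack("<BBH", len(contexts), 0, 0)         # n_context_elem + reserved
    for ctx_id, iface, ver in contexts:
        body += struct.pack("<HBB", ctx_id, 1, 0)
        body += uuid.UUID(iface).bytes_le + struct.pack("<I", ver)
        body += NDR32.bytes_le + struct.pack("<I", 2)
    return _pdu(PTYPE_BIND, body)


def build_bind_ack(results, port=b"135\x00"):
    """results: [(result, reason)] in the same order as the bind's contexts."""
    body = struct.pack("<HHI", 4280, 4280, 0x1234)
    body += struct.pack("<H", len(port)) + port              # secondary address
    body += bytes((-(16 + len(body))) % 4)                   # pad result list to 4 bytes
    body += struct.pack("<BBH", len(results), 0, 0)
    for result, reason in results:
        body += struct.pack("<HH", result, reason)
        body += (NDR32.bytes_le + struct.pack("<I", 2)) if result == ACCEPT else bytes(20)
    return _pdu(PTYPE_BIND_ACK, body)


def build_request(ctx_id, opnum, stub=b""):
    return _pdu(PTYPE_REQUEST, struct.pack("<IHH", len(stub), ctx_id, opnum) + stub)


def parse_bind(pdu):
    """Return [(ctx_id, interface_uuid, version)] offered by the client."""
    if pdu[2] != PTYPE_BIND:
        raise ValueError("not a bind PDU")
    n_ctx, off, contexts = pdu[24], 28, []
    for _ in range(n_ctx):
        ctx_id, n_syntax, _ = struct.unpack_from("<HBB", pdu, off)
        iface = str(uuid.UUID(bytes_le=bytes(pdu[off + 4:off + 20])))
        ver = struct.unpack_from("<I", pdu, off + 20)[0]
        contexts.append((ctx_id, iface, ver))
        off += 24 + 20 * n_syntax
    return contexts


def parse_bind_ack(pdu):
    """Return the per-context result codes, in bind order."""
    if pdu[2] != PTYPE_BIND_ACK:
        raise ValueError("not a bind_ack PDU")
    off = 26 + struct.unpack_from("<H", pdu, 24)[0]          # skip the secondary address
    off += (-off) % 4
    n_results, off, results = pdu[off], off + 4, []
    for _ in range(n_results):
        results.append(struct.unpack_from("<H", pdu, off)[0])
        off += 24                                            # result, reason, transfer syntax
    return results


def accepted_contexts(bind_pdu, ack_pdu):
    """{ctx_id: (interface_uuid, version)} for the contexts the server accepted."""
    return {ctx_id: (iface, ver)
            for (ctx_id, iface, ver), res in zip(parse_bind(bind_pdu), parse_bind_ack(ack_pdu))
            if res == ACCEPT}


def attribute_request(req_pdu, bound):
    """Resolve a request PDU to (interface_uuid or 'unbound', opnum) via the accepted map."""
    if req_pdu[2] != PTYPE_REQUEST:
        raise ValueError("not a request PDU")
    _alloc_hint, ctx_id, opnum = struct.unpack_from("<IHH", req_pdu, 16)
    return (bound[ctx_id][0] if ctx_id in bound else "unbound", opnum)


if __name__ == "__main__":
    # Constructed exchange: two contexts offered, the first rejected, the second accepted.
    bind = build_bind([(0, EPM, 3), (1, SRVSVC, 3)])
    ack = build_bind_ack([(PROVIDER_REJECTION, 1), (ACCEPT, 0)])
    bound = accepted_contexts(bind, ack)
    print(bound)                                             # only ctx 1 -> SRVSVC
    print(attribute_request(build_request(1, 16), bound))   # the call is on SRVSVC, not EPM
```

The point for a detection engine is that the bind alone is ambiguous: an inspector that records only the first offered interface, or that never reads the bind_ack, will match its MSRPC signatures against the wrong interface for every request that follows.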
CASE STUDY
Operation Ababil
During September and October 2012, Cisco and Arbor Networks monitored a targeted and very serious DDoS attack campaign known as Operation Ababil, which was aimed at U.S.-based financial institutions. The DDoS attacks were premeditated, focused, advertised before the fact, and executed to the letter. Attackers were able to render several major financial sites unavailable to legitimate customers for a period of minutes, and in the most severe instances, hours. Over the course of the events, several groups claimed responsibility for the attacks; at least one group purported to be protesting copyright and intellectual property legislation in the United States. Others broadcast their involvement as a response to a YouTube video offensive to some Muslims.
From a cybersecurity standpoint, Operation Ababil is notable because it took advantage of common web applications and hosting servers that are as popular as they are vulnerable. The other obvious and uncommon factor in this series of attacks was that simultaneous attacks, at high bandwidth, were launched against multiple companies in the same industry (financial).
As is often seen in the security industry, what's old is new again.
On September 18, 2012, the Cyber Fighters of Izz ad-Din al-Qassam posted on Pastebin29 beseeching Muslims to target major financial institutions and commodities trading platforms. The threats and specific targets were put up for the world to see and continued for four consecutive weeks. Each week, new threats with new targets were followed up by actions at the appointed times and dates. By the fifth week, the group stopped naming targets but made it clear that campaigns would continue. As promised, the campaigns renewed in earnest in December 2012, once again targeting multiple large U.S. financial organizations.
Phase 2 of Operation Ababil was also announced on Pastebin.30 Instead of infected end-user machines, a variety of PHP web applications, including the Joomla Content Management System, served as the primary bots in the campaign. Additionally, many WordPress sites, often running the out-of-date TimThumb plug-in, were being compromised around the same time. The attackers often went after unmaintained servers hosting these applications and uploaded PHP webshells to deploy further attack tools. The concept of command and control did not apply in the usual manner, however; the attackers connected to the tools directly or through intermediate servers, scripts, and proxies. During the cyber events in September and October 2012, a wide array of files and PHP-based tools were used, not just the widely reported itsoknoproblembro (aka Brobot). The second round of activity also used updated attack tools such as Brobot v2.
Operation Ababil deployed a combination of tools with vectors crossing application-layer attacks on HTTP, HTTPS, and DNS with volumetric attack traffic on a variety of TCP, UDP, ICMP, and other IP protocols. Cisco's analysis showed that the majority of packets were sent to TCP/UDP port 53 (DNS) or 80 (HTTP). While traffic on UDP port 53 and TCP ports 53 and 80 represents normally valid traffic, packets destined for UDP port 80 represent an anomaly: no common application uses that port over UDP, so such traffic can be dropped without affecting legitimate users.
A detailed report of the patterns and payloads of the Operation Ababil campaign can be found in Cisco Event Response: Distributed Denial of Service Attacks on Financial Institutions.31
Lessons Learned
While they are a critical part of any network security portfolio, IPS and firewall devices rely on stateful traffic inspection. Application-layer techniques used in the Operation Ababil campaign easily overwhelmed those state tables and, in several cases, caused them to fail. Intelligent DDoS mitigation technology was the only effective countermeasure.
Managed security services and ISPs have their limits. In a typical DDoS attack, the prevailing wisdom says to deal with volumetric attacks in the network. Application-layer campaigns, which are deployed closer to the victim, should be addressed at the data center or on the customer edge. Because multiple organizations were targeted concurrently, network scrubbing centers were strained.
It is critical to keep hardware and software current on DDoS mitigation appliances. Older deployments are not always able to deal with newer threats. It is also important to have the right capacity in the right locations. Being able to mitigate a large attack is useless if traffic cannot be channeled to the location where the technology has been deployed.
While cloud or network DDoS mitigation typically has much higher bandwidth capacity, on-premise solutions provide better reaction time against, control of, and visibility into the attacks. Combining the two makes for a more complete solution.
In conjunction with cloud and network DDoS technologies, and as part of the collateral produced for the Operation Ababil events, Cisco has outlined detection and mitigation techniques in the Identifying and Mitigating the Distributed Denial of Service Attacks Targeting Financial Institutions Applied Mitigation Bulletin.32 These techniques include the use of Transit Access Control List (tACL) filtering, NetFlow data analysis, and unicast Reverse Path Forwarding (uRPF). In addition, there are a number of best practices that should be regularly reviewed, tested, and implemented that will greatly help enterprises to prepare for and react to network events. A library of these best practices can be found by referencing the Cisco SIO Tactical Resources33 and Service Provider Security Best Practices.34
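The two observations above, that UDP port 80 traffic is an anomaly with no legitimate application behind it while UDP/53 and TCP/80 must be judged by rate, and the NetFlow analysis and tACL filtering the bulletin recommends, combine into a first-pass triage script. The code below is an added example and is not Cisco's code or part of the bulletin; the flow records are constructed (NetFlow v5-style fields, documentation IP ranges), the 100,000 pps per-target threshold is an assumption to be tuned to the defended link, and the emitted filter lines follow IOS extended ACL syntax as an assumed target format.

```python
"""First-pass DDoS triage over NetFlow-style records: protocol/port anomalies,
volumetric rates per target, and the candidate filters that follow from them."""
import csv
import io
from collections import defaultdict

PPS_THRESHOLD = 100_000   # assumed per-target baseline; tune to the link being defended

# Constructed sample export (NetFlow v5-style fields; documentation IP ranges).
SAMPLE_FLOWS = """\
src,dst,proto,sport,dport,packets,bytes,duration_s
198.51.100.7,203.0.113.10,udp,45021,80,180000,9000000,20
198.51.100.8,203.0.113.10,udp,45022,80,175000,8750000,20
198.51.100.9,203.0.113.10,udp,45023,80,182000,9100000,20
198.51.100.20,203.0.113.11,udp,53,53,2400000,240000000,20
198.51.100.21,203.0.113.11,udp,53,53,2300000,230000000,20
192.0.2.5,203.0.113.10,tcp,51000,443,40,30000,20
192.0.2.6,203.0.113.11,udp,55500,53,3,300,20
"""


def parse_flows(text):
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({"src": r["src"], "dst": r["dst"], "proto": r["proto"].lower(),
                     "dport": int(r["dport"]), "packets": int(r["packets"]),
                     "bytes": int(r["bytes"]), "duration_s": float(r["duration_s"])})
    return rows


def aggregate(flows):
    """Sum flows per (dst, proto, dport): packets, bytes, distinct senders, window."""
    agg = defaultdict(lambda: {"packets": 0, "bytes": 0, "sources": set(), "duration_s": 0.0})
    for f in flows:
        a = agg[(f["dst"], f["proto"], f["dport"])]
        a["packets"] += f["packets"]
        a["bytes"] += f["bytes"]
        a["sources"].add(f["src"])
        a["duration_s"] = max(a["duration_s"], f["duration_s"])
    return agg


def detect(text):
    """Return findings sorted by packet rate, highest first."""
    findings = []
    for (dst, proto, dport), a in aggregate(parse_flows(text)).items():
        pps = a["packets"] / a["duration_s"] if a["duration_s"] else float(a["packets"])
        reasons = []
        # UDP/80 has no legitimate application behind it: a protocol anomaly, safe to drop.
        if proto == "udp" and dport == 80:
            reasons.append("protocol anomaly: udp/80")
        # UDP/53, TCP/53 and TCP/80 are normally valid; only the rate gives them away.
        if pps > PPS_THRESHOLD:
            reasons.append(f"volumetric: {pps:,.0f} pps > {PPS_THRESHOLD:,} pps")
        if reasons:
            findings.append({"dst": dst, "proto": proto, "dport": dport, "pps": round(pps),
                             "sources": sorted(a["sources"]), "reasons": reasons})
    return sorted(findings, key=lambda f: -f["pps"])


def filter_candidates(findings):
    """IOS-style transit ACL entries, emitted only for protocol anomalies.

    Volumetric traffic on valid ports is never turned into a deny here: that
    would finish the attacker's job. It goes to rate limiting or a scrubbing path.
    """
    return [f"deny {f['proto']} any host {f['dst']} eq {f['dport']}"
            for f in findings if any(r.startswith("protocol anomaly") for r in f["reasons"])]


if __name__ == "__main__":
    found = detect(SAMPLE_FLOWS)
    for f in found:
        print(f"{f['dst']} {f['proto']}/{f['dport']} {f['pps']:,} pps "
              f"from {len(f['sources'])} sources: {'; '.join(f['reasons'])}")
    print("\n".join(filter_candidates(found)))
```

On the sample the DNS flood to 203.0.113.11 is flagged purely on rate and, because the port is legitimate, gets no deny line; the UDP/80 traffic to 203.0.113.10 is well under the rate threshold but is flagged and filtered on the protocol anomaly alone. Note that the legitimate resolver client 192.0.2.6 appears in the DNS finding's source list, which is why per-source blocking on valid ports needs more evidence than a flow summary.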
Spam the Ever Present
However, despite the perception that malware is typically deployed through spam email attachments, Cisco's research shows that very few spammers today rely on this method; instead, they turn to malicious links within the email as a far more efficient distribution mechanism.
Spam is also less scattershot than in the past, with many spammers preferring to target specific groups of users in the hope of generating higher returns. Name-brand pharmaceuticals, luxury watch brands, and events such as tax season top the list of things that spammers promote most in their campaigns. Over time, spammers have learned that the quickest way to attract clicks and purchases, and so to generate a profit, is to leverage spoofed brands and take advantage of current events that have the attention of large groups of users.
Global Spam Trends
Since the large-scale botnet takedowns of 2010, high-volume spam isn't as effective as it once was, and spammers have learned and changed their tactics. There is a clear evolution toward smaller, more targeted campaigns based on world events and particular subsets of users. High-volume spam is also more likely to be noticed by mail providers and shut down before its purpose can be fulfilled.
Figure 12: Global Spam Trends. Global spam volumes down 18 percent, with most spammers keeping bankers' hours on weekends.
Top ten spam-originating countries in 2012, share of global spam (the chart also marks each country's gain or decline from 2011): India 12.3%, United States 11.38%, Korea 4.60%, China 4.19%, Vietnam 4.00%, Russia 3.88%, Saudi Arabia 3.60%, Brazil 3.60%, Taiwan 2.94%, Poland 2.72%.
Spam language: English 79%, Russian 5%, Catalan 3%, Japanese 3%, Danish 2%, French 1%, Romanian 1%, Spanish 1%, German 1%, Chinese 1%.
In 2012, overall global spam volumes were down 18 percent from 2011. This is far from the dramatic drop in volume seen in 2010 following the botnet takedowns, but the continued downward trend is a positive development nonetheless.
Spammers continue their focus on minimizing effort while maximizing impact. According to Cisco's research, spam volumes fall by 25 percent on weekends, when users are often away from their email. Spam volumes rise to their highest levels on Tuesday and Wednesday, an average of 10 percent higher than on other weekdays. This heightened activity in the middle of the week and lower volumes on the weekend allow spammers to live normal lives.
It also gives them time early in the week to craft tailored campaigns based on world events, which helps them generate a higher response rate.
In 2012, there were several examples of spammers using news about world events, and even human tragedy, to take advantage of users. During Superstorm Sandy, for example, Cisco researchers identified a massive pump-and-dump stock scam built around a spam campaign. Using a pre-existing email message that urged people to invest in a penny stock focused on natural resource exploration, the spammers began attaching sensational headlines about Superstorm Sandy. An unusual aspect of this campaign is that the spammers used unique IP addresses to send a single batch of spam and have not activated those addresses since, so sender-reputation blocklists built from earlier traffic had nothing to match against.
Spam Origination
In the world of spam, some countries remain the same while others dramatically change their rankings. In 2012, India retained the top spot as a source of spam worldwide, with the United States moving up from sixth in 2011 to second in 2012. Rounding out the top five spam-originating countries are Korea (third), China (fourth), and Vietnam (fifth).
Figure 13: Spam Origination. India retains spam crown, and United States skyrockets into second position. (The chart also shows spam volume by weekday, Monday through Sunday: a 10 percent gain for the middle of the week, a 25 percent decline for weekends, and an 18 percent decline in spam volumes from 2011 to 2012.)
Overall, the majority of spammers focus their efforts on creating spam messages that feature the languages spoken by the largest audiences who use email on a regular basis. According to Cisco's research, the top language for spam messages in 2012 was English, followed by Russian, Catalan, Japanese, and Danish. Of note, there are gaps between where spam is being sent from and the languages used in the spam messages; for example, while India was the number one spam-originating country in 2012, local languages did not break the top 10 in terms of languages used in spam sent from India. The same was true for Korea, Vietnam, and China. In other words, the sending country reflects where compromised or rented infrastructure sits, not where the spammers or their intended readers are.
Email Attachments
Spam has long been thought of as a delivery mechanism for malware, especially when an attachment is involved. But Cisco's recent research on the use of email attachments in spam campaigns shows that this perception may be a myth.
Only 3 percent of total spam has an attachment, versus 25 percent of valid email. And in the rare cases when a spam message does include an attachment, it is on average 18 percent larger than a typical attachment included in valid email. As a result, these attachments tend to stand out.
In modern email, links are king. Spammers design their campaigns to convince users to visit websites where they can purchase products or services (often dubious). Once there, users' personal information is collected, often without their knowledge, or they are compromised in some other way.
As the Spoofed Brands analysis that appears later in this section reveals, a majority of spam comes from groups who seek to sell a very specific group of name-brand goods, from luxury watches to pharmaceuticals, that are in most cases fake.
IPv6 Spam
While IPv6-based email remains a very small percentage of overall traffic, it is growing as more email users move to IPv6-enabled infrastructure.
However, while overall IPv6 email volumes are growing at a rapid clip, this is not the case with IPv6 spam. This suggests that spammers are hedging against the time and expense of migrating to the new Internet standard. There is no driving need for spammers, and little to no material benefit, to cause such a shift at present. As IPv4 addresses are exhausted and mobile devices and M2M communication drive explosive growth in IPv6, expect spammers to upgrade their infrastructure and accelerate their efforts.
Figure 14: Email Attachments. Only 3 percent of spam has an attachment versus 25 percent of valid email, but spam attachments are 18 percent larger.
Figure 15: IPv6 Spam. While IPv6-based email remains a very small percentage of overall traffic, it is growing as more email users move to IPv6-enabled infrastructure. June through December 2012: IPv6 email growth 862 percent, IPv6 spam growth 171 percent.
Spoofed Brands
With spoofed-brand spam email, spammers use the names of organizations and products to send their messages in the hope that online users click on a link or make a purchase. The majority of spoofed brands are prescription drugs, such as anti-anxiety medication and painkillers. In addition, luxury watch brands form a constant layer of noise that remains consistent across the entire year.
Cisco's analysis shows that spammers are also skilled at tying their campaigns to news events. From January to March 2012, Cisco data shows a spike in spam relating to Windows software, which coincided with the release of the Windows 8 operating system. From February to April 2012, during the U.S. tax season, analysis shows a