Users and IT teams are part of the security problem says Cisco

Careless user behavior and targeted malware campaigns are putting many industry sectors in danger from security breaches with the pharmaceutical and chemical industries at highest risk.

This is among the findings of the latest Annual Security report from networking specialist Cisco. It also finds that attackers are adapting their methods to make their campaigns harder to detect.

Among the changes are the rise of 'snowshoe spam' which involves sending low volumes of spam from a large set of IP addresses to avoid detection, and the use of less common exploit kits so as not to attract attention. There's also an increase in malicious combinations, sharing attacks between two files, for example Flash and JavaScript to make them harder to detect.

Users are the main target though and may also be unknowingly aiding cyber attacks. Throughout 2014, Cisco threat intelligence research has revealed that attackers have increasingly shifted their focus from servers and operating systems as more users are downloading from compromised sites leading to a 280 percent increase in Silverlight attacks along with a 250 percent increase in spam and malvertising exploits.

Users are increasingly targeted using web browser add-ons as a medium for distributing malware and unwanted applications. This approach too is proving successful because many users inherently trust add-ons or simply view them as benign.

"Attackers have become more proficient at taking advantage of security gaps. At any given time, we should expect for one percent of high-urgency vulnerabilities to be actively exploited while 56 percent of all OpenSSL versions are still vulnerable to Heartbleed," says Jason Brvenik, Principal Engineer, Security Business Group at Cisco. "Despite this, we see less than half of the security teams surveyed using standard tools like patching and configuration management to help prevent security breaches. Even with leading security technology, excellence in process is required to protect organizations and users from increasingly sophisticated attacks and campaigns".

The report also reveals that while many defenders believe their security processes are optimized, and their security tools are effective, in truth, their security readiness likely needs improvement. It concludes that corporate boards need to take a role in setting security priorities and expectations.

It sets out some basic principles for achieving security which include that security must be transparent and informative, that it must enable visibility and appropriate action and that it must be viewed as a 'people problem'.

A complete copy of the report is available from the Cisco website.

Image Credit: watcharakun/Shutterstock