Cisco Security Report: Malware, Social Media are Top Risks
These are the headlines from the latest Cisco Annual Security Report. Patrick Peterson, Cisco senior fellow, offers highlights of the report, discussing:
Peterson, Chief Security Researcher, is also a Cisco Fellow -- a position that is reserved for individuals whose technical contribution has made a material impact not only within Cisco, but also in the industry as a whole. As a security technology evangelist, Peterson leads research projects to understand cutting-edge criminal attacks and business models and developing the technologies to combat them. Peterson chairs the technical committee for the Messaging Anti-Abuse Working Group (MAAWG) and the authentication committee for the Authentication and Online Trust Alliance. He is a frequent speaker at industry conferences, including RSA, Gartner, Networkers and AusCert.
TOM FIELD: Cisco is out with its annual security report. What are the headlines for 2010? Hi, this is Tom Field, Editorial Director with Information Security Media Group. We are talking today about Cisco's annual security report, and we are talking with Patrick Peterson, Cisco's Senior Fellow. Patrick, thanks so much for joining me today.
PATRICK PETERSON: It's great to be here, Tom. Thanks a lot for the opportunity.
FIELD: Patrick, just to give our audience some context, why don't you tell us a little bit about yourself and your role with Cisco, but also tell them about the security report and what you have been doing over the years and what it really has come to mean?
PETERSON: You bet. I would be happy to. I came to Cisco in 2007, when Cisco was nice enough to buy my company, Ironport Systems. I had been there since the inception seven years earlier, focused on email security/web security. But really in the last couple of years I have moved out of that realm to focus on 'What are the bad guys doing? What are they up to, how are they making money and how are they causing us pain?' These annual reports are a big part of my work.
The context of the report is we basically reach out to about 500 people here at Cisco; they are security evangelists, security researchers, people who develop our security products, people who work closely with customers. And every year, starting about six months ago, we start surveying them - 'What are you seeing, and what's going on?' We reach out to people in the labs who are doing research,, and then we really try to put together what our customers are asking for, which is 'What are the bad guys doing? What do I have to worry about? What should be at the top of my radar?' Because of course, as we know in the security profession, if you don't know what the bad guys are doing, it is pretty hard to know that you are stopping them from doing it.
FIELD: Well, given that, Patrick, what would you say are this year's top headlines? What are the bad guys doing?
PETERSON: You know, we saw two particular headlines that stood out above all others. One was the real rise of the banking trojan and Zeus as the poster child for that family of malware. And the second one is that social media is really a playground for cyber crime, and the criminals have responded and followed those 350 million people on Facebook, those 80 million people on Linked In to attack them where they are doing their social media activities.
FIELD: Patrick, I want to ask you both about the threats and the trends that you are seeing; let's break it down that way. You talked about a couple of the threats here. What would you say is sort of the common nature of the threats against organizations, agencies, consumers?
PETERSON: I think there are two that really lead the pack. One is just the increasing sophistication. So if we look at the banking trojans, they have come about in direct response to the security features that have been added by financial services and consumers in the last five years. We put in two-factor authentication; they programmed the banking trojans to work around two-factor authentication. Now that is merely one example, but in case after case we see quite sophisticated security solutions, which two or three years ago really put a stop to certain attacks. And what do you know? The criminals didn't give up; they didn't go get day jobs at McDonalds or somewhere else, making less money than they could attacking us, and they have really been innovating and getting very sophisticated.
The second thing that really rises in terms of the trends around the threats is how many of them center around botnets and malware. The creation of an infected computer with malware and then leashing that into an assemblage of computers as a botnet is truly ground zero for cyber crime, and we see -- whether it's the social media attacks, whether it's the banking trojans, whether it is DDoS -- all of these rely on malware in the botnet, and that is a common thread that is universal.
FIELD: So a couple of things here strike me. One that strikes me is that the criminals obviously are going where consumers are going. Consumers want more online banking, the criminals are going there; the consumer wants to be active in social networks, the criminals are going there.
FIELD: The other thing that strikes me, and I have heard this from other people as well, is that they have got good resources.
PETERSON: They do. And so if you look for example at Zeus, those guys have deployed very sophisticated systems and they have taken two-factor authentication, Certs, site key, machine identification used by financial services, and for each one of those they figured out 'How do we build the solution to get around that?'
And then of course they have a bigger problem, which is even if I can get, let's say hypothetically, Tom, your banking credentials, moving money out of your account, especially overseas, which is where they really want it. So then if you look at the resources they have got, they partner with organizations who do nothing but recruit innocent, unsuspecting U.S. citizens to be their money mules and actually to receive these stolen funds and then to send them out via another payment mechanism, like a Western Union or some other type of system.
And so those examples that we see from Zeus and the banking trojans, and personally it really knocked my socks off to see the kind of resources and innovations that they are capable of.
FIELD: Well, let's talk about the good guys as well. What sorts of trends are you seeing on the white-hat side of the battlefield here in the fight against some of these threats to bolster security? What are the top trends?
PETERSON: That's a great question. To give some context to that maybe I should talk briefly about some of the awards that we gave away as part of our security report. So we highlighted the Cisco Cyber Crime Awards Ceremony, and we gave Zeus an award for the most audacious criminal organization for what they were doing.
But if you look at the good guys, we have a couple of trends going on there that I think are really represented by the awards that we gave for the good guys. One of them was for the Conficker Working Group, and they won an award because they really banded together a whole host of organizations - Cisco, but lots of other security companies, infrastructure providers, DNS registrars and registries -- to put an end to the massive Conficker infection botnet's ability to get updates and commands from the command and control. And to us that is a great example of good guy trends where our ability to work together, to come together to solve a problem on a global scale has increased tremendously in the last three years.
Now, I don't mean to say that we are where we need to be or that we are winning the war and that the criminals are going to be out of business next year, but that was a great example of the trend of us working together much more effectively. And the other one we highlighted was the award for Brian Krebs of the Washington Post because he really reported and did a lot of great investigatory work on the Zeus botnet, and I think that is another example where in time past it would have taken maybe two or three years for this story to really be understood by the security community at large, and his reporting shows how much more quickly this information is getting out and enabling us to respond more quickly.
FIELD: Well, that's excellent. Now, you talked about banking and the banking trojans and the push into mobile services. What is some of the news for specific industries beyond financial services -- perhaps healthcare, government, other industries -- that you see are particularly targeted?
PETERSON: Let's talk about healthcare and government; I think those are great ones. I think one of the challenges that we see for healthcare is they have a lot of relatively unmanaged shared systems. And so backing up a step, if we study, let's say consumer computers and enterprise computers, the infection rates between them is normally in orders of magnitude different. You know your cousin's, your uncle's, your aunt's old PC from six years ago running XP without antivirus that the kids are clicking on every link tends to be fairly unsecured and fairly heavily infected. On the other hand, a well-managed PC in the enterprise is not safe, but the infection rates on those are way less than one percent.
Healthcare, though, tends to really stand out and we saw examples of this from the Conficker worm where a lot of healthcare organizations got hit hard because they are an enterprise computer, they have access to enterprise payment information, healthcare personal information. On the other hand, this may be a computer which is one of thousands at a healthcare organization that has medical assistants, nurses, and doctors who are using it, and those tend to be the ones that have high value information, high value targets, but don't have the kind of care and feeding and attention that most other enterprise PC's do. And so we feel the importance to secure them has been overlooked, and again some of the downside of that was seen by some of the headlines in 2009 where healthcare fell victim to some of the botnets.
When it comes to government, I think that the challenge facing government is really around pushing toward an open government, pushing IT and government to really respond differently, especially with the Obama Administration. It is offering up opportunities to do a lot of things differently, but of course the security folks are really trying to figure out how to deal with that new paradigm, and those are some of the major trends that we see in government, along with tremendous increases in cyber attacks.
FIELD: Patrick, let me take you in a different direction here. We certainly serve a lot of information security professionals at various stages in their careers, and when you look at people that are either beginning a career, restarting a career mid-career, what is the message from this report to the information security professional?
PETERSON: I think two messages stand out for me. One is really the "knowledge is power." So many cases we look at, people are working hard, they are doing good work, but to be honest they may be missing the forest for the trees. They may be stuck in a reactive mode because they don't have enough knowledge and enough of a big picture, kind of "know your enemy."
The second one is it is really all about risk management. I think in the olden days when you said "I'm compliant," the auditor just checked all the boxes, and people know that is not enough anymore. You have got to be compliant, but that does not equal security. Likewise, there are a lot of high priority projects, a lot of business demands, but if you are just running with those as opposed to taking a step back and saying, 'How are the bad guys thinking today? What is going on in my industry? What are the areas where I am at risk, even if I can't fix them tomorrow or next month?' -- if you are not really looking at that from a risk management perspective, you are probably not spending those resources wisely, and you are probably not in a position to really steer the boat where it needs to be steered to stay ahead of the bad guys.
FIELD: Well, Patrick, that said, what would you say is sort of the essential education for an information security professional today that wants to understand what the bad guy is doing and if not stay a step ahead, at least stay in pace?
PETERSON: Yeah, so I would say for one, a lot of good work is done, not just by Cisco but others in our field, on the annual security reports. I think looking at those, from all the vendors, definitely will help highlight, and all of us have different strengths and weaknesses, places to pay attention.
And also, depending on your industry, there are publications like your own and lots of other ones where if you just skim them you will find the reporters, the writers, the bloggers, the researchers who really resonate with you in your industry. And in some cases you can spend a few hours a week. and other cases you can task people on your team to be responsible for different areas and have a brown bag lunch where they report on the latest in banking trojans, information security, securing cloud computing. But whatever it is, you have got to figure out how to get that information.
And the last thing is your education and your knowledge that gives you that power is not complete unless you are looking at your own users. Users are such a critical part of a security solution, and if you don't know how and why they are doing things in your organization, why they are clicking on that link and why they are disabling the antivirus, why they are getting on untrusted networks, you are missing a big part. So I would say definitely look inward at your employees and their practices and understand why they are doing these things and how you need to adapt to serve them better.
FIELD: Patrick, a last question for you. How does this report influence Cisco's strategies going forward?
PETERSON: Great question. One of the things that our customers have really demanded from us in these reports is: I just don't want to know what the threats are; I want to know where the criminals are going and what they are leaving behind. And so one of the things that is really driving us here is our new innovation for the report, which is the Cisco Cyber Crime ROI Matrix. We really tried to look and say where are criminals making money and maybe where their profits are down and maybe they will be divested in those businesses. That is one of the highlights of the report, and that is for example, where you see criminals investing in the social media attacks, investing in the banking trojans and at the same time divesting from old instant messaging attacks, DDoS attacks and things like the old phishing 1.0 of just trying to get someone's credentials with an email and a login site.
So when we look at that, the ROI Matrix clearly shows us securing the PC, stopping the banking trojan, detecting the botnet, God forbid if it occurs in the enterprise. Our high priorities beyond that, you have got to secure the social media and you have got to train your users on what to do.
And I think the last one that fits in there is securing something that we call the "dark web." The amount of sites and content which are some kind of a shared platform, a blog site, a data aggregation, a news site, where you can't really say it is a particular site controlled by a particular person in the content is really the rise of the dark web. And so that is the other one that really stood out for us when you look at some of the security challenges that we need to fix to address the leading problems that we see criminals investing in, in the ROI Matrix.
FIELD: Very good. Patrick, I appreciate your time and your insight today.
PETERSON: Oh, my pleasure. Thanks for the opportunity, and stay safe.
FIELD: The topic has been the Cisco Annual Security Report, and we have been talking with Cisco Senior Fellow, Patrick Peterson. For Information Security Media Group, I'm Tom Field. Thank you very much.