7 infographics from the Cisco 2018 Cyber Security Report explained

In our final part of Cisco’s 68 page 2018 Annual Cyber Security Report, we summarise the key findings and highlight the main takeaways contained in the report.
While most of the information is already known, put in context it gives a thorough view of the changing landscape and importantly identifies some of the steps that Information Security teams could take to mitigate the growing risk.
The reports highlights include;
  • Self-propagating ransomware is a growing trend
  • Legitimate cloud platforms are increasingly being exploited for cyber attacks
  • Cyber attackers are exploiting gaps in security coverage as organisations move to the cloud
  • Lack of skilled cyber security staff is a growing problem
  • Security is more effective when policies governing technology, processes and people are synced
  • Scalable cloud security, advanced endpoint protection and threat intelligence can be deployed to reduce the cyber threat risk
According to the Cisco report, cyber attackers are amassing their techniques and capabilities at an unprecedented scale.
Ransomware is the most profitable form of malware and has evolved into self-propagating network based cryptoworms as witnessed by Nyetya
and WannaCry. These ransomware variants took down whole regions and
sectors of infrastructure such as the Ukraine and the NHS.
Cyber attackers are weaponizing the cloud and using legitimate cloud services from well known vendors such as Google, Amazon, Twitter to host and conduct malware attacks. They are in fact capitalising on the benefits of cloud platforms such as security, agility, scalability and good reputation, oftentimes repurposing their sites before they are detected.
Cyber attackers are exploiting gaps in security coverage including IoT and cloud services especially where the organisation has not extended their security controls to include securing users and data in the cloud. Another growing obstacle to more effective cyber security is lack of skilled cyber security personal and inadequate budgets.
Cisco’s report also provides some essential guidance that organisations
should adopt in order to meet the growing challenge and provide more effective cyber security protection. Some of these measures include;
  • Implementing scalable cloud security solutions
  • Ensuring alignment of corporate policies for technology, applications and processes
  • Implementing network segmentation, advanced endpoint security and incorporating threat intelligence into security monitoring
  • Reviewing and practising security response procedures
  • Adopting advanced security solutions that include AI and machine learning especially where encryption is used to evade detection
While the security report is essential reading for all personnel responsible for an organisations information assets, in many areas it reiterates what we have been hearing about in the news and trade publications. The essential call to action is really to make a good start by doing the essentials. If you have already done this, then keep testing, refining and improving your cyber security posture.

5 Takeaways from the Cisco 2018 Annual Cyber Security Report

Cisco Annual Cybersecurity Report 2018

Cloud abuse on the rise according to Cisco Security Report

Cisco’s Annual Cyber Security Report 2018 provides an insightful account into the changing cyber security landscape. This article summarises some findings of the report pertaining to cloud security.
Some main take aways from the report that will be discussed in this blog include:
  • Legitimate cloud services such as Twitter and Amazon being used by attackers to scale their activities
  • Machine-Learning is being used to capture download behaviour
  • Cloud Security is a shared responsibility between organisations and its provider
  • There is an increase of belief in the benefits of cloud security
  • Cloud abuse is on the rise
According to the report, increased security was the principle reason security professionals gave for organisations deciding to host corporate applications in the cloud.
Fifty seven percent believe the cloud offers better data security
Organisations who have a security operations team are likely to have a well defined cloud security approach that may include the adoption of Cloud Access Security Broker (CASB) as they deploy to the cloud.
Many smaller organisations however are adopting cloud services without a clear security strategy, there is therefore a blurring of the security boundaries where many organisations are not certain about where their responsibilities end and where the responsibility of the cloud provider starts.
Security in the cloud is a shared responsibility: Cloud Security, DNS, IaaS PaaS Saas
Security in the cloud is a shared responsibility
Cyber attackers are increasingly taking advantage of this blurring of the boundaries to exploit systems.
An increasing trend amongst cyber attackers is to use legitimate cloud services to host malware and command and control infrastructure. Public clouds that have been used for malware activity include Amazon, Google, DropBox and Microsoft.
This makes it doubly difficult for security teams to identify bad domains and take protective measures without risking significant commercial impact caused by denying user access to legitimate business services.
Examples of legitimate services abused by malware for C2
The misuse of legitimate services is attractive to cyber attackers for a number of reasons;
  • Easy to register a new account and set up a web page
  • Adopt use of legitimate SSL certificate
  • Services can be adapted and transformed on the fly
  • Reuse of domain and resources for multiple malware campaigns
  • Less likely that infrastructure will be ‘burned’ (service can just be taken down) with little evidence of its purpose
  • Reduce overhead for attacker and better return on investment
Cyber attackers are effectively using legitimate and well known cloud infrastructure with their attendant benefits; ease of scale, trusted brand and secure features such as SSL. This enables them to scale their activity with less likelihood of detection if current protection methods are retained.
The challenges posed for the security teams defending organisations from these new threats call for a more sophisticated approach because in effect you need to block services that users are trying to access for legitimate work such as Amazon or Dropbox. Furthermore, the legitimate services are encrypted and so malware will be encrypted and evade most forms of threat inspection techniques– the threat will only become apparent after it has been activated on a host.
Intelligent cloud security tools will need to be deployed to help identify malware domains and sub-domains using legitimate cloud services. Such tools can also be used to further analyse related malware characteristics such as associated IP addresses, related domains and the registrant’s details.
An emerging and valuable approach to detect anomalous behaviour is machine learning.
Machine learning algorithms can be used to characterise normal user activity, unusual activity can be identified, and action taken automatically.
Machine-learning algorithms capture user download behaviour 2017
To meet the range of challenges presented by cloud adoption,
organisations need to apply a combination of best practices, advanced security technologies, and some experimental methodologies especially where they need to overcome the use of legitimate services by cyber attackers.

Would you like to learn more? Claim your Free copy of our latest eBook “A View of the Cyber Threat Landscape”. Click here.

I made a call, the customer said no, but I loved it

 

We have been doing our cloud security blog now for a couple of weeks and decided to start to speak directly to some of the contacts who had been reading the blogs. I spoke to one contact from the legal sector (who shall remain nameless) who gave some very interesting feedback.

 

The bad news is that the call did not end up in a sale or a trial of the software, and they didn’t want to meet with us or try out any of our services so there is no fairy tale ending here.

 

What was more interesting was that the customer said about Umbrella cloud security and his current IT partner.

 

On the subject of Cisco Umbrella, he said they had been using it for over a year now and “it was absolutely brilliant”. The ability to automatically block bad domains and to investigate suspected threats was extremely good and he was very happy that they had decided to deploy the product.
Furthermore, he said it was introduced to him by their IT provider whom they have worked with for nearly 10 years now. He said it was a very strong partnership where they had offered an exceptional quality of service, they weren’t the cheapest but it would just be silly for them to look elsewhere at this stage because you get what you pay for and they certainly were getting very good value for money. He felt it would be silly of them to be looking to change under such circumstances. I said to him I hoped my customers felt the same way about the service we provide as we certainly strive to differentiate ourselves in this way. He thanked me for the call and we went t our separate ways.

 

Wow this is what I have been banging on about for what seems a lifetime, it’s not about being the cheapest or biggest, but rather about providing good value for money.

 

What was even more satisfying is the fact that he appreciated what we had been writing about in terms of cloud security and the importance of DNS security. He was totally happy with the Umbrella product and now couldn’t see them operating without it.

 

So I am really happy that though this customer said no to us, they endorsed what we believe and what we have been banging the drum about.

 

Protect yourself against 92% of malware threats that can be stopped at source via secure DNS. The free trial is waiting for you to just click the link and be up and running in 5 minutes. It will be the best cyber security click you’ve ever made.

Test the solution yourself! Free 14 day trial 

In the Cloud you need CASB: How to Secure the Cloud

We introduce another acronym yesterday, CASB (Cloud Access Security Broker) and we now expand on the features and benefits of deploying a CASB solution as we continue in our approach to cloud security. We noted in our previous blog that cloud security was a shared responsibility between service user and service provider. Gartner analysis indicates that by 2021, 27% of corporate data will bypass perimeter security. In addition by 2020, 95% of cloud security failures will be the customer’s fault.

 

Cloud Umbrella, DNS, Firewall, Cloud Security, Data Breach

 

Securing the cloud will need a robust security approach which includes features such as the ones outlined below;

 

Cloud User Security

Attackers are defeating today’s security controls that rely on the network perimeter, firewalls, or a specific platform. Activities across platforms are not correlated, making it difficult to identify suspicious behavioural patterns. At the same time, security teams are inundated with alerts that lack priority, useful information, or context. Faced with a flood of unhelpful notifications, the legitimate security breaches get overlooked. This problem is magnified with the use of cloud applications and platforms, as organisations often have little visibility into the activities of their users in their cloud environments.
A CASB can analyse user and entity behaviour, using the analytics to profile behaviour and detect and respond to anomalies in real time, while alerting security teams.

 

Cloud Data Security

The number one cloud security concern for organisations is storing sensitive data in the cloud. 53% of organisations rated this top of their list. A CASB is an effective solution to address this by enabling tuneable policies to be deployed to monitor and provide data loss prevention. In the event of a policy violation, a CASB can initiate an automated response mechanism that can notify users, encrypt connections and quarantine data as necessary.

 

Cloud Applications Security

Unauthorised cloud applications is now a major security hole being exploited by cyber attacks. Discovery and security rating of cloud applications are therefore another essential feature that is needed to determine compliance with the organisations security policy. The ability to also block or whitelist applications may also be a necessary measure for compliance.

 

Correctly configured the CASB solution should provide the following benefits;

  • Detect and respond to compromised accounts
  • Detect and respond to malicious insiders
  • Monitor and secure privileged accounts
  • Protect sensitive data in the cloud
  • Enable compliance with cloud data
  • Gain full visibility into cloud app usage
  • Block cloud malware
  • Secure cloud marketplace apps

Securing SaaS Applications: How to Secure the Cloud

Security in the cloud is a shared responsibility: Cloud Security, DNS, IaaS PaaS Saas

 

More organisations are adopting a cloud strategy to leverage cloud services and enjoy the associated speed of development and deployment. One of the biggest challenges, however, is creating the balance that provides an appropriate level of governance over the use of cloud applications that still empowers users to leverage these services.

 

We recently highlighted a news article (read it here) about a tool that was able to trawl through Amazon Web servers and access potentially sensitive data hosted by a number of organisations. The tool highlighted flaws in the configuration of servers in the cloud. This is a good example possibly of a rush to deployment that left good cyber security practices behind.


In this blog series, we have discussed the need for a pervasive cloud centric cyber security approach that not just protects the user but also the data.

 

Cloud service providers are responsible for the security of their infrastructure, while organisations that use those services are responsible for user activities on top of that infrastructure. Cloud service providers will build security into their platforms and environment, however, if the data is being accessed by the wrong person or used inappropriately, they will not be aware of that. Additionally, they do not know what applications an organisation has approved or disallowed. 

 

The cloud centric security approach, therefore, needs to have extensive visibility of who is accessing applications and data and how they are using it. The security approach must have the ability to identify malicious infrastructure and protect sensitive data from it. Compromised accounts need to be identified as well as potential malicious insiders. The emerging security tool that addresses this security concern is the cloud access security broker (CASB).

 

A cloud access security broker helps organisations address a range of cloud security vulnerabilities by providing visibility into the applications in use, profiling them from a risk perspective, and enforcing policies especially around data loss prevention (DLP) and user activity.

 

A good CASB implementation will also provide for the retrospective discovery of sensitive data and malware in cloud applications. The CASB should also integrate with network based entities to give visibility into real time data, threats in motion, as well as preview historical use of cloud applications.

 

In our next episode, we will take a deeper look at CASB and how they can work more effectively with other security tools to secure the cloud.

Free eBook: A View of the Cybercrime Threat Landscape

 

$2,235,018 per year

The average amount SMBs spent in the aftermath of a
cyber attack or data breach due to damage or theft of IT
assets and disruption to normal operations.

The amount is staggering, and enough to jeopardize the viability of
many companies. Yet the business benefits that come with the internet,
Cloud computing and other applications are impossible to forego
and remain competitive.

That’s why business owners and executives are asking one question:

  • Is our internet safe?

If your service provider can’t demonstrate how it is making you
company less likely to become a victim of cybercrime, then it is time
to consider alternatives.

In this eBook, we’ll outline what companies are up against
today, and how Cisco Umbrella can help bring you peace of mind.

Download the eBook here!

What Next?

 

Trial Cisco Umbrella for 14 Days, completely free and no obligations!

If you have read the last few updates you should now have a deeper understanding of Cloud Security, that’s great! But what can YOU do about it? 

We are offering a 14 day trial of Cisco Umbrella, the industry’s first Secure Internet Gateway in the cloud.

Cisco Umbrella provides the first line of defence against threats on the internet. Because Umbrella is delivered from the cloud, it is the easiest way to protect all of your users in minutes.

It takes no time to install and you don’t have to provide any payment details (or even have a phone call).

So what have you got to lose? 

Click here to start your trial! 

See how easy Umbrella is to installwatch this video 

A View of the Cybercrime Threat Landscape

Download: A View of the Cybercrime Threat Landscape

$2,235,018 per year

The average amount SMBs spent in the aftermath of a
cyber attack or data breach due to damage or theft of IT
assets and disruption to normal operations.

 

The amount is staggering, and enough to jeopardize the viability of
many companies. Yet the business benefits that come with the internet,
Cloud computing and other applications are impossible to forego
and remain competitive.

 

That’s why business owners and executives are asking one question:

  • Is our internet safe?

 

If your service provider can’t demonstrate how it is making you
company less likely to become a victim of cybercrime, then it is time
to consider alternatives.

 

In this eBook, we’ll outline what companies are up against
today, and how Cisco Umbrella can help bring you peace of mind.

Download: A View of the Cybercrime Threat Landscape

Block 82% of cyber threats before they get you: How to secure the cloud

Cloud Security DNS

In our previous blogs, we looked at the changing IT landscape and how cyber security protection needs to change to meet the new challenges and threats.

 

  • We know that cloud adoption in the form of SaaS is pervasive.
  • Remote working is the norm providing increased flexibility, costs savings, higher productivity and generally a happier workforce.
  • More power is being devolved to branch locations as they contribute more to an organisation’s success.
  • Branches need more speed and direct internet access to more efficiently support the adoption of cloud.
  • IoT connectivity is growing apace as is mobile device connectivity which is outpacing fixed devices.
  • Cyber threats are increasing in scale and sophistication and we have experienced a number of attacks on a global scale, this trend is likely to increase and accelerate.

 

The rapidly changing IT landscape characterizes a new era of digitisation where IT adoption and automation of business processes is happening at a scale rarely seen before. The changes are bringing about a paradigm shift in our approach to providing cyber security where we need to essentially provide continuous, pervasive protection for known and unknown threats. As we continue in this series we discuss some technological approaches to delivering pervasive cloud centric security.

 

Securing DNS

We are aware of the pivotal role of DNS in getting us connected to literally any service we need to access, whether via email, web or a bespoke application. DNS is a service we always make use of. So how can securing a simple background process like DNS have a dramatic effect on an organisation’s cyber security posture?

 

DNS security can act as a form of perimeter security where the perimeter is pushed back to the source of the cyber threat. So the threat is initially blocked at the source or its point of origin. How this works is that the DNS points to a secure DNS service with up to date threat domain intelligence and machine learning that discovers and protects against emerging threats. Remember that 100% of organisations interact with known malware domains. Securing DNS will instantly block these connections as they are requested, as well as blocking future domains that have been identified as malware hosts.

 

If a previously infected device connects to the network or service, secure DNS will block the command and control call back to the malware domain and notify the security team.

 

This level of security is highly scalable in that it can be provided for an individual roaming client, a branch site or the organisation’s principle location.

 

Another useful feature is the ability to track normal behaviour for your organisation in terms of the rate and volume of requests over time. Anomalous behaviour can then be detected by comparing significant changes in normal behaviour.

 

A secure DNS solution will also provide detailed information about the malware domain such as IP addresses, associated domains and attacks associated with these domains. A robust, secure DNS solution could also provide a data feed into other security components in the organisation, thus sharing security updates that can be actioned elsewhere in the security stack.

 

In our next blog, we will take a look at how SaaS applications can be used in conjunction with secure DNS.

 

Trial Cisco Umbrella for 14 Days, completely free and no obligations!

If you have read the last few updates you should now have a deeper understanding of Cloud Security, that’s great! But what can YOU do about it?

We are offering a 14 day trial of Cisco Umbrella, the industry’s first Secure Internet Gateway in the cloud.

Cisco Umbrella provides the first line of defence against threats on the internet. Because Umbrella is delivered from the cloud, it is the easiest way to protect all of your users in minutes.

It takes no time to install and you don’t have to provide any payment details (or even have a phone call).

So what have you got to lose?

Click here to start your trial! 

See how easy Umbrella is to instalwatch this video 

Covering the Cloud: How to Secure the Cloud

We have discussed the changing IT landscape as the age of digitisation gains traction and growth in connectivity continue apace. The cyber attack surface is increasing and so is the scale and sophistication of attacks as identified by Cisco in it’s latest annual cyber security report.

Security breaches will continue to happen because there is too much going on in the organisations’ systems to provide complete protection especially with the growing sophistication of threats. The approach to security needs to embrace an approach that provides not only for known but also unknown threats. The approach needs to address cyber security before, during and after a cyber attack.

Some of the key features that need to be addressed with this new cyber security approach include;

Visibility Control

Users will try to use whatever they can to get the job done. Organisations need visibility and control of what applications are being used in the cloud and remotely, especially with the growth of new SaaS applications. Visibility enables an understanding of what is being used in line with policy, what is out of policy and what is a threat. Visibility is the first step to controlling and securing the organisations environment based on what services should be provided.

Securing Cloud applications

As SaaS applications are increasingly being deployed in public clouds such as Amazon Web Services and Azure, it is vital to ensure that the cloud platform is secure. Even though the cloud providers will deploy their own security solutions, organisations also need to implement independent security systems to secure the user and the data as this is not the responsibility of the cloud provider.

Extend protection to the edge

As remote connectivity and branch networking trends increase in popularity, the security solution should be adaptable to extend the necessary features such as firewalling, threat management and anti-malware capabilities to the edge of the network as opposed to the current centralised deployment.

Virtualise the security architecture

The need for security is now pervasive at the client, the branch, the HQ as well as public and private clouds where SaaS applications are located. This necessitates the capability for a virtualised security architecture where the panoply of security functionality can be deployed easily at any location.

Threat intelligence

Most organisations deploy security components from multiple vendors. An intelligent approach to securing information and systems in the emerging environment must make use of threat intelligence. This is the ability to take intelligence feeds from other sources such as other security vendors feed and make context based threat assessments relating to your organisation and what it means for you. This assessment can naturally feed into automated protection mechanisms.

This roundup of security requirements and features is a summary of what we need to look for in our security approach as we hurtle towards digitisation and a predominantly cloud based environment. In our next installment, we will discuss some practical solutions and explain what is now being termed the Secure Internet Gateway.

 

How To Secure The Cloud – The Here and Now

In our series exploring the changing IT security landscape, we look at the drivers behind cloud adoption and some of the challenges it presents.

 

Cloud adoption has gathered pace to become the dominant form of user access with Software as a Service (SaaS) applications becoming the norm. This growing trend means that direct branch access to the Internet is more common as organisations try to reduce barriers to good user experience and increased efficiency. In many instances organisations also seek to save money by replacing expensive WAN circuits in favour of direct Internet access.

 

Another trend that is also shaking up the provision of IT services and is the major benefit of cloud proliferation is the adoption of remote working. The flexibility that anytime anywhere access provides for both staff and business is well understood. Remote working does however pose its own significant security challenges. Surveys have indicated that over 80% of remote workers disable their VPN client in order to be able to surf the web without the restrictions of corporate policy. There is also the threat of people using compromised USB devices or connecting via unsecured public Wi-Fi.

 

There is a natural assumption that cloud application providers have secured their applications and therefore no additional security may be necessary as organisations migrate applications to the cloud. The reality is that there will always be the potential for cloud services and applications to be breached. Cloud applications are run on similar platforms and operating systems to those on premises, therefore many of the vulnerabilities still apply in the cloud environment.

 

 

Businesses need to approach cloud security with the same level of diligence that should be applied to corporate on premise IT services. The same type of protection for users and their devices is necessary wherever they are working.

 

What’s different about a cloud environment is that organisations are moving away from a HQ centric model where protection was centralised to include perimeter security such as firewalls, anti malware protection and maybe web or email security. The new cloud centric model is decentralised and virtualised which means our traditional approach is no longer valid.

 

In the next part of this blog we will discuss some of the other factors that need to be considered as we look ahead at how we address security in the new cloud environment.

Want a Quick Win? Secure your DNS

 

Ransomware is currently the number one form of cyber attack due to its profitability and simplicity in execution. It is now evolving as a business model where any ‘Joe Bloggs’ can buy ransomware code for a monthly fee – ransomware as a service. Ransomware thrives partly because of bitcoin and the associated anonymity of attackers who get paid via an untraceable cryptocurrency transaction. The stages of a typical ransomware attack include;

 

  • Stage 1 – Infection

Ransomware always starts with some host infection of malware via phishing attacks, or a website hosting malware

 

  • Stage 2 – Command and control setup stage

This handles the key exchange process to encrypt the files on the infected host

 

  • Stage 3 – Extortion stage

Payment of the ransom and then ‘hopefully’ getting the key to decrypt the encrypted files.

 

Ransomware is constantly evolving and not being breached yet is no guarantee that it won’t happen in the future.

 

Many organisations are using hope and anonymity as a risk mitigation strategy against ransomware – assuming they are small and have not been attacked yet. The fact is that the supply chain is now an increasing focus of malware attacks as a means of accessing valuable data through the back door of larger enterprises.

 

 

Anti-Ransomware Best Practices

 

As with every effective security approach you need a policy and a risk assessment of the threats so this is a given before we get into the type of approach and solutions that need to be in place. Please see some of our previous blogs or check out the NCSC website for some invaluable resource.

 

Phishing can be very sophisticated making it hard to tell if a link is bad or not. Effective protection cannot rely solely on end users, it must be engineered into the system with the right protection mechanisms correctly configured.

 

To start off with you need good anti-spam, anti-phishing and web controls to control the Internet traffic, this could be incorporated into a good endpoint protection solution. Use an email and malware analysis gateway to inspect executables for malware. The gateway should be configured to block files if there is any doubt about it’s authenticity. It is better to stop/delay web downloads so that they can be inspected and properly classified than to run the risk of infection.

 

78% of attacks exploit phishing so it is a good thing to correlate known exploits to the vulnerabilities in your organisation and prioritise patching based on known exploits.

Use network analysis and visibility tools to analyse traffic on the network so you can see what is changing and be alerted to abnormal behaviour.

 

If you do get infected, have effective Backup and DR policies and processes, and ensure that the recovery procedure has been tested and works.

 

DNS Security is the Quick Win

 

92% of cyber attacks make use of DNS at some stage or another through the execution of the attack. DNS is therefore the greatest opportunity to secure your network while having an immediate impact.

 

What if your systems know that a website url a client is trying to access via DNS resolution is a bad site, hosting malware. You could just block it and prevent any interaction with the malware in the first place. This form of protection can be immediate with no impact on client or application performance.

 

A web based infection is usually a 2 step process –  which redirects your web browser to another domain created using an exploit kit which finds a vulnerability in say Flash or Silverlight. The malware will then do a command and control (CnC) call back using DNS resolution to get an encryption key. Until the CnC connection happens there is no damage created.

 

Analysis has shown that most ransomware does a DNS call back, ransomware payment notification also uses DNS. The ability therefore to block a malware connection via DNS security at one or another step of the malware execution process can therefore prove to be the most effective way to implement malware protection.

 

An effective DNS security protection control can have the ability to identify the endpoints attempting the malware connection and therefore feed into the clean-up and mitigation plan.

 

An important service in addition to the above is the ability to query domains and file hashes from a central intelligence platform that has up to the  minute data on the bad domains so that your security incident response team has the ability to conduct intelligent investigations independently of any infections. For instance if you keep doing a DNS query for a site in Russia and you don’t have any business relationship in Russia, that’s something that you should query.

 

Another challenge is the decentralised nature of organisations due to remote working and the increasing importance of branch offices. Mobile devices such as laptops are the primary devices where user changes could compromise security. Around 80% of remote workers disable their VPNs when they browse the web. A DNS based security mechanism can help to maintain the security posture where these remote workers able to still make use of this form of protection even when they disable their VPNs. DNS security can protect any device including IoT, guest devices and roaming clients.

 

Correct implementation of DNS security could make it the first line of defence even before a connection is established by checking the DNS request and blocking bad sites. This will help the IT teams by freeing them up from a large number of alerts that would be generated if the malware had been downloaded.