
Security annual report_mid2010



The Cisco 2010 Midyear Security Report includes:

* Results and analysis from two new Cisco studies -- one focused on employee collaboration and the other on the concerns of IT decision-makers worldwide
* International trends in cyber-security and their potential impact on business
* Insight into how hackers penetrate “soft spots” in enterprise security to steal sensitive data and sell it to the highest bidder
* An update on global spam trends since late 2009 and spam volume predictions for 2010
* Guidance from Cisco security experts to help businesses improve their enterprise security by 2011


  1. Cisco 2010 Midyear Security Report: The impact of global security threats and trends on the enterprise
  2. Web 2.0, mobility, virtualization, and other dramatic shifts in how we communicate and collaborate are carving out a new landscape for business and for enterprise security. The Cisco® Midyear Security Report examines these changes and their impact on the enterprise, and highlights other significant trends and threats creating security challenges for organizations worldwide. The report also includes recommendations from Cisco security experts designed to help enterprises strengthen their security.
  3. Contents

     * Enterprises and the Tectonic Forces of Change (page 2)
         * Cisco Study: Collaboration Critical to Employee Success
     * The Technologic Shift: The Proliferation of Mobile and Connected Devices (page 4)
         * The Mobile Device Onslaught
         * What’s Disrupting the Enterprise? Consumerization of IT
         * Risk Alert: IP-Addressable Devices: Who’s Listening to Your Network?
         * What’s Disrupting the Enterprise? Mobility
     * The Economic Shift: Virtualization of Operations (page 8)
         * What’s Disrupting the Enterprise? Virtualization
     * The Demographic Shift: The Role of Collaboration and Social Networks (page 10)
         * Social Media for Enterprises: Upside and Downside
         * It’s 3 p.m.—What Are Your Employees Doing? Tending Their Virtual Fields
         * What’s Disrupting the Enterprise? Social Media
     * Worldwide Government Trends: The Impact on Business (page 13)
         * Multiple Governments, Multiple Stances on Security
         * Global Security Guidelines: Should Business Become a Player?
         * U.S. Government Update
         * Privacy Issues Moving to the Forefront
     * Taking Action to Reduce Innovation Gaps (page 16)
         * Criminals Now Protecting Their Intellectual Property
         * The Spread of IPv6 and Domain Name System Security
         * Risk Alert: A “Perfect Storm” of Technological Change
         * Explosive Growth in Connected Devices and Applications—Along with New Threats
     * Insight from the Security Researchers: Hackers Are Choosing Their Own Adventure (page 20)
         * Risk Alert: Advanced Persistent Threats
         * Risk Alert: The Downside of Being a VIP (or Just Working for One)
         * Small Targets, Big Rewards
         * What Keeps Your IT Security Team Awake at Night?
     * Five Ways Enterprises Can Strengthen Their Security by 2011 (page 25)
     * Security Trends: Midyear Notes (page 30)
     * Cisco Security Intelligence Operations (page 32)
         * Cisco Security IntelliShield Alert Manager Service

     All contents are Copyright © 2010 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Cisco 2010 Midyear Security Report 1
  4. Enterprises and the Tectonic Forces of Change

     The business world continues to evolve due to spectacular revolutionary forces that are changing the way we work, live, learn, and play, and how we communicate and share information. These changes aren’t something enterprises can choose to take part in or ignore; in fact, they’re already having a profound impact on your business and your life at this very moment, whether you are unaware of or welcome the change.

     These changes are part of the dramatic shifts—“tectonic forces”—that are making it essential for businesses to rethink their approach to enterprise security. Gone are the days when a network firewall would deter teenagers looking to hack into corporate databases for the challenge, notoriety, or for the fun of it. Now, serious and well-resourced criminals with business plans are intent on stealing both personal data and business intelligence they can sell—and perimeter-based security alone cannot stop them.

     What are these forces? Primarily, the rise of social networking, the enthusiastic adoption and proliferation of network-connected devices, and the embrace of virtualization are altering the threat landscape. Time travelers from the 1970s would barely recognize today’s workplace. They likely would be most surprised about not having to go to a specific location, such as an office, to get their work done. People are increasingly dependent on smartphones and other mobile devices for everyday communication, collaboration, and work, and are using this technology more often beyond the traditional office and network boundaries.

     Users also are relying on social networking services such as Facebook and Twitter, online collaborative work tools like Google Docs, and software-as-a-service (SaaS) applications that don’t live on the company’s servers. Even if an organization attempts to ban access to certain web services or sites, savvy users will find a way around these attempts to continue to access the services they find useful—and believe are necessary to do their jobs.

     How do these changes affect an enterprise’s plans to protect its data? Since workers now collaborate and share vital information outside of the workplace, security that’s limited to the network edge is bound to fail. The emerging “borderless network” has no defined edge or boundary; instead, it has many borders that are constantly changing. And for the most part, enterprises cannot effectively control the myriad devices/endpoints on the network.

     This hastens the need for a new model for security that acknowledges the movement of corporate data among offices, smartphones, workers’ home computers, laptops, Internet cafes, and any other place where employees choose to work. Workers want access to customer lists and project data from their iPhones and BlackBerry devices, whether they are sitting in the coffee shop near their office
  5. or waiting at an airport gate halfway across the world. The enterprise is tasked with granting them this “borderless” access, while ensuring the data stays safe.

     Effective controls are needed to address the potential security and productivity issues that can arise from uncontrolled access to social networking services. New data from Cisco shows that employees accessing interactive games via Facebook can spend an hour or more a day playing these games (see graphic on page 11 for details). To manage security and productivity, organizations should enact clear policies regarding access to social networking sites; in addition, they can consider limiting access to social networking to those employees whose jobs require it (for example, PR and marketing functions).

     There are technical challenges—and solutions—for this emerging environment. For a security solution to be effective, a change in mindset must take place. Too often, enterprises view security as an add-on, rather than a business enabler. IT departments tend to operate on the defense against security threats, instead of on the offense with long-range plans for managing security.

     In addition, employees are too often categorized as “part of the security problem” and not willing participants who can play a key role in improving an organization’s security process. Fearful of data loss or theft, enterprises may unilaterally bar employees from accessing webmail or social networking sites, or will forbid any smartphone that’s not approved for use by management. This way of thinking does little to improve security—as stated, workers will figure out how to circumvent rules—and makes for a resentful workforce.

     While some businesses may not see the value in making the technological and cultural shifts necessary for modern security, today’s threat landscape demands more comprehensive security to protect against criminals who operate online and are armed with the same sophisticated software tools (and talents) claimed by the most tech-savvy businesses.

     Criminal enterprises are entirely professional in their approach to stealing sensitive information. They are driven to succeed and receive the payoff. They also have key advantages that most network security administrators do not: plenty of time and resources to accomplish their tasks.

     Businesses are a prime target for today’s online criminals, which is why the Cisco 2010 Midyear Security Report is tailored for the business community. In particular focus are the three “tectonic forces” of change, which are dramatically altering the cybersecurity landscape:

     • The technologic shift: The proliferation of mobile and connected devices
     • The economic shift: Virtualization of operations
     • The demographic shift: The role of collaboration and social networks

     This report also examines another significant challenge organizations must face in the midst of all this dramatic change: responding to the demands of still-evolving security regulations and expectations in the countries where they conduct business.

     Some enterprises may find that meeting today’s security challenges is a daunting task, but many will find it’s worth the effort: Effective security practices are an asset that can strengthen a company’s reputation and competitive edge. The good news is that viable solutions do exist.

     Cisco Study: Collaboration Critical to Employee Success

     Today’s employees expect to collaborate extensively with their colleagues—and believe it’s not just beneficial, but essential to their careers and to the business. In a recent study, Cisco surveyed employees at midmarket and enterprise businesses in the United States and found that when workers embrace collaboration, they do so wholeheartedly. More than 75 percent said collaboration is critical to their success on the job; more than 90 percent said collaboration makes them more productive.

     The study divided respondents into four categories. Workers identified as “Collaboration Enthusiasts”—those who believe collaboration is a key business differentiator—use an average of 22 tools, including social networking sites, blogs, and wikis, to connect with colleagues. Respondents in the “Collaboration Laggard” group use far fewer such tools, often because their company doesn’t make them available.

     Competitive, entrepreneurial businesses should consider the type of work environment they want to foster and employees they would like to attract. If businesses intend to champion collaborative work processes, they must welcome the use of tools and solutions that may feel uncomfortable, from a security standpoint.
  6. The Technologic Shift: The Proliferation of Mobile and Connected Devices

     Workers are reaching unprecedented levels of productivity because they are more connected to each other and the information they need than ever before. In the past, individuals were first exposed to “cutting-edge” technology in the workplace, and it took years for business-world innovations such as computers and copiers to become fixtures in the home environment. But the consumerization of IT—where new technology is adopted by consumers even before it is introduced into the enterprise—has changed the direction of technological innovation. In fact, many individuals today have more computing power in their homes than in the workplace.

     While having a more efficient workforce is obviously a positive for businesses, the proliferation of not only mobile, wireless devices—but also connected devices—in the enterprise creates security challenges for IT departments. Unsupported laptops and smartphones (such as RIM BlackBerry devices, Google Android phones and the Palm Pre), consumer devices (such as Apple iPods and iPads), and IP-addressable devices (ranging from digital cameras to digital printers) are being pushed aggressively into the workplace by employees at all levels, from recent college graduates to C-level executives. Users embrace new technology in their personal lives and resist the idea that they can’t use the same devices and applications at work—even if their company’s security policy and the IT department enforcing these rules forbid it.

     However, the trend toward consumerization of IT is not just about workers demanding that they be allowed to use trendy new devices for business instead of bland, corporate-issued mobile phones or laptops. This is about employees bringing a range of devices into the enterprise that they believe they must have access to for optimal productivity. Consider what the average young adult (a member of the future workforce) will “need” to take to college this fall: a laptop or netbook, a smartphone, an MP3 player, gaming console, digital video recorder, video camera, and digital camera. And all these devices can connect to the Internet—and more often now to each other, as well.

     The Mobile Device Onslaught

     It was only a few years ago that the typical consumer or office worker had only one connected device—and, in most cases, it was a Microsoft Windows PC. But dramatic advancement in both communications technology and consumer electronics means that we are living and working in an infinitely more complex environment surrounded by a diverse range of devices that can easily connect to the Internet, to each other, and, quite possibly, to your company’s network.

     IT groups struggle with mobile device management because there are so many devices in a variety of form factors in employees’ hands—and with them comes an endless array of software platforms, mobile applications, and
  7. service providers. Users also constantly switch devices to take advantage of the latest technology development. And inevitably, they lose devices—or allow them to be compromised or stolen. It would be ideal, of course, if IT could manage all mobile devices in use in the enterprise through their entire life cycle, but due to the consumerization of IT, they don’t have that control. Nor does IT have the resources to even attempt to micromanage each individual device that is not issued or supported by the enterprise.

     There is no questioning IT’s challenge: The number of mobile and wireless-enabled devices in use worldwide is growing exponentially—as are the number of remote and mobile workers. In the United States alone, more than 257 million data-capable devices were in circulation at the end of 2009, compared with 228 million at the end of 2008, according to CTIA, a nonprofit wireless industry organization.[1] Research firm IDC predicts that by 2013, the number of mobile devices—smartphones and wireless devices—accessing the Internet will surpass 1 billion.[2]

     Enterprises can expect smartphones to be a primary focus for attackers because of their popularity—and the fact that they are becoming the productivity and communications device of choice for many workers. Infonetics Research anticipates that smartphones will be the only mobile phone segment to post double-digit annual revenue growth over the next five years. And according to Gartner, “Most users in 2010 will use a PC as their primary Web access device and their phone as a secondary access device. However, as take-up of smartphones spreads globally, there will come a point in 2015 when the mobile phone will overtake the PC as the most common primary device for Web access worldwide.”[3]

     To be sure, serious threats—such as worms and malicious code—are in the future for mobile devices. The first iPhone worm, “Ikee,” appeared late last year, written by an unemployed programmer as a prank. It was a small-scale incident: The worm targeted only Australian users with “jailbroken” smartphones (phones modified to run unauthorized software), replacing the device’s wallpaper with an image of 1980s pop star, Rick Astley.[4] But more sinister actions are likely not far behind: Researchers at Rutgers University recently warned of rootkits that can undermine a smartphone’s operating system and allow criminals to eavesdrop

     What’s Disrupting the Enterprise? Consumerization of IT

     Devices and applications that are first adopted by users outside the work environment have made great inroads within businesses—but not without raising tough questions about their impact on enterprise security. Use of technology that is not supported by the enterprise may violate corporate security policies and may pose a risk to the organization’s compliance with regulations related to data security.

     Action Item: Set strict controls for access to business data.

     For many organizations, refusing to allow employees to use the technology they prefer in the workplace is not a sustainable approach to security. Still, not all devices are appropriate for everyone in the enterprise. Do all employees, from the C-suite down through the organization, need access to all business data on their smartphones? It is unlikely. Businesses should ask tough questions about who truly needs such access, since there is benefit in limiting borderless access to information.

     Start conservatively by restricting as much access as possible, and then relax requirements on a case-by-case basis. In addition to restricting access by users, consider limiting access by data—for example, some intranet pages should be accessible to everyone using an approved smartphone, while certain customer relationship management (CRM) applications should not be accessible at all through this vector. Talk with your security vendor about solutions designed to help protect the company’s network and data, regardless of what device an employee uses to gain access to the corporate network.

     [1] “CTIA-The Wireless Association Announces Semi-Annual Wireless Industry Survey Results,” media release, March 23, 2010.
     [2] “IDC: 1 Billion Mobile Devices Will Go Online by 2013,” by Agam Shah, December 9, 2009.
     [3] Gartner’s Top Predictions for IT Organizations and Users, 2010 and Beyond: A New Balance, G. Gammage, Gartner, Inc., December 29, 2009.
     [4] “Jailbroken iPhones: set free to get mugged,” by John Cox, John Cox on Wireless, Community, November 10, 2009.
  8. on conversations, steal personal information from phone directories, and even track a user’s whereabouts.[5]

     Many criminals will likely spend little time on individual users, though, and instead focus on using their mobile devices as a way to gain access to corporate networks, compromise hosts, and harvest sensitive business data (see Insight from the Security Researchers: Hackers Are Choosing Their Own Adventure, page 20). Cybercriminals are more focused today on overcoming network security than simply defeating a device—the goal is to get into the network and stay there for as long as necessary or possible.

     Mobile devices represent just one potential inroad into the network for those intent on doing harm. There are more worries for businesses than smartphones: Every connection point is vulnerable—from rogue hotspots to insecure service providers, including webmail, application, portal, and cloud service providers. Complicating matters is that many devices are now capable of sharing data with each other wirelessly, and with little effort on the part of users to make a connection.

     Wi-Fi Direct technology, for example, built into many consumer devices now entering the market, allows consumer devices to establish connectivity through Wi-Fi, other devices (including peripheral devices, like printers), or another network without any setup—or even to create a Wi-Fi “hotspot.” Essentially, every supported device becomes a mini access point that can connect with other Wi-Fi-enabled devices within a 300-foot range.

     These ad hoc connections are convenient for end users, but they create obvious soft spots for data security—and underscore IT’s challenge in maintaining adequate visibility into and control of the highly populated and active endpoint landscape in the enterprise. It should be noted that the Wi-Fi Direct specification contains security features to prevent peer-to-peer devices from compromising corporate networks.[6] Still, the onus is on enterprises to make sure that WPA2, an encryption technology that protects data flowing between Wi-Fi radios and access points, is enabled on the network.[7]

     Risk Alert: IP-Addressable Devices: Who’s Listening to Your Network?

     The concept of a “networked refrigerator” that’s connected to the Internet may seem like a running joke among watchers of the Internet’s infiltration onto a host of devices, but at a time when cars with Internet-enabled dashboard screens are being introduced, the idea of more and more business devices that can communicate on a network doesn’t seem so far-fetched. And as wireless devices beyond the usual desktop and laptop computers start connecting to corporate networks, the threat window only grows: Criminals need to find only a single unguarded “in” to begin snooping into a network.

     It is not difficult to find the open doors. Wireless printers, for example, which are now commonplace in the enterprise, can retain digital images—a potential boon for data thieves. And what about the digital camera that can seek a connection to a laptop that happens to be connected to a corporate network? The camera and the laptop establish a wireless connection, making it possible for the user of the digital camera to “leapfrog” directly into the corporate network. The data being passed between wireless devices is also vulnerable, and could easily be hijacked and used inappropriately.

     The variety of endpoints that are capable of being connected, or are already connected, is astonishing. This interconnectedness will escalate, as will the effects it will have on our networks. In just a few years, every door lock, card reader, video camera, vehicle, power meter, and light switch will have an IP address—at least in the business world. Therefore, from a security standpoint, it will become increasingly important—within the enterprise and within our homes (since many of us are now mobile or remote workers, too)—to segment and firewall different classes of devices in a network.

     Enterprises also should keep in mind that their “smart” office devices can be sources for data loss in other ways—no wireless connectivity required. For instance, data thieves may only need to make a small investment in a few used digital copiers to reap a big return in their hunt for sensitive data: An investigative report by CBS News showed how easy it is to retrieve tens of thousands of documents from digital copiers that have not had their hard drives sanitized prior to resale. Among the information found: Design plans for a building near “Ground Zero,” the site of the 9/11 terrorist attacks in Manhattan, and 95 pages of pay stubs with names, addresses, and Social Security numbers for employees of a New York construction firm.[8]

     [5] “Smart phone under threat of attacks,” by Alexey Kushnerov, March 1, 2010.
     [6] “New Wi-Fi Direct Gets Peer-to-Peer Connections,” by David Coursey, October 14, 2009, peertopeer_connections.html.
     [7] Wi-Fi Alliance FAQs.
     [8] “Digital Photocopiers Loaded with Secrets,” by Armen Keteyian, CBS News, April 15, 2010.
  9. What’s Disrupting the Enterprise? Mobility

     Data is on the move like never before. According to the Cisco Visual Networking Index (VNI) Global Mobile Data Forecast, 2009–2014, mobile data traffic will continue to double every year through 2014 (with video, the bandwidth hog, representing more than 66 percent of the world’s mobile data traffic).[9] Moving that data: smartphones and portables (91 percent), according to Cisco research.

     Data transcending borders and boundaries can undermine even the best-laid plans for corporate security. Currently, however, most enterprises mold their mobile security strategies around compliance measures—such as United States (U.S.) requirements like the Health Insurance Portability and Accountability Act (HIPAA) and Payment Card Industry Data Security Standard (PCI DSS)—relating to how personal information, both stored and in motion, is protected by businesses.

     Government regulations, the lawsuits, fines, and reputational damage that can result from noncompliance, and security breaches are all significant motivators, of course, but companies need to think beyond these requirements if they want to embrace mobility fully as a way of working and exchanging information. Compliance does not equal security—nor does it take into account all sensitive information that an enterprise may want and need to protect.

     Action Item: Create a formal corporate policy for mobility.

     Step 1: Find out how mobility is happening in the corporate environment—and why—to build appropriate security parameters. Understand what the business value of mobility is for the enterprise. The approach will vary by company and industry (for example, an educational institution’s security concerns around mobility are likely to be quite different from those of an energy company with a nuclear facility).

     Step 2: Create an acceptable-use policy that outlines the devices that are supported by the enterprise. Outline what disciplinary actions may result due to noncompliance with corporate policies relating to the use of mobile devices. Explain why certain devices are not permitted in the enterprise (and if/when that policy might change).

     Step 3: When crafting a policy, keep in mind that it should be flexible enough to cover both immediate and future security concerns. Take into consideration what the organization might need to compete in the future and attract top talent—particularly from the very mobile, very connected Generation Y.

     Step 4: Educate the workforce. Communicate—and enforce—the policy across the organization. But keep in mind that secure mobility is not just about enforcing acceptable-use policies from a human resources or legal standpoint: It’s also about the safety of the network.

     Step 5: Manage the device life cycle. You may not be able to manage every mobile device in the enterprise, but you can inventory every device you do control. Note the level of access of the user. Can the user access sales figures, personnel files, or customer data? Through this process, create a record of who is accessing what information, with what device (or application), and for what reason.

     In addition, make sure you have the ability to lock and/or wipe clean a device automatically and remotely after employment termination or if a device is lost or stolen—a critical security measure. Consider the example of an HR department staff member who loses a device with employees’ personally identifiable information saved on it. That data, once exposed, could be used inappropriately by identity thieves and can create serious legal and disclosure woes for the company.

     Mobile security also needs a system-level approach that goes beyond setting acceptable-use policies. Enterprises should implement tools that allow visibility into wireless environments and detect security threats as they emerge so they can take swift action.

     [9] Cisco Visual Networking Index (VNI): Global Mobile Data Traffic Forecast Update, 2009–2014, white_paper_c11-520862.html.
  10. The Economic Shift: Virtualization of Operations

     When news about the virtualization of commonly used business solutions makes the front page of major newspapers’ business sections on a regular basis, it’s time to acknowledge that this trend is having a significant impact on the enterprise.

     This is largely good news. Businesses can afford to gain access to services they might not otherwise be able to purchase as on-premises solutions. They can free up capital to use for other parts of the business. They can make greater strides toward “going green,” reducing office square footage and travel costs. And workers don’t need to be in the office to access the systems they need to be productive.

     The downside of virtualization of business solutions lies in the security of the data. Where is information going and who has access to it? How strong are access controls? What protections are built-in to prevent breaches?

     However, this type of virtualization does offer some resiliency that may aid security. For instance, if the workplace is disrupted because of an attack on systems or structures (at the farthest end of the scale, a terrorist attack), employees can continue with day-to-day operations from anywhere they happen to be—assuming, of course, the cloud infrastructure itself wasn’t attacked. Since data is not resident on end devices, such as laptops or smartphones, theft or loss of equipment isn’t as dire a scenario for businesses. In addition, building scalable policies around upgrades is easier in the cloud environment. (See page 9 for key questions to ask when adopting the use of cloud computing solutions.)
  11. What’s Disrupting the Enterprise? Virtualization

     As with consumer devices, virtualization invites enterprises to grant visibility and data access to a wide swath of workers, and often, customers and partners. Enterprises must learn how to manage this new twist on technology and available assets.

     The way to mitigate the potential risks of virtualization is to ensure granular, per-user application and data policies are enforced on virtualized systems. Vulnerability management can help ensure that easy-to-fix security gaps aren’t ignored, and disaster/continuity planning can help make use of virtualization’s advantages for keeping an enterprise operational.

     From a security and data protection standpoint, virtualization demands that enterprises change their perspectives toward identity, compliance, and data. To address disruptive trends such as mobile device adoption, the borderless enterprise, software virtualization, and the concept of “any device, anywhere, anytime,” enterprises must implement:

     • Identity life-cycle management, “persona” reconciliation, and authentication convergence planning capabilities
     • Data-centric policy shifts, such as greater focus on understanding data in motion and data governance
     • Software and asset management, identity-enabled networking service/platform cost control and recovery, and service management models
     • Secure access for partners, as more businesses outsource core business functions to outside organizations

     It’s also a good idea to negotiate comprehensive service level agreements (SLAs) with cloud providers and retain the capability to audit those services as necessary.

     Action Item: Invest in tools to manage and monitor cloud activities.

     Virtualized platforms do allow for new avenues of data loss; for instance, a virtualization administrator can perform certain actions, such as removing data or shutting down virtual machines, without the enterprise being aware. In the old “physical world,” these types of activities would have required the addition of hardware devices, or the installation of software on the operating system itself.

     While some loss of control over data is inevitable with virtualization, businesses should take advantage of technology that provides some visibility into systems not based entirely on-premises. Solutions on the market include those that offer “health checks” and performance dashboards to help IT manage cloud services. Organizations also should schedule yearly reviews of where data resides.

     Action Plan for Adopting Cloud Computing

     Businesses are allowing many audiences—employees, partners, vendors, and customers—to benefit from working with solutions based on the cloud computing model. Below are some basic steps to take, and questions to ask, when bringing these solutions into your business.

     Assess your organization’s overall understanding of cloud computing.

     • Discuss functionality and risks.
     • Assess current policies and operating practices.

     Ask the basics first: Why cloud computing?

     • Understand business drivers propelling you towards cloud computing.
     • Will sensitive data or business operations be hosted in the cloud? If so, why?
     • Develop a preliminary risk outline to work and build on.

     Outline a solid communication, awareness, and education plan.

     • Develop custom sessions for executives, plus general content for all employees.
     • Establish a “Cloud Board” of business and technical leaders to work through adoption strategies.
     • Avoid organic growth models that are cumbersome to operate, scale, or secure.
     • Measure consumption trends and determine risk tolerance.
  12. 12. The Demographic Shift: The Role of Collaboration and Social Networks

It’s important to understand how prevalent—and valuable—social networking is to today’s workforce. In particular, the “millennials”—people defined as 30 years old and younger, often referred to as “Generation Y”—may be spending less time using traditional business tools like email in favor of social networks. In its recent report on millennials’ use of technology, management consulting, technology services and outsourcing company, Accenture, found that younger millennials spend slightly more than four hours a week on work-related email, compared to almost seven hours a week for older millennials. (While the study didn’t address older workers, one can reasonably assume that workers in their 30s and 40s spend well over seven hours a week on email.) Instant messaging and texting, often via social networks, are replacing email as the favored communications tool for this generation.

Accenture also found that millennials make heavy use of social networking sites while on the job, whether their employers allow them to or not. According to the report, 45 percent of employed millennials use social networking sites when they’re at work, but only 32 percent say that this use of social networks is supported by their IT departments.

A similar survey from Cisco also found that when workers want access to social networking technologies, they’ll get it—even if it means circumventing corporate policy. The Cisco “Collaboration Nations” study surveyed IT decision-makers as well as employees from organizations around the world. The study reported that 50 percent of end users admitted that they ignore company policy prohibiting use of social media tools at least once a week, and 27 percent said they change the settings on corporate devices to access prohibited applications.

At the same time, social networks like Facebook, first colonized by college students, are exploding in population and, not surprisingly, have become places to conduct business. Facebook has an audience that continues to grow at exponential rates: The site currently has 400 million active users, and that number is projected to grow to 1 billion by the end of 2010. Recognizing that the enterprise market is a lucrative one, social media companies are introducing tools specifically designed for this audience.

An instant-gratification workforce is emerging: Generation Y was raised with mobility at their fingertips, and IT needs to adapt its strategies accordingly (as online criminals will).
  13. 13. Social Media for Enterprises: Upside and Downside

Social media has become both a groundbreaking collaboration tool for enterprises moving toward the borderless network and a prime venue for the launch of attacks against individuals in the business. The Enterprise 2.0 trend may be cause for cheering from workers who embrace social networking tools, but it can lead to sleepless nights for executives who believe it opens the door to data loss, hacking, and reduced productivity.

Attempts to steal data launched via social media certainly pose enough of a threat to businesses—as any user of social networking sites has undoubtedly noticed, their friends and family members seem to spread malware inadvertently on a regular basis. And as data theft attempts launched via email become less successful, criminals continue to focus their attention on social media. According to data compiled by ScanSafe, now part of Cisco, less than 1 percent of malware encounters in enterprises in 2009 were driven by users clicking links in webmail. In the first quarter of 2010, this number rose to 1.4 percent. This likely indicates that users are more cautious about responding to suspect email, and that email filters are doing their job.

Many enterprises, fearing the spread of malware and productivity losses, have clamped down on use of social media networks (as well as instant messaging) in the workplace, even though workers want access to them. According to ScanSafe data, 64 percent of ScanSafe’s customer base blocks access to social networking sites for 50 percent or more of their staff.

It’s 3 p.m.—What Are Your Employees Doing? Tending Their Virtual Fields

According to Cisco data examining how its customers’ employees use Facebook, 7 percent of Facebook users spend an average of 68 minutes per day playing the popular interactive game FarmVille. Mafia Wars was the second most popular game; the 5 percent of employees who play Mafia Wars rack up 52 minutes of play daily. Café World, another popular game, is played by 4 percent of Facebook users for an average of 36 minutes per day. (See the chart below for statistics on other applications.)

These numbers raise the question of whether enterprises should limit access to these interactive games, and by association, the social networking sites on which they operate.

While there may not be an immediate security risk in game-playing, it’s safe to assume that online criminals are developing ways to deliver malware via popular applications. Heavy users love to search the web for cheats and tricks for better play, so they may fall victim to malware-laden links or spam messages offering such shortcuts.

However, if enterprises respond to this threat by banning all access to social networking sites, they may damage workers’ ability to collaborate and communicate in a changing business environment. “Businesses must balance the need to provide access to collaboration tools with the need to manage enterprise security,” says Christopher Burgess, senior security advisor at Cisco. “The smartest solution is to create explicit policies governing the use of certain features, such as games, within social networking solutions. In addition, businesses need to be aware of exactly how and where workers are using such features.”

How can enterprises minimize the threats that arise from the introduction of social media into the business? The best tactic is to develop a corporate social media handbook that includes information security policies and codes of conduct.

Facebook Application | Average browse time per user per day (min)
FarmVille | 68
Mafia Wars | 52
Café World | 36
Treasure Isle | 19
Zoo World | 18
Mind Jolt Games | 13
Country Life | 11
Restaurant City | 11
FishVille | 10
PetVille | 10

Data from April 2010. Source: Cisco Security Intelligence Operations

Interactive games have proven popular with Facebook users. Enterprises should set guidelines for where and how employees may access such games at work.
  14. 14. What’s Disrupting the Enterprise? Social Media

Employees are pushing the boundaries of acceptable use of social networks and are slowly convincing even the most conservative enterprises that judicious use of these networks can benefit the business. But where, and how, are lines drawn?

For instance, enterprises may ban employees outright from using social media networks that offer messaging or chat, even though more and more business takes place via these messaging systems. If, for example, a company discovers that its customers and partners routinely use Facebook to stay in touch on projects, how does the business allow such access without giving workers free rein to distribute sensitive corporate information via these networks?

Businesses are slowly recognizing the power of social networking, but they haven’t been quick to establish structures for its safe and secure use. A recent study sponsored by Cisco and conducted by leading business schools in Europe and the United States showed that organizations are lagging in governance and IT involvement when it comes to their social networking strategies:

• Social networking tools are making their way into many parts of organizations, such as human resources, marketing, and customer service. Small- and medium-sized businesses are using social networks for lead generation.
• Only one in seven of the companies participating in the study have established formal processes for adopting social networking tools for business purposes.
• Only one in five businesses said they had policies in place for the use of social networking tools.
• Only one in 10 survey respondents said their IT departments had direct involvement with social media initiatives.

Action Item: Provide employees guidance.

Ideally, businesses would create policies that cover every possible incidence of social media use (and abuse). However, creating comprehensive policies may not be realistic, since the impact of social networking is still unfolding.

At minimum, enterprises should institute a process for allowing questions about social media usage to be directed to the correct decision-makers in the organization—in the absence of an environment that welcomes discussion, employees may make bad decisions that impact corporate security.
  15. 15. Worldwide Government Trends: The Impact on Business

As organizations adapt their security strategies to meet new and emerging technologic, economic, and demographic challenges, they also must acknowledge another powerful force: globalization. This, too, is having a significant impact on how and where business is done, and it’s influencing security practices.

Multinational organizations, or those looking to do business on the global stage, must navigate the complexities and balance the demands of differing standards and attitudes toward security issues such as data loss protection and privacy in the various countries where they conduct—or want to conduct—business. If an enterprise adheres to certain standards in its primary markets of operation, will it be willing to make the effort to tighten the rules if it moves into a market where standards are more stringent—or conversely, loosen them, and perhaps put security and privacy at risk, in a market where standards are more lax? Businesses should recognize this challenge and work globally to ensure consistent policies that protect and encourage innovation.

Multiple Governments, Multiple Stances on Security

The differing standards among countries for maintaining the security of corporate data can be a source of frustration for businesses. Many countries are concerned with the effects on economic and national security arising from cybersecurity. Policymakers across the globe are trying to find approaches to security that both protect the assets of their citizens and function globally. This conversation will continue for some time, but enterprises should be aware that policymakers may issue conflicting requirements.

Take, for example, the acts against major businesses, including Google, that are alleged to have occurred mid-to-late last year. These actions, dubbed “Operation Aurora,” involved a botnet that compromised computers in an effort to steal corporate information and break into email accounts. Google reported theft of its intellectual property and also said that Gmail accounts of prominent human rights activists had been attacked.

Google executives, also unhappy about China’s ongoing censorship of search engine results, announced in March that they would begin redirecting Google users in China to uncensored search results using servers based in Hong Kong. As of mid-March, business repercussions of this decision were becoming evident: According to The New York Times, China Mobile, the country’s biggest cellular company, would cancel a promotional deal placing a link to Google on its mobile Internet homepage. But the story has no clear ending—as this report went to press, Google said it was responding to threats from the Chinese government to revoke its operating license by changing (yet again) its approach to dealing with Chinese users.
  16. 16. To the extent that enterprises are subject to nonstandard requests from the governments of countries with which they do business—like the request to use nonstandard encryption—organizations must decide if they will consent to these demands, and how they will protect their customers and employees from possible data breaches if they do so.

There are signs that governments may band together to add some cohesion to the varying security and privacy standards across borders—especially since the rise of country-specific security requirements threatens to fragment the global interoperability of the Internet. Common Criteria is a set of security standards that many countries and enterprises (including Cisco) have adopted to enforce security standards while striving to attain global interoperability. And in March, British lawmakers called for a Europe-wide approach to cybersecurity instead of ad hoc fixes country by country, as “the collapse in cybersystems in one country can overlap in others.”[10]

Global Security Guidelines: Should Business Become a Player?

It’s not only the U.S. government that is prioritizing cybersecurity. Governments, aware of the national security implications of critical infrastructure assets owned and operated by the private sector, are beginning to encourage more private-public sector security cooperation.

Private entity assistance is particularly valuable for organizations that are working to establish standards across borders. For instance, global nonprofit Internet Corporation for Assigned Names and Numbers (ICANN), which assigns the Internet’s domain names and IP addresses, has a Government Advisory Committee consisting of local government representatives, as well as task forces comprised of relevant businesses, such as networking companies and equipment vendors.

The U.S. federal government is reaching out to the private sector to develop standards as well. In March, U.S. Chief Technology Officer Aneesh Chopra emphasized the need for collaboration between the government and private sector in a blog post on the Office of Science and Technology website. He wrote, “It is more important than ever that federal agencies work effectively with the private sector to ensure that meaningful standards can be in place to meet urgent national needs.” He added, “The right starting point is to ensure that federal agencies work closely and effectively together to define their standards needs, define their approach to working with industry and standards organizations, and support their meaningful adoption by markets.”[11]

One issue to consider when implementing these partnerships: If an enterprise partners with one government, it may lose out on business from another country because they may believe the business would relay sensitive information between countries. In addition, a business’s own customers may suspect that the enterprise is getting too close for comfort with government officials, and may be sharing private customer data. These perceptions need to be managed directly and proactively if businesses intend to proceed with certain types of government partnerships.

There’s another twist to the security partnership angle: the idea of enterprises creating information sharing committees (ISACs) to share more information about the threats they encounter. This is not a new concept, but it’s one that should take on more urgency as threats increase. After all, the miscreant community is collaborating. According to the Dark Reading security news web portal, the Bay Area CSO Council, whose members comprise chief information and security officers from leading San Francisco and Silicon Valley area businesses (including Cisco), is already stepping up this information sharing.

“When an advanced persistent threat (APT) attack occurs, many members are on the phone with one another three times a week rather than for just their regular monthly teleconferences,” reports Dark Reading. The council is also creating an online portal where members can record data about attacks and threats, hopefully correlating information and sharing advice on defensive tactics.

U.S. Government Update

Over the past year and a half, businesses of all types have been monitoring the Obama administration’s progress on strengthening U.S. national cybersecurity, wondering how they might benefit—or perhaps be affected adversely—by new rules and expectations set by the government. They also wonder what they may be asked to change or provide to help the president meet his ambitious goals.

There has been concrete progress on several fronts since President Barack Obama unveiled his cybersecurity plan shortly after taking office in 2008. The administration remains focused on cybersecurity issues, and it can be said that cyberdefense in the U.S. government, and in the country at large, is improving. There is increasing transparency, for example, with more reporting of threats, intrusions, and hacking incidents related to unclassified systems. Just as in the private sector, however, the threat of cyberattack remains a significant issue for government.

Director of National Intelligence Dennis Blair, who stepped down from his post in mid-May, highlighted the issue for the U.S. Congress earlier this year, indicating that the nation’s computer networks remain vulnerable to intrusion or disruption, and that criminals are stealing information from the government and private sector every day. He told lawmakers, “Malicious

[10] “Europe ‘vulnerable to cyberattack,’” by Bobbie Johnson, March 18, 2010.
[11] “Providing Leadership on Standards to Address National Challenges,” by Aneesh Chopra, Office of Science and Technology Policy blog post, March 24, 2010, blog/2010/03/24/providing-leadership-standards-address-national-challenges.
  17. 17. cyberactivity is occurring on an unprecedented scale with extraordinary sophistication.” Blair also referenced the Operation Aurora incident in 2009 (see page 13) as a “wake-up call” for U.S. officials. He emphasized that “cyberspace [cannot be protected] without a coordinated and collaborative effort that incorporates both the U.S. private sector and…international partners.”[12]

While the Obama Administration’s efforts to create a national cybersecurity plan have been considerable, continued development has slowed as debate continues over authorities, roles, and responsibilities between the public and private sectors.

There has been increasing dialogue between private industry and the government about improving U.S. cybersecurity—both domestically and globally. Cybersecurity coordinator Howard Schmidt wrote on the White House website in March 2010: “In order to be successful against today’s cybersecurity threats, we must continue to seek out innovative new partnerships—not only within government, but also among industry, government, and the American public.” President Obama appointed Schmidt as the first White House cybersecurity coordinator in December 2009. His choice of Schmidt, who has 40 years of experience in government, business, and law enforcement, was well received by cybersecurity professionals.

Another high-profile initiative by the Obama administration starting to take shape is the U.S. Cyber Command (U.S. CYBERCOM). Part of the Department of Defense, CYBERCOM’s purpose is to protect military networks against malicious cyberattacks. President Obama’s nominee for the first U.S. CYBERCOM commander, Army General Keith B. Alexander—who also leads the U.S. National Security Agency (NSA)—was appointed in late May 2010 and given a fourth star. His appointment officially established the initial operating capability for the new command, which should be fully operational by the end of this year. About 2500 personnel are expected to be hired and positioned, primarily at Ft. Meade, Maryland, where U.S. CYBERCOM is located and the NSA is based.

One concern expressed when General Alexander was nominated to lead U.S. CYBERCOM was that he is also the director of the NSA, and would therefore assume a “triple-hatted” role because he also leads the Central Security Service. However, General Alexander told the Senate Armed Services Committee in April 2010 that if confirmed for the top role at CYBERCOM, he would not try to “militarize cyberspace” and would focus on safeguarding the integrity of the military’s critical information systems. In addition, he pledged that he would work to protect the privacy rights of Americans.[13]

Meanwhile, cybersecurity-related hiring at the Department of Homeland Security (DHS) has been slowly increasing, as last fiscal year it was given more than US$385 million for new personnel. The DHS has been working to locate available talent and has been aggressively seeking candidates from outside the government because there simply aren’t any existing personnel to spare—and getting clearance for those they do hire is a lengthy process (as long as 12–18 months for certain positions). The DHS is also exploring hiring existing contractors for full-time cybersecurity roles.

Privacy Issues Moving to the Forefront

In the year ahead, expect the discussion around civil liberties and privacy issues to intensify in the United States, in particular, as the country takes a more defensive posture with its cybersecurity. Why should the private sector pay attention? Because they may end up doing the “heavy lifting” on these issues, with the Congress and the American public asking what companies are doing to help protect against the erosion of citizens’ privacy, while also doing their part to help strengthen national cybersecurity.

Meanwhile, businesses have been airing their concerns to the government about privacy, but from a different angle—specifically, how disclosure about an attack can undermine their competitive edge and damage their reputation. At the RSA Conference in March 2010, U.S. Federal Bureau of Investigation (FBI) Director Robert Mueller pledged “minimal disruption to business with protective orders and increased privacy for U.S. corporations who suffered data breaches, in order to avoid loss of reputation and brand—despite the momentum of federal and state data breach disclosure laws.”[14]

He said, “Notifying the authorities may harm your competitive position. We will minimize the disruption into your business. We [will] work together to limit the breadth and scope of [the] attack. For every investigation in the news, there are hundreds that will never make the headlines. Disclosure is the exception, not the rule.”[15]

“The government is not going to secure the private sector. [But] we are making sure our private sector partners have more security as part of what we are doing.”
—Howard Schmidt, U.S. cybersecurity coordinator

[12] “Annual Threat Assessment of the U.S. Intelligence Community for the Senate Select Committee on Intelligence,” testimony to the U.S. Congress by Dennis C. Blair, Director of National Intelligence, February 2, 2010.
[13] “NSA Director Says Cyber Command Not Trying to Militarize Cyberspace,” by Brian Prince, April 15, 2010, Not-Trying-to-Militarize-Cyberspace-602442/.
[14] “RSA: FBI Director Calls for Action Against Cyber Threat,” by Stefanie Hoffman, ChannelWeb, March 5, 2010.
[15] Ibid.
  18. 18. Taking Action to Reduce Innovation Gaps

To date, governments and law enforcement worldwide have been making slow progress on improving cybersecurity and increasing the fight against cybercrime. Meanwhile, cybercrime continues to grow: Last year, in the United States, the total loss linked to online fraud was US$559.7 million—up from US$265 million in 2008.[16]

Why are cybercriminals so successful? In their shadow economy, just as in the commercial business world, those who move fastest and use technological innovation to their advantage succeed or displace the competition (see Criminals Now Protecting Their Intellectual Property, page 17). It’s simple Darwinism: The most agile survive.

For all the innovation in adopting technology in the private sector, in some areas criminals move even faster. While many legitimate businesses are still weighing the benefits of embracing social networking and peer-to-peer technologies, cybercriminals were early adopters of these innovations and are using them not only to commit crime, but to enhance their communication, refine and promote their areas of expertise, and speed their transactions with each other.

In Russia, for instance, social networks were used to create an online marketplace for stolen credit cards. This has allowed the “sellers” to specialize in areas such as acquisition, while the “buyers” focus their efforts in exploitation. In addition, terrorists worldwide are using social networks to organize, recruit, and learn; military analysts call this “open-source warfare.”

There is also another type of “innovation gap”: the gap between how quickly criminals can innovate to exploit vulnerabilities and the speed by which businesses can innovate to protect their systems. It is critical to recognize just how rapid the cybercriminals’ development and deployment cycle is. They don’t have to answer to shareholders, laws, or regulations. In fact, a major part of their role is to find ways around established systems, policies, and protective controls. There is no need to spend hours in the research and development phase making sure their results are proof-positive. If something works, they will run with it.

[16] “IC3 2009 Annual Report on Internet Crime Released,” media release, March 12, 2010, The Internet Crime Complaint Center (IC3), a partnership between the FBI and the National White Collar Crime Center (NW3C),
  19. 19. Malicious technology often can be deployed in hardware or software products as soon as it’s developed. (Consider how many times we have witnessed the compromise of a product on the day it is released.) For the software industry, specifically, closing the innovation gap means making sure security is factored into the development cycle, with every effort made to detect and eliminate vulnerabilities in products before they are released so they are as secure as possible when introduced to the market.

For enterprises, an important first step toward bridging the innovation gap is to harden their security through a renewed focus on security basics, says John Stewart, vice president and chief security officer of Cisco. “One reason why many hacking scenarios succeed is because a critical element of a network or an individual within a network is trivially compromised,” he explains. “Part of the ‘innovation gap’ is that organizations are just fighting the latest threats—focusing on whatever is the shiniest object in the security threat landscape—instead of staying on top of old and current problems that remain popular paths of attack for criminals.”

To reduce the innovation gap, Stewart recommends that enterprises:

• Move faster to implement new technology when needed instead of hanging on to outdated technology, hardware, and software, simply because it’s already in place.
• Measure the efficacy of security controls: not only the technology, but the combination of people, processes, and technology in the organization.

In addition, businesses should take the time to build a working relationship with law enforcement, such as nonprofit organization InfraGard in the United States, a private-public partnership with the U.S. FBI, and in the United Kingdom, the Police Central e-Crime Unit of the Metropolitan Police. Enterprises need a “go-to” team in the event of a cybersecurity incident, and they should know exactly what type of information to provide to law enforcement to help them track down and prosecute cybercriminals.

While many leading companies are taking a more proactive approach to security, others continue to view it as an afterthought. Too often, C-level executives are allowed to label security as “IT’s problem.”

But in the enterprise, security is everyone’s problem. If business organizations don’t embrace that mindset, the innovation gap can never be bridged. “Malicious actors only need to get it right once. But we have to be right all of the time,” says Stewart.

Criminals Now Protecting Their “Intellectual Property”

However cutting-edge and entrepreneurial you believe your business is in terms of technology and security, remember one thing: The criminals who prey on business online are trying to always be a few steps ahead of you. Witness the trend of creators of malicious software placing tough anti-piracy protections on their creations, in a bid to keep other criminals from stealing their intellectual property.

The latest version of the builder kit for the Zeus banking Trojan, which has long been a threat to financial institutions and delivers lucrative personal information back to a botnet command-and-control server, includes the type of copy protection one would normally find on a sophisticated piece of enterprise software. The creators of Zeus have added a hardware-based licensing system to the Trojan builder kit, which only allows the kit to be copied on a single computer. The creators of a competing malware kit, SpyEye, which appears to be trying to gain market share from Zeus, have also decided to protect their technology. “Not to be outdone [by Zeus], the SpyEye author now claims his malware builder also includes a hardware lock, using VMProtect, a Russian commercial software protection package,” reports the Krebs On Security blog.

It’s sobering news that criminals are quickly meeting and even exceeding the safeguards that legitimate enterprises build into their products—yet another sign that the sophistication and business acumen of online criminals knows no bounds. Also of concern is the fact that protected malware code and software can be harder to reverse-engineer, and therefore, more challenging for enterprises and their security vendors to develop ways to halt it.