Cisco 2014 Midyear Security Report


Executive Summary

Any cyberattack, large or small, is born from a weak link in the security chain. Weak links can take many forms: outdated software, poorly written code, an abandoned website, developer errors, a user who blindly trusts. Adversaries are committed to finding these weak links, one and all, and using them to their full advantage.

Unfortunately, for the organizations and users targeted, malicious actors do not have to look long or hard for those weaknesses. In the rapidly emerging Internet of Everything, which ultimately builds on the foundation of the connectivity within the Internet of Things, their work will be made even easier, as anything connected to a network, from automobiles to home automation systems, presents an attack surface to exploit.

The effects of cyberattacks are sobering, in terms of both costs and losses in productivity and reputation. According to the Ponemon Institute, the average cost of an organizational data breach was US$5.4 million in 2014, up from US$4.5 million in 2013. In addition, the Center for Strategic and International Studies’ Estimating the Cost of Cyber Crime and Cyber Espionage report estimates that US$100 billion is lost annually to the U.S. economy, and as many as 508,000 U.S. jobs are lost, because of malicious online activity.[1]

Threat Intelligence

The Cisco 2014 Midyear Security Report examines threat intelligence and cybersecurity trends for the first half of 2014. Cisco’s research helps to underscore just how many different types of weak links exist in the systems we use, including the Internet itself, and what can be done to reduce their number and effects. Key findings include:

- As part of Cisco’s ongoing “Inside Out” project examining Domain Name System (DNS) queries—or the process of looking up the Internet Protocol (IP) address associated with a domain name—originating from inside the corporate networks of select Cisco customers, researchers observing the networks of 16 large multinational organizations found that:
  - Nearly 70 percent of select customer networks observed by Cisco researchers have been identified as issuing DNS queries for Dynamic DNS (DDNS).
  - More than 90 percent of select customer networks have been identified as issuing DNS requests for hostnames associated with the distribution of malware.
  - More than 40 percent of select customer networks have been identified as issuing DNS requests for sites and domains associated with devices that provide services such as IP Security (IPsec) VPN, Secure Sockets Layer (SSL) VPN, Secure Shell (SSH) Protocol, Simple File Transfer Protocol (SFTP), FTP, and FTP Secure (FTPS).
- Of the 2528 vulnerability alerts published from January to June 2014, 28 were identified as being actively exploited. These are the high-priority or urgency vulnerabilities that need to be patched using an accelerated response.
- After an overall decline in 2013, global spam volume has been on the rise since last October, but not all countries are seeing an increase.

Industry Trends

- For the first half of 2014, the pharmaceutical and chemical industry, a high-profit vertical, once again places in the top three high-risk verticals for web malware encounters.
- The media and publishing industry has experienced a significantly higher than normal rate of web malware encounters than previously observed.
- 2014 appears to be an active year for Network Time Protocol (NTP) distributed denial of service (DDoS) attacks. One of the most significant NTP amplification attacks observed in the first six months of 2014 targeted a customer of global DNS provider CloudFlare. At its peak, the February attack reached nearly 400 Gbps of User Datagram Protocol (UDP) traffic.
- The number of exploit kits has dropped by 87 percent since the coder Paunch, the alleged creator of the widely popular Blackhole exploit kit, was arrested last year, according to Cisco security researchers.
- Several exploit kits observed in the first half of 2014 were trying to move in on territory once dominated by the Blackhole exploit kit, but a clear leader has yet to emerge.
- Point-of-sale (POS) exploits are gaining favor with criminals in 2014 for several reasons:
  - The increasing likelihood that POS systems are connected to the Internet, providing criminals with a point of entry to corporate networks.
  - Lack of understanding that payment card information should be considered critical data, which means it is less protected.
  - Organizations’ growing use of third-party vendors for all or part of their POS solutions, providing more access points for criminals.

A Look Forward

- Security risks the Internet of Things is likely to create and why organizations should take a proactive approach to address them.
- The value of using predictive analytics and machine learning to help identify hard-to-detect threats on the network.
- A trend among organizations toward viewing cybersecurity as both a strategic risk and a business process.
- The need for visibility-driven, threat-focused, and platform-based security solutions that cover the entire attack continuum before, during, and after an attack and help to close security gaps and reduce complexity caused by disparate products.

Table of Contents

Introduction  7
  The Internet of Things: New Opportunities, New Risks  7
Threat Intelligence  9
  A Paradigm Shift in Compromise: Looking Inside Out  10
  Geopolitical Trends to Watch  14
  Web Exploits: Java Exploits Continue to Dominate  15
  Vulnerabilities Update: Focusing on the Most Common Exploits  17
  Heartbleed: Not the Only Cause for Worry  20
  Industry Vertical Risk Report: Unusual Upticks for Some Sectors  21
  Malware Encounters by Region  23
  Top 5 Risk Verticals by Region  25
  Spam Update: “Life Event” Spam Becomes More Prevalent  26
  Spammers Become More Agile, Change Approaches to Improve Success  26
  Global Spam Volume Up by Twice the Normal Rate, But Some Countries See Sharp Decline  27
Industry Trends  28
  Compromised Secure Encrypted Connections  29
  Amplification Attacks: Adversaries Clocking in with NTP  31
  Exploit Kits: The Field Opens Up to Competition  33
  Malvertising: A Disruptor for the Internet Economy  35
  Really Bad Ads: Malvertising’s Role in Ransomware  36
  WordPress Vulnerabilities: Who Is Minding the Store?  37
  POS Attacks: Popular Threat Vector for Criminals Seeking Payment Card Data  38
  More Critical Monitoring of Payment Card Data  39
  Social Engineering: Finding the Weak Links in Person  40
A Look Forward  42
  Intelligent Cybersecurity for the Real World  43
  Operationalizing Security: Making Security a Business Process  45
  Understanding Cyber Risk in Business Terms  47
  Predictive Analytics: A Detective That Enables Better Security  49
About Cisco  50
Endnotes  51

Introduction

The Internet of Things: New Opportunities, New Risks

The Internet of Things “is the network of physical objects accessed through the Internet, as defined by technology analysts and visionaries. These objects contain embedded technology to interact with internal states or the external environment. In other words, when objects can sense and communicate, it changes how and where decisions are made, and who makes them.”[2]

The Internet of Things is expected to grow to approximately 50 billion things by 2020, according to Cisco.[3] It is already changing the security landscape, exponentially expanding the attack surface. The Internet of Things magnifies the importance of continuous and pervasive detection and protection as people, processes, and data all become increasingly connected.

In this rapidly evolving world of pervasive computing and extreme interconnectedness, anything connected to a network presents an attack surface for adversaries to exploit. Much of what attackers could do is still hypothetical, but they are already making plans, testing ideas, and finding some success.

Cars, medical devices, and even baby monitors have all been recent targets for Internet of Things “research and development” by hackers.[4–6]

The ultimate goal of the Internet of Things is to increase operational efficiency, power new business models, and improve quality of life. By connecting everyday objects and networking them together, we benefit from their ability to combine simple data to produce usable intelligence. But that also means there is greater potential that more personal information and business data will exist in the cloud and be passed back and forth. With that come significant implications for applying proper security to protect data and for establishing privacy policies to address how data is used.

Privacy is a significant concern in the Internet of Things. Even when users take precautions to secure their information and refrain from being too trusting, they are still at risk because of weak links in the security chain that are beyond their control (see Compromised Secure Encrypted Connections, page 29). When adversaries reach a point where they can begin correlating information from different sources—a car, a smartphone, a home automation system—they will be able to gain a much bigger picture about a user than if they were looking at information from only one device, system, or application. These details about users, from their shopping habits to their physical location, will allow actors to launch well-crafted, highly targeted campaigns at a level of sophistication never before seen.

To some, it might seem far-fetched to think something as mundane as a wearable device for tracking fitness or a digital video recorder (DVR) could pose a significant security risk or would be of any interest to a hacker. But as cars and other nontraditional computing devices start to resemble standard computing platforms more and more, they could be vulnerable to the same threats[7] that target traditional computing devices.

There will always be one more new thing being added to the Internet ecosystem. At the same time, the population of abandoned and unmanaged Internet-connected devices will grow as well. Like the countless long-forgotten or neglected websites on the Internet today (see WordPress Vulnerabilities: Who Is Minding the Store?, page 37), these devices, from kitchen appliances to surveillance cameras to personal printers, will be weak links in the security chain, providing enterprising hackers with almost limitless doorways that can be unlocked and potentially lead to the data center.

Cybercriminals’ capabilities and motivations are understood; their growing focus on the Internet of Things is a natural progression. Unlike the global community’s first foray into an Internet-connected world, we all have the benefit of foresight: We know from experience that the Internet of Things environment presents risk and that organizations and users will be targeted. A greater risk, now, is underestimating the industriousness of adversaries and just how quickly the Internet of Things—and Internet of Everything—are beginning to take shape.

Leading vendors are aware of security issues in Internet of Things devices and have the background and experience to make sure security is architected into their products. Emerging companies can use lessons learned by the cybersecurity industry over the past 20 years and try to avoid making similar mistakes as they innovate. Many of the same best practices that apply to general purpose computers do and will apply to Internet of Things devices: installing the latest software, for example. But in the Internet of Everything world to which the Internet of Things is leading us, security will be managed largely by systems, not users, so industry will also need to take that into consideration when designing secure technology for this emerging environment. This includes ensuring transparency for users so they can be assured that Internet of Things devices are maintaining their security automatically or will know when manual action might be required.

Threat Intelligence

Cisco security researchers have assembled and analyzed security insights for the first half of 2014 based on the largest set of telemetry data available. Cisco security experts perform ongoing research and analysis of discovered threats, such as malware traffic, which can provide insights on possible future criminal behavior and aid in the detection of threats.

A Paradigm Shift in Compromise: Looking Inside Out

Threat intelligence presented in the Cisco 2014 Annual Security Report included a key finding from a recent “Inside Out” project in which Cisco security researchers reviewed DNS lookups originating from inside corporate networks.[8]

Cisco security researchers found that malicious traffic was visible on 100 percent of the networks sampled.[9]

Based on the activity they observed, Cisco researchers also determined that this particular group of corporate networks reviewed likely had been penetrated for some time and that the core infiltration had not been detected.

Cisco presents some additional findings in this report from the ongoing Inside Out project. The information is based on Cisco threat researchers’ review of data analytics collected from select customer networks since the beginning of 2014. The researchers closely examined 16 large multinational organizations that collectively controlled more than US$4 trillion in assets with revenues in excess of US$300 billion in 2013. This analysis yielded three compelling security insights tying those enterprises to malicious traffic.

Requests for DDNS

Threat Description

DDNS is a system normally used for legitimate purposes, namely, home users who need the ability to map a static fully qualified domain name (FQDN)—for example, homeserver.isp.com—to a number or pool of IP addresses dynamically assigned by their Internet service provider (ISP). Unfortunately, DDNS, like many technologies and features developed for legitimate use, has become popular with adversaries because it allows botnets and other attack infrastructure to be resilient against detection and subsequent destruction. Unusually large volumes of requests for domains using DDNS service providers, such as name-services.com, might indicate potential compromise on an organization’s network. Although many, and sometimes all, of an organization’s queries for DDNS providers are legitimate, these requests always should be vetted to make sure that they are, in fact, legitimate.

Findings

Nearly 70 percent (66.67 percent) of customer network sample queries observed in 2014 as part of this “Inside Out” project have been identified as issuing DNS queries for DDNS. (Note: Cisco security researchers expect to see this percentage increase over time as the sample size of customer networks analyzed increases. Cisco has only started tracking this new category as a potential indicator of compromise [IOC]; an IOC is an event or artifact observed on a system, often subtle, that, when correlated with other IOCs for a system, points to a likely compromise.) As indicated earlier, this does not by any means translate to each of these customers being compromised by malware that is using DDNS providers; however, Cisco has advised that these customers look more closely at these DDNS requests to make sure they are being performed for business-legitimate reasons.

Requests for Sites Associated with Malware That Incorporates MiTB Functionality

Threat Description

Palevo, SpyEye, and Zeus are malware families that incorporate man-in-the-browser (MiTB) functionality. DNS lookups for hosts compromised by Palevo, Zeus, and SpyEye are considered a very high threat. These botnets spread through instant messaging, peer-to-peer (P2P) networks, and removable drives. They are used to perform distributed denial of service (DDoS) attacks and steal information entered into fields created in real time and added to an existing form. Palevo, Zeus, and SpyEye are highlighted because they represent a specific class of malware that targets financial and other information entered into online forms in browsers using the Windows operating system.

Findings

More than 90 percent (93.75 percent) of customer networks observed in 2014 have been identified as having traffic going to websites that host malware. Specifically, the networks have been identified as issuing DNS requests for hostnames where the IP address to which the hostname resolves is reported to be associated with the distribution of, or is infected by, Palevo, Zeus, or SpyEye malware.

DNS Requests for FQDNs, Sites, and Hosts Associated with Administrative Protocols

Threat Description

Malicious entities might use secure, encrypted communication channels or data transfer protocols to cover their tracks when stealing information; some examples are IP Security (IPsec) VPN, Secure Sockets Layer (SSL) VPN, Secure Shell (SSH) Protocol, Simple File Transfer Protocol (SFTP), FTP, and FTP Secure (FTPS). Organizations should regularly monitor and validate these communications. These types of sites can be used to exfiltrate data using encrypted channels to avoid detection.

Findings

More than 40 percent (43.75 percent) of customer networks observed in 2014 have been identified as issuing DNS requests for sites and domains associated with devices that provide services such as IPsec VPN, SSL VPN, SSH, SFTP, FTP, and FTPS.

Cisco researchers used DNS lookups emanating from enterprise networks to create a snapshot of possible data compromises and vulnerabilities. Cisco security experts analyzed the information based on blocklists and observed trends in cyber compromises, unique vulnerabilities facing specific verticals, and geopolitical factors that might affect actors and targeted information. Cisco customers that take part in the Inside Out project receive an External Cyber Threat Report prepared and delivered by Cisco.
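As an added example (not code from the report or from Cisco), the three Inside Out categories above applied to constructed DNS query records, producing the same kind of "percent of customer networks" summary the findings use. The log format, the DDNS provider suffixes beyond name-services.com, the resolved-IP blocklist and the administrative-service domains are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed reference lists, not Cisco's. name-services.com is the DDNS
# provider the report names; every other domain and address is made up.
DDNS_PROVIDER_SUFFIXES = ("name-services.com", "dyn.example", "ddns.example")
# Resolved IPs "reported" to distribute or be infected by MiTB malware.
MITB_BLOCKLISTED_IPS = {"203.0.113.7": "Zeus", "198.51.100.22": "SpyEye"}
# Domains of devices offering VPN, SSH, SFTP, FTP or FTPS services.
ADMIN_SERVICE_SUFFIXES = ("sslvpn.example", "sftp-host.example", "ftp.example")

# Constructed resolver log: "<network> <client-ip> <queried name> <resolved-ip>".
SAMPLE_LOG = """\
net01 10.0.1.5 www.example.com 93.184.216.34
net01 10.0.1.9 homeserver.name-services.com 192.0.2.10
net02 10.0.2.4 cdn.example.net 93.184.216.35
net02 10.0.2.8 update.bad-host.example 203.0.113.7
net03 10.0.3.1 gw.sslvpn.example 192.0.2.44
net03 10.0.3.2 mail.example.org 192.0.2.50
net04 10.0.4.3 office.dyn.example. 192.0.2.60
net04 10.0.4.3 loader.evil.example 198.51.100.22
net05 10.0.5.7 intranet.example.com 192.0.2.70
malformed entry
net05 10.0.5.8 docs.example.com 192.0.2.71
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Parse the constructed log into records; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        network, client, qname, resolved_ip = m.groups()
        records.append({
            "network": network,
            "client": client,
            # Normalise case and a trailing root dot so suffix matching is exact.
            "qname": qname.lower().rstrip("."),
            "resolved_ip": resolved_ip,
        })
    return records


def _matches_suffix(qname, suffixes):
    """True if qname is one of the suffixes or a subdomain of one."""
    return any(qname == s or qname.endswith("." + s) for s in suffixes)


def classify(record):
    """Return the set of Inside Out categories a single query matches."""
    categories = set()
    if _matches_suffix(record["qname"], DDNS_PROVIDER_SUFFIXES):
        categories.add("ddns")
    # The report keys the malware category on the resolved address, not the name.
    if record["resolved_ip"] in MITB_BLOCKLISTED_IPS:
        categories.add("mitb_malware")
    if _matches_suffix(record["qname"], ADMIN_SERVICE_SUFFIXES):
        categories.add("admin_protocol")
    return categories


def summarize(records):
    """Per-network category sets plus the share of networks hitting each category.

    A hit means "vet these queries", not "this network is compromised": DDNS and
    administrative-service lookups are often legitimate."""
    per_network = defaultdict(set)
    for record in records:
        per_network[record["network"]] |= classify(record)
    total = len(per_network)
    shares = {}
    for category in ("ddns", "mitb_malware", "admin_protocol"):
        hits = sum(1 for cats in per_network.values() if category in cats)
        shares[category] = round(100.0 * hits / total, 2) if total else 0.0
    return dict(per_network), shares


if __name__ == "__main__":
    networks, shares = summarize(parse_log(SAMPLE_LOG))
    for name, cats in sorted(networks.items()):
        print(name, sorted(cats) or "no indicators")
    print(shares)
```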

Geopolitical Trends to Watch

Geopolitical events in Eastern Europe and the Middle East are creating new trends in the cyber realm that are expanding the risk landscape for businesses, governments, and other organizations and individual users around the globe, according to Cisco cybersecurity experts:

- Political instability in Ukraine ushered in a series of DDoS attacks and website defacements apparently calculated to complement actions on the ground. The disruptions in Crimea and Kiev led to the discovery of sophisticated espionage malware on Ukrainian networks (dubbed Ouroboros, or Snake), which had gone undiscovered for months or years.
- In the Middle East, the overrunning of entire sections of northern and western Iraq by the Islamic State of Iraq and the Levant (ISIL, or ISIS) is being accompanied by a social media campaign for sabotage and psychological warfare.

Looking forward, long-standing ethnic and religious divisions are deepening in a part of the world that is already leading the way in the use of cyber tactics by both state and nonstate actors. In the second half of 2014, contentious presidential elections in Turkey and midterm elections in the United States, and the drawdown of Western military operations in Afghanistan are likely to create new ripple effects across the global cyber landscape.

Web Exploits: Java Exploits Continue to Dominate

Java programming language exploits remain the leader among IOCs monitored by the Cisco FireAMP advanced malware detection platform. These exploits have extended their seemingly uncatchable lead in the first half of 2014.

[Figure 1: 2014 Midyear Application Compromise Share. Source: Cisco FireAMP.[10]]

Java exploits represented 91 percent of IOCs in November 2013, according to the Cisco 2014 Annual Security Report; that figure rose slightly to 93 percent as of May 2014. Java’s extensive attack surface and high return on investment are what make it a favorite for adversaries to exploit. (For more insight on the Java problem and tips for mitigating it, see the Cisco 2014 Annual Security Report.[11])

[Figure 2: Java Web Malware Encounters (January–May 2014). Source: Cisco Cloud Web Security. Monthly percentages of all web malware encounters.]

Java web malware encounters peaked in March 2014, at nearly 10 percent of all web malware encountered.

[Figure 3: Java, PDF, and Flash Encounters (January–May 2014). Source: Cisco Cloud Web Security. Caption: Java, Flash, and Adobe PDF are all popular vectors for criminal…]

[Figure 4: Java Encounters by Version (January–May 2014). Source: Cisco Cloud Web Security. Series: Java 1.6, Java 1.7, Java 1.8, Other.]

Adversaries continue to excel at exploiting older versions of Java, particularly Java 6 and 7. There was a surge in web malware encounters with Java 8 in March, the month the new version was released. However, encounters for Java 8 dropped off significantly by April and remained very low through May. With increases in exploit kits that rely first and foremost on non-Java vectors, such as Microsoft Silverlight, we might be seeing a shift away from Java 8 (which has stronger security controls) to other software that is more conducive to attacks.

Vulnerabilities Update: Focusing on the Most Common Exploits

[Figure 5: Alert Metrics (January–June 2014). Source: Cisco IntelliShield. Counts of new (2528), updated, and total alerts, of which 28 were being exploited.]

Adversaries cluster around common vulnerabilities or “weak links” that they prove easy to exploit through their “research and development” efforts; successful exploits are then incorporated into exploit kits sold in the underground economy. Vulnerabilities in the Java and Silverlight platforms are examples of those that can be found in a number of popular exploit kits. (See Web Exploits: Java Exploits Continue to Dominate on page 15 and Exploit Kits: The Field Opens Up to Competition on page 33.)

From January 1, 2014, to June 30, 2014, Cisco published thousands of multivendor alerts about known security vulnerabilities. Although that number might sound intimidating, the extremely critical vulnerabilities number about 1 percent of that total. Of the 2528 new vulnerability alerts published during that time period, only 28 were being actively exploited soon after published reports, according to Cisco’s research.

As vulnerability reports are published, security practitioners and the media tend to focus on zero-day vulnerabilities because there is a seemingly urgent need to react to such high-profile news. However, organizations should prioritize their investments of time and money into patching the small number of vulnerabilities that criminals are most actively exploiting. Other vulnerabilities can be managed by more routine processes.

[Figure 6: Top Products Being Exploited. Source: Cisco IntelliShield.]

  Application       31%
  Infrastructure    18%
  CMS               13%
  End User           9%
  ICS-SCADA          6%
  Malware            6%
  Web Server         6%
  Network            6%
  TLS                4%

It is good practice for organizations to have a “high-urgency patching process” that would run in tandem with their standard patching processes. By addressing targeted priority vulnerabilities quickly, other, less-urgent vulnerabilities can be integrated into the regularly scheduled maintenance and patching process. The result is more accurate risk management: better than trying to install all patches or not installing them until regularly scheduled maintenance periods. Strong security intelligence to identify high-urgency vulnerabilities is necessary to maintain a high-urgency patching process effectively.

Figure 6 shows the top products that attackers were exploiting in the first quarter of 2014. Figure 7 illustrates some of the most commonly exploited vulnerabilities, according to the Common Vulnerability Scoring System (CVSS). The “Urgency” score in the CVSS chart is useful because it indicates that these vulnerabilities are being actively exploited, which corresponds to the “Temporal” scores indicating active exploits. In addition, by scanning the list of products being exploited, enterprises can determine which of these products are in use and therefore need to be monitored and patched.

It is important to understand that the vulnerabilities in Figure 7 were those showing initial signs of exploit activity during the period observed. The majority of these vulnerabilities had not yet gone “mainstream,” meaning they had not made their way into exploit kits for sale.

[Figure 7: Most Commonly Exploited Vulnerabilities. Source: Cisco IntelliShield. The figure places each vulnerability on a scale running from Initial Exploit Activity through Ramping Activity to Loaded Exploit Kits.]

  Vulnerability        CVSS Base   CVSS Temporal
  Struts               4.3         3.6
  Word .rtf            9.3         7.7
  Internet Explorer    9.3         7.7
  Java SE              9.3         7.7
  Adobe Flash          9.3         6.9
  WordPress            6.8         5.6

Heartbleed: Not the Only Cause for Worry

Some organizations were not exposed to the “Heartbleed bug”—a security vulnerability in the OpenSSL cryptography library—because they were using an older version of OpenSSL that did not include that vulnerability.[12] The vulnerability involves the implementation of the Transport Layer Security (TLS) heartbeat extension (RFC6520) and could allow secret key or private information leakage in TLS encrypted communications.[13]

However, it is important for these organizations to note that from January to April 2014, there were 16 TLS and certificate validation vulnerabilities not related to Heartbleed.

These vulnerabilities might put them at risk. Cisco security experts also recommend that all users consider that they have likely been exposed to risks as a result of Heartbleed and should therefore take appropriate action, such as changing passwords or closing web accounts.[14]

Since Heartbleed was discovered, the OpenSSL project (OpenSSL.org) has reported several other discovered defects in OpenSSL software, some of which “can allow an attacker to create a denial of service condition, or in certain situations, remote code execution.”[15] Some of these defects are long-overlooked weaknesses: for example, the CCS injection vulnerability, discovered by a security researcher in Japan, is a 16-year-old security flaw in OpenSSL software that allows an adversary to intercept and decrypt encrypted data traveling across the Internet.[16]
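An added example, not code from the report or from OpenSSL: a toy model of the RFC 6520 heartbeat message (type, 16-bit payload_length, payload, at least 16 bytes of padding) showing the bounds check the Heartbleed fix introduced beside the unchecked behaviour. The message builder, the simulated receive buffer and the stale bytes placed after the record are constructed for the example.

```python
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
HEADER_LEN = 3       # 1 byte type + 2 bytes payload_length
MIN_PADDING = 16     # RFC 6520: padding must be at least 16 bytes

# Constructed stale data left in the process after the record, standing in for
# whatever a real heap held next to the receive buffer.
STALE_DATA = b"STALE-SESSION-DATA-LEFT-IN-MEMORY"


def build_heartbeat(payload, declared_length=None, padding=b"\x00" * MIN_PADDING):
    """Build a HeartbeatRequest. declared_length lets a test construct a message
    whose payload_length field overstates the bytes actually sent."""
    if declared_length is None:
        declared_length = len(payload)
    return struct.pack("!BH", HEARTBEAT_REQUEST, declared_length) + payload + padding


def make_receive_buffer(record):
    """Simulate a receive buffer: the record followed by unrelated stale bytes."""
    return record + STALE_DATA


def parse_heartbeat(record):
    """Return (type, payload) or None if the message must be silently discarded.

    The third check is the one the Heartbleed fix adds: header, declared
    payload and minimum padding must all fit inside the record that was
    actually received, otherwise payload_length reaches past real data."""
    if len(record) < HEADER_LEN + MIN_PADDING:
        return None
    hb_type, payload_length = struct.unpack("!BH", record[:HEADER_LEN])
    if hb_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return None
    if HEADER_LEN + payload_length + MIN_PADDING > len(record):
        return None
    return hb_type, record[HEADER_LEN:HEADER_LEN + payload_length]


def vulnerable_response(buffer, record_len):
    """Pre-fix behaviour: trusts payload_length and ignores record_len, so the
    echoed payload is copied from beyond the received record. (Python slicing
    stops at the end of the buffer; the C code kept reading adjacent memory.)"""
    _hb_type, payload_length = struct.unpack("!BH", buffer[:HEADER_LEN])
    echoed = buffer[HEADER_LEN:HEADER_LEN + payload_length]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_length) + echoed


def fixed_response(buffer, record_len):
    """Post-fix behaviour: only the received record is parsed, and an
    inconsistent payload_length drops the message instead of answering it."""
    parsed = parse_heartbeat(buffer[:record_len])
    if parsed is None or parsed[0] != HEARTBEAT_REQUEST:
        return None
    payload = parsed[1]
    return (struct.pack("!BH", HEARTBEAT_RESPONSE, len(payload))
            + payload + b"\x00" * MIN_PADDING)


if __name__ == "__main__":
    good = build_heartbeat(b"ping")
    bad = build_heartbeat(b"ping", declared_length=64)  # claims 64, sends 4
    print("honest request, fixed:", fixed_response(make_receive_buffer(good), len(good)))
    print("oversized request, fixed:", fixed_response(make_receive_buffer(bad), len(bad)))
    print("oversized request, unchecked:", vulnerable_response(make_receive_buffer(bad), len(bad)))
```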

Industry Vertical Risk Report: Unusual Upticks for Some Sectors

For the first half of 2014, the pharmaceutical and chemical industry, a high-profit vertical, once again places in the top three high-risk verticals for web malware encounters; it topped the list of verticals in 2013.[17] The aviation industry also appears again in the top five, this time assuming third place on the list.[18] This is not surprising given the value of the intellectual property that companies in the aviation industry hold.

Meanwhile, the media and publishing industry, which currently ranks first, is experiencing significantly higher than normal rates of web malware encounters than previously observed by Cisco security researchers, who have been compiling this data since 2008.

Adversaries launching exploits and other scams around high-profile events, such as the 2014 Winter Olympic Games and the Academy Awards, and big news stories, such as the Malaysia Airlines Flight 370 mystery and the South Korean ferry disaster, are likely reasons for the increase in encounters for the media and publishing industry. Their scams are designed to prey on the human “weak link”: that is, users induced to click through to sites that host malware because they are tempted by attention-getting headlines.

Media and publishing sites, large and small, can attract a wide range of traffic from individual consumers and organizations across the globe. They also rely largely on advertising for revenue. For that reason in particular, it is likely that growth in malvertising is partly responsible for the surge in web malware encounters for the media and publishing industry in the first half of 2014. (See Malvertising: A Disruptor for the Internet Economy, page 35.)

[Figure 8: Vertical Risk of Web Malware Encounters, 1H14. Source: Cisco Cloud Web Security. Horizontal scale from Low Risk (0%) to High Risk (400%). Verticals, from highest to lowest relative risk: Media and Publishing; Pharmaceutical and Chemical; Aviation; Transportation and Shipping; Manufacturing; Insurance; Agriculture and Mining; Professional Services; Electronics; Food and Beverage; Retail and Wholesale; Utilities; IT and Telecommunications; Legal; Engineering and Construction; Real Estate and Land Mgmt; Energy, Oil, and Gas; Industrial; Healthcare; Accounting; Heating, Plumbing, and A/C; Entertainment; Charities and NGO; Automotive; Government; Banking and Finance; Travel and Leisure; Clubs and Organizations; Education.]

To determine sector-specific malware encounter rates, Cisco security researchers compare the median encounter rate for all organizations that proxy through Cisco Cloud Web Security to the median encounter rate for all companies in a specific sector that proxy through the service.
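As an added example (not the report's own code or data), the comparison of medians described above carried out on constructed per-organization encounter rates, so that 100 percent means a sector's median matches the median across all organizations, as on the Figure 8 scale. The sector names are taken from Figure 8; every rate value is invented.

```python
from collections import defaultdict
from statistics import median

# Constructed per-organization web malware encounter rates (arbitrary units,
# e.g. encounters per thousand web requests). Sector names come from Figure 8;
# the numbers are made up for the example.
SAMPLE_ORGS = [
    ("Media and Publishing", 4.1),
    ("Media and Publishing", 6.0),
    ("Media and Publishing", 5.2),
    ("Pharmaceutical and Chemical", 3.0),
    ("Pharmaceutical and Chemical", 2.6),
    ("Education", 0.9),
    ("Education", 1.1),
    ("Education", 0.7),
    ("Retail and Wholesale", 2.0),
    ("Retail and Wholesale", 1.8),
]


def vertical_risk(orgs):
    """Return {sector: relative risk in percent}.

    The baseline is the median encounter rate over every organization; each
    sector's score is its own median divided by that baseline, times 100, so a
    sector scoring 200 has twice the median encounter rate of the population.
    Medians are used so a single outlier organization cannot drag its sector."""
    if not orgs:
        return {}
    baseline = median(rate for _sector, rate in orgs)
    by_sector = defaultdict(list)
    for sector, rate in orgs:
        by_sector[sector].append(rate)
    return {sector: round(100.0 * median(rates) / baseline, 1)
            for sector, rates in by_sector.items()}


def rank_verticals(risk):
    """Order sectors highest risk first, the way Figure 8 lists them."""
    return sorted(risk, key=risk.get, reverse=True)


if __name__ == "__main__":
    risk = vertical_risk(SAMPLE_ORGS)
    for sector in rank_verticals(risk):
        print(f"{sector:30s} {risk[sector]:6.1f}%")
```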
