More than half of all OpenSSL remains vulnerable to Heartbleed: Cisco

More than half of all OpenSSL remains vulnerable to Heartbleed: Cisco

Cisco annual security report reveals 56 per cent of OpenSSL versions older than 50 months

More than half of all OpenSSL versions still remain vulnerable to the Heartbleed bug, according to the Cisco 2015 annual the security report.

Heartbleed, the dangerous security flaw, critically exposes OpenSSL.

Yet 56 per cent of all OpenSSLversions are older than 50 months and are therefore still vulnerable

This is a strong indicator that security teams are not patching.

The report, which examines both threat intelligence and cybersecurity trends, reveals that organisations must adopt an ‘all hands on deck’ approach to defend against cyber attacks.

It found attackers had become more proficient at taking advantage of gaps in security to evade detection and conceal malicious activity.

It warned defenders, namely, security teams, to constantly improve their approach to protect their organisation from increasingly sophisticated cyber attack campaigns.

These issues are further complicated by the geopolitical motivations of the attackers and conflicting requirements imposed by local laws with respect to data sovereignty, data localisation and encryption, according to the report

It revealed a 280 per cent increase in Silverlight attacks along with a 250 per cent increase in spam and malvertising.

Snowshoe spam, which involves sending low volumes of spam from a large set of IP addresses to avoid detection, is also an emerging threat

However, Java exploits have decreased by 34 per cent, as Java security improves and adversaries move to embrace new attack vectors.

Users’ careless behavior when using the Internet, combined with targeted campaigns by adversaries, places many industry verticals at higher risk of web malware exposure.

In 2014, the pharmaceutical and chemical industry emerged as the number-one highest-risk vertical for web malware exposure.

This has led company executive to take not, with 91 per cent of respondents from companies with sophisticated security strongly agreeing that company executives considered security a high priority.

The report also found Widely used exploit kits were being quickly dismantled by security companies.

As a result, online criminals are using other less common kits to successfully carry out their tactics – a sustainable business model as it does not attract too much attention.

Flash and JavaScript have historically been insecure on their own, but with advances in security detection and defences, attackers have adapted by deploying exploits which combine their respective weaknesses.

Sharing exploits over two different files – Flash and JavaScript – can make it more difficult for security devices to identify and block the exploit and to analyse it with reverse engineering tools.

Cisco chief security and trust officer, John N. Stewart, said security needed an all hands on deck approach, where everybody contributes, from the board room to individual users.

"We used to worry about DoS, now we also worry about data destruction," he said.

"We once worried about IP theft, now we worry about critical services failure.

"Our adversaries are increasingly proficient, exploit our weaknesses and hide their attacks in plain sight.

He said security must provide protection across the full attack continuum and technology must be bought, designed and built with that in mind.

Read more: McAfee releases its Heartbleed checker

"Online services must be run with resiliency in mind, and all of these moves must happen now to tip the scales and protect our future," he said.

"It requires leadership, cooperation, and accountability like never seen before in our industry.”

Cisco principal engineer, Jason Brvenik, said attackers had become more proficient at taking advantage of security gaps.

"We observed that 56 per cent of all OpenSSL versions still remain vulnerable to Heartbleed and that major attacks are only leveraging one per cent of high-urgency vulnerabilities at any given time," he said.

"Despite this, we see less than half of the security teams surveyed using standard tools like patching and configuration management to help prevent security breaches.

"Even with leading security technology, excellence in process is required to protect organisations and users from increasingly sophisticated attacks and campaigns.”

Follow Us

Join the ARN newsletter!

Error: Please check your email address.

Tags silverlightOpenSSLJohn N. StewartJason BrvenikCisco chief security and trust officerCisco 2015 annual the security reportmalvertisingCisco principal engineer is a channel management ecosystem that automates all major aspects of the entire sales, marketing and service process, including data tracking, integrated learning, knowledge management and product lifecycle management.

Show Comments