Spam is making a surprising resurgence as a threat to corporate security and becoming a more significant carrier of attacks as varied as spear phishing, ransomware and bots, according to Cisco’s 2017 Annual Cybersecurity Report.
The company’s 10th such report says spam is way up. It accounts for 65% of all corporate email among customers who opted in to let the company gather data via telemetry in Cisco gear.
Whereas spam had been knocked down as a threat in 2010 and kept at relatively low levels through 2015, it made a surge in 2016. In 2010, Cisco recorded 5,000 spam messages being sent per second. That number stayed generally below 1,500 for the next five years, spiking to about 2,000 briefly in 2014. But in 2016 it leaped to more than 3,000.
That attack vector is increasing in scope and that is something CISOs should pay attention to, Cisco says. “I should start to double-check my security technologies that are supposed to be intercepting and monitoring for that particular attack vector,” says Franc Antes, an architect for Cisco’s security business group.
The problem is that 8% of that spam is malicious, but with the total volume roughly tripling over the course of 2016, that 8% represents a significant increase in total attempts. That’s something that might fly under the radar of CISOs unless they look for it or CIOs point it out, he says.
When end users fall for these attempts and click on a malicious link or attachment, “It almost always works on the workstation because the end user is executing the binary,” Antes says. Clicking on attachments or links can turn those endpoints into bots nearly instantaneously, he says, or could lead to ransomware infections.
Adware and other threats
Another growing problem is adware, whose primary purpose is to display ads on Web pages or in pop-ups for the benefit of advertisers. In the hands of malicious actors, though, it can carry malicious payloads that change settings in browsers and operating systems, undermine security products and even gain full control of the host. So rather than being an annoyance, adware is a threat. “Which means the focus is going to have to come onto adware from the corporate side to defend whereas historically it was more of a nuisance,” Antes says.
The report looked at adware in 130 organizations distributed across vertical industries for a year and found that 75% had adware infections.
On the upside, Adobe Flash is declining as an attack vector because of heightened awareness of its vulnerabilities and because even Adobe is urging sites to move to HTML5.
There’s been some progress in combating exploit kits, but that is more a game of whack-a-mole. Last year’s leading kits were Angler, Nuclear and Neutrino, which, for a variety of reasons, dramatically declined in use or disappeared entirely. But look for the growth of newer exploit kits such as Sundown, Sweet Orange, and Magnitude as they replace last year’s leaders, the report says.
Bad actors are seeking new attack vectors. With an increased use of SaaS and cloud services, servers are becoming targets via vulnerabilities in the applications they host or weaknesses in their operating systems. They are the No. 1 target for those criminals hunting down new vulnerabilities, with attacks showing a 34% increase in 2016. As a result, client and network attacks are down because it is easier and more profitable for attackers to hit the servers.
What security pros say
In addition to drawing on telemetry metrics, the report surveyed about 3,000 security pros in organizations ranging from small businesses to corporate enterprises.
The survey found that 44% of all security alerts are not being investigated, and 54% of legitimate alerts don’t get remediated. So the technology is catching security incidents, but security teams can’t keep up with responding to them. Teams are overloaded and may have trouble getting gear from multiple vendors to interoperate.
Respondents blamed insufficient budgets and lack of trained personnel as part of the problem. They also pointed to interoperability problems among security platforms and certification requirements that might dictate where spending is directed.
When it came to data breaches, those who answered the survey said their effect on operations included downtime, damage to the reputation of the company brand and loss of customers.
The upside of breaches is that 38% of respondents say such incidents, their own or others’, helped promote improved security. The resulting changes include separating the security team from the IT team and increasing security awareness training among end users. Respondents are also promoting risk mitigation strategies and planning for more effective responses to breaches.