Silverlight exploits up, Java down, Cisco reports

And Flash malware using JavaScript to cover its tracks, according to the Cisco 2015 Annual Security Report

Attempts to exploit Silverlight soared massively in late 2014 according to research from Cisco. However, the use of Silverlight in absolute terms is still low compared to the use of Java and Flash as an attack vector.

Java-based security exploits declined in 2014, partly due to a lack of new zero-day exploits, according to Cisco security researchers. The automatic patching of newer versions of the Java Runtime Environment and steps by browser vendors to block vulnerable versions of the JRE also helped, according to the Cisco 2015 Annual Security Report, which was released this morning.

"Java’s reign as the top attack vector has been on a steady downward trend for more than a year," the report states.

"The use of Flash to launch exploits has been somewhat erratic, with the biggest spike occurring in January 2014. PDF use has been constant, as many malicious actors appear to remain focused on launching highly targeted campaigns through email using PDF attachments.

"Silverlight attacks, while still very low in number compared to more established vectors, are on the rise—especially since August."

The report's assessment of the 2014 threat landscape also notes that Cisco researchers observed Flash-based malware that interacted with JavaScript.

"The exploit is shared between two different files—one Flash, one JavaScript. Sharing exploits over two different files and formats makes it more difficult for security devices to identify and block the exploit, and to analyze it with reverse engineering tools," the report states.

"This approach also helps adversaries to be more efficient and effective in their attacks. For example, if the first stage of an attack is entirely in JavaScript, then the second stage, the payload transmission, would not occur until after the JavaScript executes successfully. This way, only users who can run the malicious file receive the payload."

"From an attacker's perspective, some of the findings from previous reports are carried through in this one — notably that 100 per cent of the organisations whose data we have access to show indicators of a compromise," Anthony Stitt, Cisco's general manager, security, for Australia and New Zealand, told Computerworld Australia.

"What's different is the methods that attackers are using constantly evolve, which is to be expected."

Perception gap

A global survey of chief information security officers and security operations mangers, the results of which were included in the report, found a perception gap between the two functions when it came to assessing the maturity of security processes in their organisations.

"CISOs are notably more optimistic than their SecOps colleagues about the state of their security," the report states.

"For example, 62 percent of CISOs said they strongly agree that security processes in their organization are clear and well understood, compared to only 48 percent of SecOps managers. CISOs also view their security processes in a more favorable light. Fifty-nine percent of those surveyed strongly agree that these processes are optimized, and that they now focus on process improvement, compared to 46 percent of SecOps managers."

The report speculated that the difference reflected the fact that SecOps staff are more likely to have a more accurate understanding of the state of security in an organisation based on their hands-on role, while a CISO might be "more removed from day-to-day security activities".

"Certainly what we can see from the traffic that we have access to is that there are vulnerabilities in commonly used browsers and applications that there patches available for that haven't been patched, and that might explain some of the delta between the way SecOps feel about their level of security versus the way CISOs think about it," Stitt said.

"There's some correlations there between what we see from a qualitative standpoint in discussing it with organisations and what we see from a quantitative perspective in what we measure in the real world," he added.

In 2014 there were a number of headline-making vulnerabilities in widely used software products, including the 'Heartbleed' OpenSSL vulnerability, the 'Shellshock' vulnerability in the Bash shell, and the Drupal SQL injection flaw.

Despite a temptation to consider them 'black swan events', vulnerabilities like Heartbleed revealed that many organisations could still improve their basic security controls such as their patching regime, Stitt said.

"There are still quite a lot of unpatched OpenSSL servers on the Web," he said. Organisations are failing when it comes to "things as basic as Internet Explorer patching", he added.

"Clearly there's a call out there that organisations do need to remain vigilant when it comes to patching and having a maybe being a little bit less risk averse when it comes to patching."

"The vast majority of attacks that are going on at the moment are concentrating on a very small percentage of CVE [common vulnerabilities and exposure alerts] vulnerabilities and there are resources like the [US National Institute of Standards and Technology National Vulnerability Database] that prioritises those on the basis of the ones that are being used," Stitt added.

"So organisations can maybe be a little bit more efficient with their patching regime by concentrating on the ones that are being exploited."

"People are averse to taking an action that might break something versus the potential of being compromised by doing nothing," he added.

"There have been countless studies that have shown this, but there is a basic human failing when it comes to understanding probabilities and risks and how that relates to action versus inaction."

Something that CISOs and CSOs should take away from the report is putting greater emphasis on the remediation process following security breaches, he added.

"Cisco talks about the threat continuum before during and after attacks, and one of the things we see being borne out time and again is a lot of investment and a lot of time is spent on 'before' activities, which are how you effectively reduce your attack surface — so things like firewalls and VPNs and encryption," Stitt said.

"The 'during' is all about how do you detect things as they happen in real time and that's intrusion prevention and to some extent antivirus programs. And then the 'after' piece is how do you scope, contain and remediate issues as they occur.

"One of the trends that's persisted in the market for decades is the focus has largely been on before, less on during and not much on after. We've been advocating a rebalancing of that portfolio a little bit so that organisations invest a little bit more money in the after piece. And after for us is how do I — as a BAU activity — how do I detect when my has been compromised? How do I detect that in a reasonable time frame, understand what's happened — in other words, scope it — and how do I clean up from it quickly and efficiently?"

"When you're looking at statistics that say that 100 per cent of organisations are compromised and then you look at the very high profile attacks that we're seeing where criminals have been persistent in the environment for weeks or months it's clear that organisations could do a lot by having a capability in scope, containment, remediation as a BAU activity," he added.

Follow Rohan on Twitter: @rohan_p