Facts and figures behind the current threat landscape

Cisco has used its massive internet footprint of globally installed security devices and sensors to provide the raw data behind its 2013 'Cisco Annual Security Report'. Many of the findings are not unexpected, but the report adds considerable detail – and still unearths a few surprises.

The fall in spam volumes continues, with campaigns moving toward more targeted, shorter runs “based on world events and particular subsets of users.” Adding detail to this trend, Cisco notes that India remains the main source of spam, with the US moving from sixth to second; spam drops by 25% over the weekends (probably because the targets tend not to check their email so frequently); and 79% of spam is in English. Cisco also notes that spammers have moved away from malicious attachments toward malicious links, with only 3% of spam carrying an attachment.

“In modern email,” notes the report, “links are king. Spammers design their campaigns to convince users to visit websites where they can purchase products or services (often dubious). Once there, users’ personal information is collected, often without their knowledge, or they are compromised in some other way.”

As expected, mobile malware shows a huge increase, growing by 2,577% during 2012 – and as expected, Android is the most targeted (95%). But Cisco points out that this still represents only 0.5% of all malware encounters – so the malware aspect of the mobile threat should not be over-hyped. “While some experts are claiming Android is the ‘biggest threat’ or should be a primary focus for enterprise security teams in 2013 – the actual data shows otherwise... organizations should be more concerned with threats such as accidental data loss, ensuring employees do not ‘root’ or ‘jailbreak’ their devices, and only install applications from official and trusted distribution channels.”

Attitudes toward privacy are both interesting and anomalous. Gen Y users – the first generation to have grown up with computers, and probably the driving force behind BYOD – are happy to trade their privacy for online socializing; but they are less happy to give up privacy to their employers. This may be because people have two separate identities – online and offline – and like to keep them separate (only 8% believe that the two identities are the same). Employers are too associated with users’ offline identity to be granted access to their online identity. Furthermore, “91 percent of young consumers surveyed say that the age of privacy is over and believe they can’t control the privacy of their information, with one third of respondents reporting they are not worried about the data that is stored and captured about them.” 

This contradiction, a lack of trust combined with a ‘do it anyway’ attitude, can have serious consequences if translated to the wider context of security. This is aggravated by Gen Y’s awareness of company policy: 90% of IT professionals say they have a BYOD policy, but only 40% of Gen Y is aware of that policy – and 80% of those ignore the policy.

One counter-intuitive revelation is that overall, criminal sites are less malware-ridden than legitimate sites. “Web malware encounters occur everywhere people visit on the Internet – including the most legitimate of websites that they visit frequently, even for business purposes,” says Mary Landesman, senior security researcher with Cisco. “Indeed, business and industry sites are one of the top three categories visited when a malware encounter occurred.” The two primary causes are compromised legitimate sites delivering drive-by or water hole attacks, and malvertising.

“It is worth repeating,” says the report, “that web malware encounters most frequently occur via normal browsing of legitimate websites that may have been compromised or are unwittingly serving malicious advertising. Malicious advertising can impact any website, regardless of the site’s origin.”
