A patch is the catch: Cisco survey

Even after Heartbleed, most organizations are not patching security holes

Corporate security teams are not patching holes in their software or security tools, according to a Cisco survey released this week. Less than 50% of the respondents at 1,700 companies in nine countries use standard tools such as patching and configuration to help prevent security breaches and ensure that they are running the latest versions of software.

Indeed, even though Heartbleed was the landmark vulnerability last year, 56% of all installed OpenSSL versions are over four years old. And chief information security officers may not even know that – 75% believe their security tools as very or extremely effective.

The survey also found that end-users are unknowingly aiding cyber-attacks. Throughout 2014, Cisco said its threat intelligence research revealed that attackers have increasingly shifted their focus from seeking to compromise servers and operating systems to exploiting users at the browser and email levels.

Users downloading from compromised sites contributed to a 228% increase in Microsoft Silverlight attacks, along with a 250% increase in spam and malvertising exploits, the Cisco survey found.

In addition to shifting attack focus, hackers are adopting techniques that make attacks harder to detect and analyze. Such techniques include snowshoe spam, lesser known web exploits, and combining exploits over two different files.

Snowshoe spam refers to sending low volumes of spam from a large set of IP addresses to avoid detection. With the malicious file combination, attackers deploy exploits which combine the respective weaknesses of Flash and JavaScript.

Sharing exploits over two different files can make it more difficult for security devices to identify and block the exploit and to analyze it with reverse engineering tools, Cisco says.

The craftiness of the attack and the constant wariness of CISOs is further complicated by the geopolitical motivations of the attackers, and the conflicting requirements imposed by local laws with respect to data sovereignty, data localization and encryption, the Cisco study finds.

A copy of the Cisco Annual Security Research report can be found here.

More from Cisco Subnet:

SDN in 2014: a year of non-stop action

Cisco's greatest hits, 2014 edition

In Cisco tiff, Arista taps Gandhi

Sky's the limit for Cisco Intercloud

Suing Arista was always the plan

Cisco was surprised by Arista statements: Chambers

Cisco/SJSU: We Can't Hear You

Cisco lawsuits aside, Arista forges ahead with EOS

Cisco Catalyst 6500 shops adopting Nexus 9000

Arista fires back at Cisco's suits

Follow all Cisco Subnet bloggers on Twitter.Jim Duffy on Twitter

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2015 IDG Communications, Inc.

IT Salary Survey: The results are in