## Cisco 2011 Annual Security Report

###### Highlighting global security threats and trends

The Cisco® Annual Security Report provides an overview of the combined security intelligence of the entire Cisco organization. The report encompasses threat information and trends collected between January and November 2011. It also provides a snapshot of the state of security for that period, with special attention paid to key security trends expected for 2012.

###### PART 1

- 3 Welcome to the Connected World
- 5 Your Future Workers: Loaded with Devices, and Not Overly Concerned About Security
- 8 Social Media: Now, It’s a Productivity Tool
- 10 Remote Access and BYOD: Enterprises Working to Find Common Ground with Employees
- 16 The Influence of Mobile Devices, Cloud Services, and Social Media on Security Policy in the Enterprise

###### PART 2

- 22 Cyber Threat Outlook for 2012: The Hacktivism Factor
- 23 Geopolitical Trends: Social Media Wields “Gathering” Power
- 24 Announcing the 2011 Winners of the Cisco Cybercrime Showcase
- 26 The Cisco Cybercrime Return on Investment (CROI) Matrix
- 28 2011 Vulnerability and Threat Analysis
- 29 Global Spam Update: Dramatic Decline in Spam Volume
- 31 The Cisco Global ARMS Race Index
- 32 The Internet: A Fundamental Human Necessity?
- 35 Cisco Security Intelligence Operations

-----

#### Welcome to the Connected World

Imagine the 1960s office of the fictional advertising agency portrayed on the American television show “Mad Men”: When it came to technology, workers could avail themselves of typewriters and telephones (both operated largely by the secretarial pool)—which were basically all they had in the way of productivity-enhancing equipment. Employees attended perhaps one or two meetings a day; work began when people arrived at the office, and stopped when they went home.

Today’s workers get more done over breakfast or during the morning commute than their 1960s predecessors accomplished in an entire day. Thanks to the array of technology innovations flooding into the workplace—everything from tablets to social networking to videoconferencing systems such as telepresence—employees can work almost anywhere and anytime they need to, provided the right technology is there to support connectivity and, even more importantly, provide security. In fact, the modern workplace may differ from its 1960s counterpart most dramatically in terms of the lack of actual people: Showing up at the office is less and less necessary.

Along with the onslaught of technology innovations, there’s also been a shift in attitude. Today’s workers have become so accustomed to the productivity benefits and ease of use of their devices, social networks, and web applications that they see no reason why they can’t use all these tools for work as well as for play. The boundaries between work and home are nearly nonexistent: These workers chat with their supervisors on Facebook, check work email on Apple iPads after watching a movie with the kids, and turn their own smartphones into mini-workstations.

Unsurprisingly, many enterprises are questioning the impact of technology innovation and flexible work habits on corporate information security—and sometimes, take the drastic step of banning devices or restricting access to web services that workers say they need (and do need, in most cases). But organizations that don’t allow workers this flexibility—for instance, allowing them to use only a given company-owned smartphone—will soon find they can’t attract talent or remain innovative.

Research conducted for the Cisco Connected World Technology Report study ([www.cisco.com/en/US/netsol/ns1120/index.html](http://www.cisco.com/en/US/netsol/ns1120/index.html)) documents changing attitudes toward work, technology, and security among college students and young professionals around the globe, who are driving the next waves of change in the enterprise. (Workers of all ages have been responsible for increasing adoption of consumer devices in the workplace and anytime/anywhere information access, but younger workers and new graduates are drastically speeding up the pace of change.) This year’s edition of the Cisco *Annual Security Report* highlights many key findings from this research, exploring the impact on enterprises and suggesting strategies for enabling innovation.

For instance, most college students (81 percent) surveyed globally believe they should be able to choose the devices they need to do their jobs—either by having their employers pay for them or bringing their own personal devices to work. In addition, almost three-quarters of students surveyed believe they should be able to use such devices for both business and personal use. Multiple devices are becoming commonplace: 77 percent of surveyed employees worldwide have multiple devices in use, such as a laptop and a smartphone or multiple phones and computers. (See “Your Future Workers: Loaded with Devices, and Not Overly Concerned About Security,” page 5.)

###### A Balanced, Flexible Approach to Security

Trends such as the influx of consumer devices in the workplace will require more flexible and creative solutions from IT staff for maintaining security while enabling access to collaborative technologies. Given the desire of workers to bring the devices they use at home into the workplace, enterprises need to adopt a “bring your own device” (BYOD) vision—that is, securing the network and data regardless of how workers access information. (See “Remote Access and BYOD: Enterprises Working to Find Common Ground with Employees,” page 10.)

-----

Workers must be part of this compromise: They need to see the value of cooperating with IT so they can use the tools they have come to rely on—and help lay the groundwork for a process that will enable faster adoption of new technologies in the workplace as they emerge.

Another fundamental adjustment by enterprises and their security teams is the acceptance of the public nature of business. According to the Connected World study, young professionals and students see far fewer boundaries between work life and personal life: 33 percent of college students say they don’t mind sharing personal information online.

“The older generation assumes everything is private, except what they choose to make public,” explains David Evans, chief futurist for Cisco. “To the younger generation, everything is public, except what they choose to make private. This default position—that everything is public—goes against how enterprises have worked in the past. They’ve competed and innovated based on protecting their information from being exposed. However, they need to realize that the benefits they receive from sharing information are greater than the risks of keeping information within their walls.”

The good news for IT is that their role as enablers of collaboration and sharing should lead to greater responsibility—and hopefully, more budget—for the enterprise’s growth and development. “Success is when IT can enable these dramatic changes in the workplace, not inhibit them,” says John N. Stewart, vice president and chief security officer for Cisco. “We should not focus on specific issues, like whether to allow people to use their iPads at work, because it’s a foregone conclusion. Rather, focus on solutions to the bigger business challenge: enabling technology for competitive advantage.”

“Today’s IT departments need to enable the chaos that comes from a BYOD environment,” says Nasrin Rezai, Cisco’s senior director of security architecture and chief security officer for the Collaboration Business Group. “This doesn’t mean accepting high levels of risk, but being willing to manage some risks in exchange for attracting talent and delivering innovation. It’s about moving to a world in which not every technology asset can be managed by IT.”

A willingness to balance risks and benefits is a hallmark of IT’s new posture toward security. Instead of outright bans on devices or access to social media, enterprises must exchange flexibility for controls that workers agree to. For instance, IT staff may say, “You can use your personal smartphone to read and respond to company email, but we need to manage that asset. And if you lose that phone, we’ll need to erase data remotely, including your personal apps and pictures of your family.”

-----

#### Your Future Workers: Loaded with Devices, and Not Overly Concerned About Security

Ten years ago, employees were assigned laptops and told not to lose them. They were given logins to the company network, and told not to tell anyone their password. End of security training.

Today, your “millennial” employees—the people you want to hire because of the fresh ideas and energy they can bring to your business—show up to their first day on the job toting their own phones, tablets, and laptops, and expect to integrate them into their work life. They also expect others—namely, IT staff and chief information officers—to figure out how they can use their treasured devices, anywhere and anytime they want to, without putting the enterprise at risk. Security, they believe, is not really their responsibility: They want to work hard, from home or the office, using social networks and cloud applications to get the job done, while someone else builds seamless security into their interactions.

Research from the Connected World study offers a snapshot of how younger workers and college students about to enter the workforce view security, access to information, and mobile devices. Here’s a snapshot of who you’ll be hiring, based on findings from the study:

###### The Anytime, Anywhere Young Worker

- Prefers an unconventional work schedule, working anytime and anywhere
- Believes he should be allowed to access social media and personal websites from company-issued devices
- Checks Facebook page at least once a day
- Doesn’t believe he needs to be in the office on a regular basis
- Believes that IT is ultimately responsible for security, not him
- Will violate IT policies if it’s necessary to get the job done
- Owns multiple devices, such as laptops, tablets, and mobile phones (often more than one)

###### The Connected College Student

- Would hesitate to work at a company that banned access to social media
- Wants to choose devices to bring to work—even her personal laptop and gadgets
- Doesn’t want to work in the office all the time—believes she’s more productive when she can work from anywhere, anytime
- If forced to choose, would pick Internet access over having a car
- Not very concerned about protecting passwords
- Checks Facebook page at least once a day
- Allows other people—even strangers—to use her computers and devices

Source: Cisco Connected World Technology Report

-----

#### Social Media: Now, It’s a Productivity Tool

Facebook and Twitter long ago moved beyond mere novelty sites for teens and geeks, and became vital channels for communicating with groups and promoting brands.
Young professionals and college students know this, and weave social media into every aspect of their lives. (And while Facebook and Twitter are the dominant players in much of the world, many other regional social networks are becoming just as essential to online interaction—for instance, Qzone in China, VKontakte in Russia and former Soviet-bloc countries, Orkut in Brazil, and Mixi in Japan.)

However, enterprises may not understand the extent to which social media has made inroads into the public and private lives of their employees, especially younger workers—and therefore, do not feel the need to yield to growing demand in their workforce for unfettered access to social networks like Facebook or content-sharing sites such as YouTube. Unfortunately, this inertia may cost them the talent they need to grow and succeed. If access to social networks isn’t granted, young professionals who expect to have it are likely to seek work at companies that do provide such access. These attitudes are even more prevalent among college students, who have been using social media from a young age.

According to research for the Connected World study, college students and young workers center their social and business interactions around Facebook. Eighty-nine percent of college students surveyed check their Facebook page at least once a day; seventy-three percent of young professionals do so as well. For young workers, their social media connections often extend into the workplace: Seven out of 10 employees said they have friended managers or co-workers on the social media site.

Given their level of activity on Facebook—and the lack of distinction between personal and business use of the social media site—it stands to reason that young workers want to carry their Facebook use into the office. Among college students surveyed, almost half (47 percent) said they believe companies should maintain flexible social media policies, presumably to allow them to stay connected in their work and personal lives at any time.

If students encounter a workplace that discourages social media usage, they may avoid these companies altogether—or if they’re stuck working in these environments, they may try to subvert the rules blocking access to their favorite sites. More than half of college students surveyed globally (56 percent) said if they encountered a company that banned access to social media, they would either not accept a job there, or would join and then find a way to access social media despite corporate policies. Two out of three college students (64 percent) said they plan to ask about social media usage policies during job interviews, and one in four (24 percent) said such policies would be a key factor in their decision to accept a position.

###### The Upside of Social Media Access

Since social media is already so entrenched in the daily lives of young professionals and future workers, enterprises can no longer view it as a passing nuisance or a negative, disruptive force. In fact, companies that block or narrow access to social media likely will find themselves at a competitive disadvantage.

When enterprises accept social media use by the workforce, they are providing their employees with the tools—and the culture—they need to be more productive, innovative, and competitive. For example, hiring managers can use social networks to recruit new talent. Marketing teams can monitor social media channels to track the success of advertising campaigns or consumer sentiment about brands. And customer service teams can respond to consumers who use social media to ask questions and provide feedback to companies.

Fears around security and data loss are a leading reason why many businesses don’t embrace social media, but these concerns are likely out of proportion with the true level of risk (see “Myth vs. Reality: Social Media Is Dangerous to the Enterprise” on facing page); in any case, risks can be mitigated through the application of technology and user controls. For instance, web traffic controls can halt malware such as Koobface[1] that finds

-----

don’t inhibit workers from browsing social media and using it to connect with colleagues, customers, and business partners. They are stopped from social media activity only when they are in danger of downloading an infected file or clicking on a suspicious link. The protection is invisible to users, and is built into the network, not computers or devices. Workers get the social media access they demand, and businesses get the information safety they require. (See more on social media protections in “The Future for Acceptable Use Policies,” page 19.)

Social media sites themselves have responded to requests to offer greater levels of control over what users can see within a network. For example, a business can allow workers to access YouTube to view videos related to its industry or product, but block access to adult content or gambling sites. And technology solutions can filter social media traffic for incoming malware or outgoing data (for instance, company files that should not be emailed via social media or other web-based services).

To protect a business’s users against unauthorized access to their accounts, Facebook has steadily introduced privacy features. While these are individual user controls as opposed to network controls, businesses can engage in discussion with workers and offer training about the most useful privacy features for maintaining information security.

Before limiting access to social media, enterprises should consider the business value of social media versus the risk of allowing it. Considering the findings of the Connected World study and the passion young workers have for social media and its collaborative powers, businesses are likely to discover the benefits outweigh the risks—provided they find the right balance between acceptance and security.

###### Myth vs. Reality: Social Media Is Dangerous to the Enterprise

**Myth:** Allowing employees to use social media opens the door wide to malware in the company network, and will cause productivity to plummet. In addition, employees will divulge company secrets and inside gossip on Facebook and Twitter, damaging the enterprise’s competitive position.

**Reality:** There’s no doubt that criminals have used social media networks to lure victims into downloading malware and handing over login passwords. But the fear of threats delivered via social media may be overblown. Email messages remain the most popular way to get malware into networks. Certainly, enterprises should be concerned about loss of intellectual property, but social media doesn’t deserve full blame for such losses. Employees who haven’t been trained to protect their employer’s information can unleash secrets by indiscreet chats in public places or via email as fast as they can tweet, and they can download company documents onto thumb drives as easily as trading information over Facebook email. The answer to IP leakage is not an outright ban on social media. It’s imbuing trust in the workforce so workers don’t feel compelled to disclose sensitive information.
“The loss of productivity due to social networking has been the subject of many media scare stories,” says Jeff Shipley, manager of Cisco Security Research and Operations. “However, the truth is that employees can do more work, and do so better and faster, when they use tools that let them rapidly collaborate on projects and talk to customers. Today, social media networks are those tools. The productivity gains make up for the occasional downtime inherent in social networking.”

-----

#### Remote Access and BYOD: Enterprises Working to Find Common Ground with Employees

While the question of whether to allow employees to access social media during work hours and with company assets is top of mind for many organizations, a more pressing concern is finding the right balance between allowing their employees to have access to the tools and information they need to do their jobs well—anytime, anywhere—while also keeping sensitive corporate data, such as intellectual property and employees’ personal information, secure.

Enterprises across industries are starting to understand they must adapt soon to “consumerization of IT” (employees’ introduction and adoption of consumer devices in the enterprise) and the remote working trends already under way in their organizations. It is becoming increasingly clear that if they don’t change, they cannot stay competitive, innovate, maintain a productive workforce, and attract and keep top talent. At the same time, they are realizing that maintaining previously defined security borders is no longer possible.

“IT organizations, particularly those in large companies, have not been able to keep pace with the Internet-speed growth of new devices and the immediate adoption of those devices by employees—especially younger workers,” says Gavin Reid, Computer Security Incident Response Team (CSIRT) manager for Cisco.

There clearly is an expectation among tomorrow’s young professionals—as well as many of today’s—that they will be able to access whatever they need from wherever they are in order to do their jobs. And if they aren’t provided with that access, the consequences for the enterprise are potentially significant. As an example, the Connected World study revealed that three in 10 young professionals globally admit that the absence of remote access would influence their job decisions, such as leaving an existing job sooner than later or declining job offers outright. They also indicate they would be more likely to slack off while on the job and experience lower morale.

As for today’s college students, most can’t even imagine a future work experience that did not include the ability to access work remotely. According to the Cisco Connected World Technology survey, nearly two in three college students expect that, when they are in the workforce, they will be able to access their corporate network using their home computer. Meanwhile, about half of college students expect to do the same using their personal mobile devices. And more than likely, if the enterprise does not allow them to do these things, these future workers will find a way to overcome obstacles to access.

The report also reveals that most college students (71 percent) share the view that company-issued devices should be available for both work and play because “work time often blends with personal time … It’s the way it is today and the way it will be in the future.” That latter statement is very true, which is why more enterprises are moving to implement a BYOD practice. Other factors, including workforce mobility, the proliferation of new devices, and acquisition integration and management of offshore and offsite outsource relationships, are also key drivers.

Figure 1. The Stages of Workforce Access Along the Any Device Journey

- INTERNAL ACCESS: Had to come into the office to access resources
- ANY DEVICE, ANYWHERE: Access resources from anywhere with any device
- VIRTUAL ENTERPRISE: Enterprise becomes virtual, fully location- and service-independent
- MARKET TREND: Consumerization of Services

-----

Cisco is one organization already making the transition to BYOD—and is learning quickly that this transformation requires both long-term commitment and cross-functional engagement in the organization. Depicted in Figure 1 on the previous page are the five stages of workforce access along what Cisco calls its “Any Device” journey toward becoming a “virtual enterprise.” By the time Cisco reaches the last stage of its planned journey, which will take several years, the organization will be increasingly location- and service-independent—and enterprise data still will be secure.[2]

The specific demands of an organization’s industry segment (regulatory demands) and corporate culture (risk tolerance versus innovation) drive BYOD decisions.

“I think for many organizations today, the BYOD issue is less a matter of ‘No, we can’t do it’ and more a question of ‘How do we do it? What positive, responsive actions should we take to manage the mobile device situation in our organization?’” says Nasrin Rezai, Cisco’s senior director of security architecture and chief security officer for the Collaboration Business Group.

One common theme among organizations moving toward the practice of BYOD is that there is buy-in from top executives who are helping not only to bring the matter to the forefront in the company, but also drive it further. Rezai explains, “Executives are playing a lead role in driving adoption of BYOD in the enterprise. They’re taking the risk of embracing the chaos, but also saying, ‘We will do this systemically and architecturally, and evaluate our progress every step of the way.’” (See sidebar, “Questions to Ask Along Your Own ‘Any Device’ Journey,” on facing page.)

Governance also is critical to the success of a BYOD practice. Cisco, as an example, maintains a BYOD steering committee, which is led by IT but includes key stakeholders from other business units, such as human resources and legal. Without formal governance, companies cannot define a clear path for how to move the organization successfully and strategically from a managed world to an unmanaged or “borderless” world, where the security perimeter is no longer defined and IT does not manage every technology asset in use in the organization.

###### Technology Making a Safer Journey to BYOD for Cisco

As part of the decision to allow employees to use any device for work, including unmanaged personal devices, Cisco IT, along with CSIRT, sought a tool that would block malicious websites before they loaded onto browsers. In short, they wanted protection against zero-day threats—specifically those without a known signature. However, the solution also needed to preserve the user experience—not only to ensure productivity, but also to prevent employees from changing their browser settings.

Cisco IT and CSIRT achieved their goal by deploying the Cisco IronPort® S670 Web Security Appliance (WSA), a web proxy that inspects and then either forwards or drops web traffic based on reputation filters or the outcome of inline file scanning. (Cisco does not use the WSA’s web-filtering capabilities to block entire website categories because its policy is to trust employees to use their time productively.)

When a Cisco employee clicks a link or enters a URL, the request is sent by way of Web Cache Communication Protocol (WCCP) to a load-balanced pool of Cisco IronPort S670 WSAs. The WSA determines whether to allow or reject the entire website, or individual objects on the website, based on a reputation score from the Cisco IronPort SenderBase® Security Network ([www.senderbase.org](http://www.senderbase.org)) cloud-based email and web traffic monitoring service. SenderBase assigns each website a reputation score ranging from –10 to 10. Websites with scores from –6 to –10 are blocked automatically, without scanning. Websites with scores from 6 to 10 are allowed, also without scanning.

Cisco deployed the Cisco IronPort S670 WSA throughout its organization in three phases, which began with a six-month proof-of-concept program in one building of the Cisco campus in Research Triangle Park (RTP), North Carolina, followed by a two-year pilot program (2009–2011) in which the solution was extended to all 3000 employees at the RTP campus. In 2011, the WSA was rolled out to other large campus sites worldwide and tens of thousands of employees. As of November 2011, Cisco’s global WSA deployment is 100 percent complete.

“Cisco is now experiencing its highest-ever level of protection from web-based threats,” says Jeff Bollinger, senior information security investigator for Cisco. “We average 40,000 blocked transactions per hour. And in just one day, the WSAs blocked 7.3 million transactions, including 23,200 Trojan downloader attempts, over 6800 Trojan horses, 700 worms, and nearly 100 phishing URLs.”

Learn more about Cisco’s deployment of the Cisco IronPort S670 WSA at: [www.cisco.com/web/about/ciscoitatwork/downloads/ciscoitatwork/pdf/cisco_it_case_study_wsa_executive_summary.pdf](http://www.cisco.com/web/about/ciscoitatwork/downloads/ciscoitatwork/pdf/cisco_it_case_study_wsa_executive_summary.pdf).
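The reputation bands the sidebar describes for the WSA (scores from –6 to –10 blocked without scanning, 6 to 10 allowed without scanning, and inline scanning deciding the rest) can be modelled as a small policy function; the block below is an added example, not Cisco’s WSA code, and the gray-band scanning rule, the toy signature scanner, the threat labels and the sample transactions are constructed assumptions.

```python
"""Reputation-gated web proxy decision, modelled on the SenderBase score
bands the report gives for the Cisco IronPort WSA.  Illustrative code, not
Cisco's implementation: the rule that scores between the two bands go to
inline file scanning is inferred from the report's description of the WSA
acting on "reputation filters or the outcome of inline file scanning"."""
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional, Tuple

BLOCK_THRESHOLD = -6   # scores from -10 to -6: blocked, never scanned
ALLOW_THRESHOLD = 6    # scores from 6 to 10: allowed, never scanned


@dataclass(frozen=True)
class Verdict:
    action: str            # "allow" or "block"
    reason: str            # "reputation" or "scan"
    threat: Optional[str]  # scanner label when blocked by scan, else None


# A scanner takes the fetched object and returns a threat label or None.
Scanner = Callable[[bytes], Optional[str]]


def reputation_decision(score: float, body: bytes, scan: Scanner) -> Verdict:
    """Apply the three-band policy to one transaction."""
    if not -10 <= score <= 10:
        raise ValueError(f"reputation score out of range: {score}")
    if score <= BLOCK_THRESHOLD:
        return Verdict("block", "reputation", None)
    if score >= ALLOW_THRESHOLD:
        # Trusted band: the object is forwarded without being scanned.
        return Verdict("allow", "reputation", None)
    # Gray band: inline scanning decides (assumption, see module docstring).
    threat = scan(body)
    if threat is None:
        return Verdict("allow", "scan", None)
    return Verdict("block", "scan", threat)


# Constructed stand-in for a signature scanner: marker bytes -> label.
CONSTRUCTED_SIGNATURES = {
    b"TROJAN-DL": "trojan downloader",
    b"WORM": "worm",
    b"PHISH": "phishing URL",
}


def toy_scanner(body: bytes) -> Optional[str]:
    for marker, label in CONSTRUCTED_SIGNATURES.items():
        if marker in body:
            return label
    return None


def summarize(transactions: Iterable[Tuple[float, bytes]]) -> Dict[tuple, int]:
    """Count outcomes by (action, reason, threat), the shape in which the
    sidebar reports its blocked-transaction figures."""
    counts: Counter = Counter()
    for score, body in transactions:
        v = reputation_decision(score, body, toy_scanner)
        counts[(v.action, v.reason, v.threat)] += 1
    return dict(counts)


# Constructed sample transactions: (reputation score, fetched object).
SAMPLE = [
    (-9.5, b"anything"),         # blocked on reputation, never scanned
    (-6.0, b"clean"),            # boundary: -6 is inside the block band
    (-2.0, b"..TROJAN-DL.."),    # gray band: scanned and caught
    (0.0, b"plain page"),        # gray band: scanned, clean
    (5.9, b"WORM payload"),      # just below the allow band: still scanned
    (6.0, b"WORM payload"),      # boundary: 6 is allowed without scanning
    (9.0, b"PHISH"),             # trusted band: forwarded unscanned
]

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE).items(), key=str):
        print(key, n)
```

The two boundary transactions show the practical caveat of a pure reputation allow band: an object served from a site scored 6 or above is forwarded without inline scanning, so the allow threshold is a trust decision, not a detection one.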
“Many people think BYOD is about the endpoint, but it’s much broader than that,” says Russell Rice, director of product management for Cisco. “It’s about ensuring consistency of the user experience working from any device, whether it’s in a wired or wireless environment or in the cloud. It’s about the policy elements of interaction. And it’s about your data, how it’s secured, and how it traverses inside all of those different environments. All of these things must be taken into account when moving to BYOD—it really is a change in mindset.” ###### Myth vs. Reality: Workers Won’t Accept Enterprise Control of Their Mobile Devices Myth: Employees will not accept an employer’s requirement to have some remote control over the personal mobile device that they want to use for both work and play. ###### Workers Won’t Accept Enterprise Control of Their Mobile Devices Myth: Employees will not accept an employer’s requirement to have some remote control over the personal mobile device that they want to use for both work and play. Reality: Enterprises and employees must find common ground, with the company recognizing the individual’s need to use the device of his or her choice and the worker understanding that the company must do whatever is necessary to enforce its security policy and stay in compliance with regulatory requirements related to data security. Organizations must be able to identify unique devices when they enter the corporate network, link devices to specific users, and control the security posture of devices used to connect to corporate services. Technology is evolving that would allow the “containerization” of a device—that is, a virtual phone within a phone that could be shut off by an employer in the event the device is lost or stolen, without compromising a user’s personal data, which is kept separate. Within the next few years, viable security solutions based on this technology should be available for widespread enterprise use. 
Until then, employees who want to use their personal device of choice for work must accept that the enterprise, for security reasons, retains certain rights in order to protect the device. This includes requiring, among other things:

- Passwords
- Data encryption (including device and removable media encryption)
- Remote management options that allow IT to remotely lock or wipe a device if it is lost, stolen, or otherwise compromised, or if the employee is terminated

If a worker does not accept policy enforcement and asset management requirements that are designed to elevate a mobile device’s status to “trusted” according to the enterprise’s security standards, then IT will not permit the employee to access safeguarded company assets with his or her device of choice.

-----

###### Questions to Ask Along Your Own Any Device Journey

When Cisco first embarked on its “Any Device” journey, the company identified 13 critical business areas affected by this new paradigm. The table below highlights these focus areas and provides a list of questions that have helped Cisco identify—and avoid—potential pitfalls and determine how best to approach these considerations. Enterprises that want to adopt a BYOD practice should consider these questions as well.[3]

| **Business Area** | **Business Questions to Answer** |
|---|---|
| Business continuity planning and disaster recovery | Should noncorporate devices be granted access or restricted from business continuity planning? Should there be an ability to remotely wipe any end device accessing the network if it is lost or stolen? |
| Host management (patching) | Will noncorporate devices be permitted to join existing corporate host-management streams? |
| Client configuration management and device security validation | How will device compliance to security protocols be validated and kept up to date? |
| Remote-access strategies | Who should be entitled to what services and platforms on which devices? Should a contingent worker be given the same entitlement to end devices, applications, and data? |
| Software licensing | Should policy change to permit installation of corporate-licensed software on noncorporate devices? Do existing software agreements account for users accessing the same software application through multiple devices? |
| Encryption requirements | Should noncorporate devices comply with existing disk-encryption requirements? |
| Authentication and authorization | Will noncorporate devices be expected or permitted to join existing Microsoft Active Directory models? |
| Regulatory compliance management | What will organizational policy be on the use of noncorporate devices in high-compliance or high-risk scenarios? |
| Accident management and investigations | How will corporate IT security and privacy manage incidents and investigations with noncorporate-owned devices? |
| Application interoperability | How will the organization handle application interoperability testing with noncorporate devices? |
| Asset management | Does the organization need to change how it identifies the devices it owns to also identify what it does not own? |
| Support | What will the organization’s policies be for providing support to noncorporate-owned devices? |

-----

###### Mobile Device Distribution in the Enterprise and Malware Encounters

The Connected World survey revealed that three out of four employees worldwide (77 percent) have multiple devices, such as a laptop and a smartphone or multiple phones and computers. Thirty-three percent of young professionals (one in three) say they use at least three devices for work. But which mobile device platforms are favored by most workers today, in general?

In conducting research for the latest Cisco Global Threat Report, Cisco ScanSafe took a close look at the types of mobile device platforms that workers around the world are using in the enterprise.* Surprisingly, RIM BlackBerry devices—which have long been accepted in most enterprise environments—are now the fourth most popular platform among workers.

Even more startling, perhaps, is that Apple Inc.’s iPhone, iPad, and iPod touch devices are currently the most dominant platform—significantly so. Google Android holds the second spot, with Nokia/Symbian devices ranking third.** These results underscore the powerful impact that consumerization of IT has had on enterprises in just a short period: The first iPhone was released in 2007; the first commercially available Android phone was launched in 2008.

Cisco ScanSafe’s research also provides insight into which mobile device platforms are encountering malware. The answer: all of them. (See chart below.) While BlackBerry devices are currently experiencing the majority of encounters (over 80 percent), Cisco’s senior security threat researcher Mary Landesman says the malware is not targeted specifically at BlackBerry devices or users, and it’s doubtful the malware encountered has infected or had any other impact on those devices.

Landesman adds, “Wherever users go, cybercriminals will follow. As mobile device use continues to grow among enterprise users, malware targeting those devices—and thus, users—also will grow.” (For more on cybercriminals’ increasing investment in exploits that target mobile device users, see the “Cisco Cybercrime Return on Investment Matrix,” page 26.)

[Chart: Mobile Device Use by Enterprise; Normalized Distribution of Encounters. Platforms shown: Android, iPhone/iPad/iPod touch, Nokia/Symbian, BlackBerry, Windows Mobile. Source: Cisco ScanSafe]

-----

###### The iPad Revolution: Tablets and Security

When the Apple iPad tablet computer launched in 2010, it was positioned (and embraced by the public) as a consumer device: Watching movies with the kids, browsing the web while sitting on the couch, and reading books were among the favorite use cases.

However, many industry sectors, like healthcare and manufacturing, quickly saw the appeal of a powerful, easy-to-use mobile device for business use that would bridge the gap between smartphones (too small) and laptops (too bulky). In a recent earnings call, Apple’s chief financial officer said that 86 percent of Fortune 500 businesses and 47 percent of Global 500 companies are deploying or testing the iPad; companies such as General Electric Co. and SAP are creating custom iPad apps for internal processes; and Alaska Airlines and American Airlines pilots are using the iPad in cockpits to replace paper-based navigational information.[4]

At the same time, workers who use iPads and other tablets at home are asking their employers to let them use the devices at the office—yet another consumerization of IT milestone. This is reflected in the Cisco Connected World study, in which 81 percent of college students said they expect to be able to choose the device for their jobs, either receiving budget to buy devices of their choice, or bringing in their own personal devices.

Regardless of whether enterprises or workers are driving adoption of iPads and other tablets, the devices are generating questions and concerns about securing company information accessed via tablets. Unlike smartphones, iPads and tablets offer more robust compute platforms, with which workers can accomplish more than they can with smartphones. Forward-thinking enterprises want to enable the inclusion of tablets, without compromising security. In addition, enterprises welcoming tablet use in the workplace will need methods for device management (e.g., wiping data from lost devices), just as they have for smartphones and laptops.

For tablets—and indeed, whatever new-and-cool devices come into the enterprise next—security professionals need to preserve the user experience even as they add security features. For instance, iPad users love the device’s touchscreen controls, such as moving fingers across the screen to view or zoom in on images. If IT departments build in security that restricts these much-loved features, users will balk at the changes.

A more strategic decision is to shift the security conversation away from specific devices, and toward a BYOD enablement strategy with access based on user, role, and device type (for more on BYOD practice, see page 10). The key to enabling any device in the enterprise, whether it’s company-owned or brought from home, is identity management—that is, understanding who’s using the device, where they’re using it, and what information they’re accessing.

Innovation has caused constant change in IT—and the rate of change is increasing. Companies that design their device strategy around 2011’s popular choice (in this case, the iPad) will have to start the clock on re-engineering their systems in a few years’ time, when new vendors, products, and features emerge.

“The best approach to tablet security is one that allows the ability to isolate business and personal apps and data reliably, applying appropriate security policy to each,” says Horacio Zambrano, product manager for Cisco. “Policy happens in the cloud or with an intelligent network, while for the employee, their user experience is preserved and they can leverage the native app capabilities of the device.”

-----

#### The Influence of Mobile Devices, Cloud Services, and Social Media on Security Policy in the Enterprise

The cost of just one data breach can be staggering for an enterprise. Ponemon Institute estimates range anywhere from US$1 million to US$58 million.[5] The cost is not just financial, either: Damage to corporate reputation and loss of customers and market share are potential side effects of a high-profile data loss incident. As more employees become mobile workers and use multiple devices to access company assets and rely on collaborative applications to work with others while outside the traditional “four walls” of the enterprise, the potential for data loss grows. As an example, the Cisco Connected World survey ([www.cisco.com/en/US/netsol/ns1120/index.html](http://www.cisco.com/en/US/netsol/ns1120/index.html)) found that almost half (46 percent) of young professionals send work emails via personal accounts.

“The potential for data loss is high,” says David Paschich, web security product manager for Cisco. “Enterprises are steadily losing control over who has access to their corporate network. And the simple fact that more employees are using mobile devices for work—and sometimes, multiple devices—means that the potential for data loss due to theft or loss of a device is greater.”

Cybercriminals’ growing preference toward the use of low-volume, targeted attacks, such as spear-phishing campaigns (see “Global Spam Update: Dramatic Decline in Spam Volume,” page 29), to steal information from high-value targets, and the increasing use of cloud-based file sharing services by enterprises to increase efficiency and reduce costs (see next section, “Securing Enterprise Data in the Cloud”) are also heightening the potential for data to be stolen or compromised.

In this landscape, it’s not surprising that more enterprises are renewing their focus on data loss prevention (DLP) efforts. “Today, businesses are evaluating their DLP programs to determine two things: if they are protecting the right data and if they are doing the right things to keep that data safe,” says John N. Stewart, vice president and chief security officer for Cisco.

When categorizing data that must be kept safe, a good starting place for many organizations is to determine what data types require protection and security, based on applicable laws and regulations, which can vary by industry and geographic location (e.g., state, country). “You can’t build rings of security around what you need to protect if you don’t know what those things are,” says Jeff Shipley, manager for Cisco Security Research and Operations. “This is a major shift in thinking for many organizations that focus their security controls on the systems and network, not the granularity of the actual data on the various systems, across multiple systems, or the network.” He adds that enterprises should not overlook intellectual property when categorizing data to be secured.

Shipley also cautions enterprise IT departments not to miss obvious opportunities to prevent data from “walking out the front door.” He says, “Here’s an example: If an enterprise would protect its sensitive files, such as Excel sheets containing customer data, with controls to prevent downloading or moving the data from centralized applications or databases, the chance of an employee downloading that data to a personal or mobile device before leaving the company is greatly reduced.”

Paschich also warns enterprises not to overlook a lower profile but very potent threat to data security—USB devices. “While companies are worrying about whether or not to let an employee connect to the network with an iPhone because they are concerned about undermining enterprise security, they are allowing their workers to plug USB devices into their laptops and copy whatever data they want.”

He offers an additional tip for shoring up data protection in the enterprise: laying out DLP measures and acceptable use policies (AUPs) in separate documents. “These efforts are interlocking, certainly, but they are different,” says Paschich. (See “The Future for Acceptable Use Policies,” page 19.)

###### Securing Enterprise Data in the Cloud

Cloud-based file sharing has become a popular and convenient method for sharing large files across the Internet, and it represents another potential risk area for enterprise data security. The idea of sensitive corporate information being passed back and forth among web-based cloud services—which are not managed by the enterprise—can cause sleepless nights for security professionals.

Cloud-based file sharing is gaining ground because it’s easy to use: The signup process for services like Box.net or Dropbox is fast and simple, the services don’t require hardware or advanced software, and they are free or low cost. They also streamline collaboration between workers and external consultants and partners, since files can be shared without generating time-consuming and complex methods for accessing corporate networks. Younger workers, who are conditioned to rely on cloud services such as webmail and social networks, will no doubt embrace cloud file sharing and drive its greater adoption in the enterprise.

Ceding control of corporate data to the cloud, especially a piece of the cloud that an enterprise doesn’t control, raises legitimate questions about information security. “Many new vendors in this market are startups with limited experience in providing enterprise-wide services, and with challenges it brings to the table,” says Amol Godbole, information security lead for the Cisco Security Programs Organization (CSPO). “In addition, security and encryption standards can vary widely from provider to provider. The benefits of file sharing in the cloud are many, but enterprises should ask tough questions of file sharing providers about their policies for maintaining security.” These questions include:

- What kind of encryption controls does the vendor provide?
- Which personnel have access to customer data?
- Who manages incident response and monitoring—the vendor or the customer?
- Does the vendor outsource some services to other suppliers? Are these suppliers caching data?
- Are DLP policies in place?
- Does the vendor conduct periodic security assessments?
- What redundancy measures are in place? How and where are backup files stored?

Enterprises that want to establish corporate policy on file sharing in the cloud should take the following steps:

**Establish a system for classifying data.** Documents can be classified by their sensitivity level—for instance, “public,” “confidential,” “highly confidential,” and so on, depending on business needs. Workers should be trained in how to apply these designations, and understand how they may affect the ability to share files in the cloud.

**Establish a system for handling specialized data.** Data that has legal or compliance implications needs special handling in terms of retention policies, physical location, and backup media requirements. Enterprises need to define policies around sending such data to external audiences, in addition to its classification per sensitivity levels.

**Implement a DLP solution.** File sharing vendors may not offer the granular level of DLP control that enterprises require. A DLP solution within the network can block data from being uploaded to file sharing services based on classifications—for instance, tax files or source code.

**Provide identity management to control access.** Users should be authenticated by the network before they are permitted to upload or download files. Leveraging corporate identity and identity federation for internal and external collaboration and managing the life cycle of provisioned accounts are key.

**Set expectations from the vendor.**
Clear and well-defined policies and services should be part of the service level agreement (SLA)—for instance, redundancy systems and encryption controls, practices around access to data by third parties (e.g., law enforcement), defining shared responsibilities that might include incident response, monitoring and administrative functions, and data transfer/purging activities prior to termination of the contract.
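As an added example of the classification, DLP and identity steps above (illustrative code, not the report’s or any vendor’s DLP engine), here is the kind of upload-control check a network enforcement point would apply before a file leaves for a cloud file sharing service. The classification labels, content detectors, host list and sample requests are assumptions constructed for this example.

```python
"""Classification-driven upload control: an illustrative example, not Cisco's
or any vendor's DLP product. It models three steps from the text: classify the
file, require an authenticated identity, and block uploads to cloud file
sharing services when the classification is too high for that destination.
Labels, detectors, hosts and sample requests are assumptions."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Classification scheme named in the text, lowest to highest sensitivity.
LEVELS = ("public", "confidential", "highly confidential")

# Explicit label a document owner may place in the file body (assumed format).
LABEL_RE = re.compile(r"classification:\s*(public|highly confidential|confidential)", re.I)

# Content detectors for two data types the text names: tax files and source code.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")          # US taxpayer-id shaped string
TAX_HINTS = ("form w-2", "form 1099", "taxpayer id")
SOURCE_EXTS = (".c", ".py", ".java", ".go", ".js")

# External file sharing services the policy covers (assumed list); any other
# destination is treated as internal.
CLOUD_SHARE_HOSTS = ("dropbox.com", "box.net")

# Highest classification each destination class may receive (assumed policy).
MAX_LEVEL = {"internal": "highly confidential", "cloud_share": "confidential"}


@dataclass
class UploadRequest:
    user: Optional[str]      # None when the network has not authenticated the user
    filename: str
    content: str
    destination_host: str


def _raise_to(level: str, floor: str) -> str:
    """Return whichever of the two levels is more sensitive."""
    return max(level, floor, key=LEVELS.index)


def classify(filename: str, content: str) -> str:
    """Classify one file: an explicit label sets the level; content and
    file-type detectors can only raise it, never lower it."""
    match = LABEL_RE.search(content)
    level = match.group(1).lower() if match else "public"
    body = content.lower()
    if SSN_RE.search(content) or any(hint in body for hint in TAX_HINTS):
        level = _raise_to(level, "highly confidential")   # tax data
    if filename.lower().endswith(SOURCE_EXTS):
        level = _raise_to(level, "highly confidential")   # source code
    return level


def destination_class(host: str) -> str:
    """Map a destination host to 'cloud_share' or 'internal'."""
    host = host.lower()
    for share in CLOUD_SHARE_HOSTS:
        if host == share or host.endswith("." + share):
            return "cloud_share"
    return "internal"


def decide(req: UploadRequest) -> Tuple[str, str]:
    """Return ('allow' | 'block', reason). Identity is checked first, as the
    text requires, then the classification against the destination's cap."""
    if not req.user:
        return "block", "user not authenticated by the network"
    level = classify(req.filename, req.content)
    dest = destination_class(req.destination_host)
    if LEVELS.index(level) > LEVELS.index(MAX_LEVEL[dest]):
        return "block", f"{level} data may not be uploaded to {dest} host {req.destination_host}"
    return "allow", f"{level} data permitted to {dest} host {req.destination_host}"


# Constructed sample uploads, not real traffic.
SAMPLE_REQUESTS = [
    UploadRequest("alice", "q3-memo.txt", "Classification: confidential\nQ3 plan.", "www.dropbox.com"),
    UploadRequest("bob", "w2-2011.txt", "Form W-2 for employee 123-45-6789", "www.dropbox.com"),
    UploadRequest("carol", "auth.c", "int check(void) { return 0; }", "box.net"),
    UploadRequest(None, "brochure.pdf", "Classification: public", "www.box.net"),
    UploadRequest("dave", "w2-2011.txt", "Form W-2 for employee 123-45-6789", "files.corp.example"),
]


def evaluate_all(requests: List[UploadRequest] = SAMPLE_REQUESTS) -> List[Tuple[str, str, str]]:
    """Decide every request; returns (filename, decision, reason) triples."""
    return [(r.filename, *decide(r)) for r in requests]


if __name__ == "__main__":
    for name, verdict, why in evaluate_all():
        print(f"{verdict:5} {name:14} {why}")
```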
-----

###### U.S. Lawmakers Pursue Data Breach Disclosure Measures

Several high-profile data breaches in 2011, including incidents involving Sony Corp.[6] and Citigroup Inc.,[7] have had U.S. lawmakers working to pass legislation that will impact how businesses protect consumer information and notify the public about cybersecurity incidents. Three data breach and privacy bills were approved and passed by the U.S. Senate’s Judiciary Committee in September 2011; the Senate Commerce Committee and the House Energy and Commerce Committee are working on versions as well. In the Senate, any version that passes likely will be a compromise of all versions that pass Senate committees and, perhaps, rolled into any larger comprehensive cyber bill that moves through the Senate. The versions that passed the Senate Judiciary Committee are:

**The Data Breach Notification Act of 2011[8]** This measure would require federal agencies and businesses that “engage in interstate commerce” and possess data containing sensitive personally identifiable information to disclose any breaches.

**The Personal Data Protection and Breach Accountability Act[9]** The act would establish a process to help companies create appropriate minimum security standards to safeguard sensitive consumer information. It also would require companies to issue prompt notification to individuals following a data breach.

**The Personal Data Privacy and Security Act of 2011[10]** This measure would establish a national standard for companies to follow when reporting data breaches. Additionally, it would require businesses to implement data privacy and security programs designed to prevent data breaches from occurring. The bill also includes criminal penalties.

At the time reporting for the Cisco 2011 Annual Security Report was concluded, federal data breach notification legislation was still pending in the U.S. Congress, along with comprehensive cybersecurity legislation designed to help protect financial networks, transportation systems, and power grids. The Senate has been working on comprehensive cybersecurity legislation for over a year; in May 2011, the Obama administration shared its view of what such legislation should include.[11]

6 “Sony Playstation Suffers Massive Data Breach,” by Liana B. Baker and Jim Finkle, Reuters.com, April 26, 2011, [www.reuters.com/article/2011/04/26/us-sony-stoldendata-idUSTRE73P6WB20110426](http://www.reuters.com/article/2011/04/26/us-sony-stoldendata-idUSTRE73P6WB20110426).
7 “Citi Says Many More Customers Had Data Stolen by Hackers,” by Eric Dash, The New York Times, June 16, 2011, [www.nytimes.com/2011/06/16/technology/16citi.html](http://www.nytimes.com/2011/06/16/technology/16citi.html).
8 The Data Breach Notification Act of 2011: [www.govtrack.us/congress/billtext.xpd?bill=s112-1408](http://www.govtrack.us/congress/billtext.xpd?bill=s112-1408).
9 The Personal Data Protection and Breach Accountability Act: [http://judiciary.senate.gov/legislation/upload/ALB11771-Blumenthal-Sub.pdf](http://judiciary.senate.gov/legislation/upload/ALB11771-Blumenthal-Sub.pdf).
10 The Personal Data Privacy and Security Act: [www.govtrack.us/congress/billtext.xpd?bill=s112-1151](http://www.govtrack.us/congress/billtext.xpd?bill=s112-1151).
11 White House, May 12, 2011.

-----

###### The Future for Acceptable Use Policies

Many acceptable use policies (AUPs) were born out of a need for enterprises to set down rules for how workers could access the Internet during work hours using corporate assets. Over time, many policies have become bloated catch-all documents designed to cover everything from Internet access to social media use to what employees cannot say about their company while engaging in online channels during off-hours. As a result, these policies, well intentioned as they are, have been difficult for employees to absorb and adhere to, and almost impossible for enterprises to enforce.

Given the results of the Cisco Connected World survey, it would appear that most AUPs are ineffective for another reason: Workers don’t think they play a role in helping the enterprise to enforce such policies. The research reveals that three in five employees (61 percent) believe they’re not responsible for protecting corporate information and devices; instead, their view is that IT and/or service providers are accountable. So the question is, what’s the point of having an AUP?

“Acceptable use policies are important for many reasons, including for regulatory compliance, but most aren’t realistic,” says Gavin Reid, Cisco CSIRT manager. “Too many are long laundry lists filled with ‘you-can’t-do-this’ items. They are really just a way for the enterprise to say to the employee, their legal department, or investigators, in the event of a security incident, ‘Well, we said not to do that.’”

Reid says a better approach is for enterprises to rethink the AUP to make it relevant and enforceable, and adds that many organizations are already doing that. The new AUPs coming out of this process are leaner and stronger. They are generally much shorter lists—some include only a handful of items, such as making it clear that employees cannot use peer-to-peer (P2P) applications or send spam from their desktop. And every item on these lists is “technically enforceable,” according to Reid, meaning that the organization has the technology in place to identify AUP violations.

“The current trend with AUPs is that businesses are taking a much more risk-based approach,” says Nilesh Bhandari, product manager for Cisco. “Companies are honing in on what they absolutely must include in an AUP, and what makes the most sense for the business, especially in terms of time and cost required to monitor employees’ adherence to the policy.” He adds that a well-defined AUP is easier for employees to understand and follow—and it gives the company greater leverage with its workforce. “Users will pay attention to an AUP when they fully understand what will happen if they fail to adhere to the policy,” says Bhandari.

###### “The current trend with AUPs is that businesses are taking a much more risk-based approach.” —Nilesh Bhandari, product manager, Cisco

###### Myth vs. Reality: AUPs Cannot Be Enforced

**Myth:** AUPs have no impact because they cannot be enforced—and they are simply too difficult for the enterprise to create in the first place.

**Reality:** Organizations cannot effectively enforce catch-all policies.
While it does take time and research to determine what an AUP should include and whether or not each item truly can be enforced, the end result will be a policy that is easier for employees to understand and follow—and that is more likely to enhance enterprise security. Special focus should be given to educating employees on safe use of email and the web, as these are avenues cybercriminals typically take to infiltrate and infect networks, steal intellectual property and other sensitive data, and compromise individual users.

-----

###### Getting Started with Collaboration Security

###### Social Media: Policies Paired with Technology Controls

Judging from the results of the Connected World study, college students and young professionals are likely to find ways around restrictions on social media access if it suits their needs—regardless of corporate policies. Three in four employees surveyed believe their companies should allow them to access social media and personal sites with their work-issued devices. Additionally, 40 percent of college students said they would break a company’s social media rules. That’s a significant slice of the potential workforce surveyed in this study—and it serves as a warning to enterprises as they grapple with their AUPs for social media. In other words, you can ban or restrict social media, but odds are good that your employees will access it anyway.

Organizations with AUPs that put a stranglehold on social media access for employees will likely find it hard to attract the best and the brightest young talent. Twenty-nine percent of students surveyed said they would decline a job offer from a company that did not allow them to access social media during working hours. And of those students who would accept such a job, only 30 percent said they would abide by the stated policies.
“Access to social media and technology freedom of choice will become make-or-break benefits for younger workers considering where to start their careers,” says Chris Young, senior vice president for the Security Group at Cisco. “HR organizations need to account for these factors in corporate culture and policy to retain a competitive edge. Enterprises should define a realistic compromise between the desires of employees to share and the business requirements of maintaining IT security, data, privacy, and asset protection.” Such a compromise involves granting access to social media and other collaboration technologies while using technology controls to deflect threats such as malware or phishing messages. In most cases, the security settings in social networks are controlled by users, not by IT. To compensate for this lack of control, additional security measures can be implemented—for instance, an intrusion prevention system to protect against network threats, and reputation filtering to detect suspicious activity and content. Technology controls should be paired with user training that clarifies the enterprise’s expectations for appropriate behavior and practices while accessing social media on company devices or via company networks. As discussed earlier (see “Social Media: Now, It’s a Productivity Tool,” page 8), young professionals have become so comfortable sharing information in the social media environment that they may not realize—nor have they ever been taught—that even small pieces of information posted on a social network can cause damage to a business. Lack of both user training about collaboration security concerns and guidelines for disclosing information online can be causes for this risk exposure. 
###### Collaboration Security

Enterprises can use the following steps to help establish security policies, technologies, and processes related to collaboration and social media security:

- Create a business plan for collaboration and social networking solutions, starting with the business need.
- Craft clear security governance mechanisms for collaboration.
- Create policies on information confidentiality and expectations for employee activity when interacting on collaboration sites.
- Define policies on network security measures, such as remote access by mobile devices, level of password protection, and use of direct file sharing.
- Identify regulatory and compliance requirements that might restrict use of or information disclosure on social media.
- Create training resources for all users.

-----

###### Part 2

-----

###### Cyber Threat Outlook for 2012: The Hacktivism Factor

Today’s enterprises are grappling with an array of security issues brought about by changing attitudes and work habits among their employees, and the dynamics of a more collaborative, connected, and mobile world. As this half of the Cisco 2011 Annual Security Report will examine, enterprises also must continue to protect against a wide range of potent threats that cybercriminals are already reaping rewards from, and are investing additional resources in refining—among them are advanced persistent threats (APTs), data theft Trojans, and web exploits.

However, enterprises now must consider another potential security threat that could be even more disruptive to their operations if they were to be targeted: hacktivism.

“Hacktivism is a morph of traditional hacking,” says John N. Stewart, vice president and chief security officer for Cisco. “Hackers used to hack for fun and notoriety. Then, it was for a prize or monetary gain. Now, it’s often about sending a message, and you may never know what made you a target. We’re defending a new domain now.”

Hacktivism—a blend of hacking and activism—catapulted to the top tier of security concerns in late 2010 when supporters of WikiLeaks.org launched distributed denial of service (DDoS) attacks against institutions such as PayPal and MasterCard; the initiative was dubbed “Operation Payback.”[12] In many ways, hacktivism is a natural extension of how people are using the Internet today—to connect with like-minded people all over the globe. The Internet serves as a powerful platform for those who want to make a statement and grab the attention of a wide audience, and motivate others to pursue similar actions. (See “Social Media Wields ‘Gathering’ Power,” on opposite page.)

Behind Operation Payback was a group known as the Anonymous collective, which has been growing in both membership and influence worldwide ever since. (For more on Anonymous, see the “Cisco Cybercrime Showcase,” on page 24.) Most recently, Anonymous has been connected to the Occupy Wall Street movement.[13] The “Occupy” protests began in New York City, but quickly spawned similar gatherings in more than 900 cities around the world. Activists representing the Anonymous collective have encouraged members to participate in the movement, which generally has been peaceful, but has led to violent clashes with law enforcement in some cities, including Rome, Italy,[14] and Oakland, California.[15] At times, factions of Anonymous that identify with the Occupy movement have threatened greater disruption, such as hacking campaigns to halt the operations of major financial exchanges.

Incidents of hacktivism by other groups in the last year have helped to elevate this threat to the top tier of cyber threat concerns for enterprises. LulzSec, for example, focused its efforts on law enforcement organizations, executing DDoS attacks and data theft against a U.K. cybercrime organization and Arizona law enforcement.[16] In July, a related group, known as “Script Kiddies,” hacked Fox News Twitter accounts to post that U.S. President Barack Obama had been assassinated.[17]

Hacktivism can happen quickly and without warning—although Anonymous did announce some of its intended targets, such as HBGary Federal, a firm hired by the U.S. federal government to track down cyberactivists targeting organizations that had pulled support from WikiLeaks.org. While the threat of hacktivism may seem remote, it’s very real, and represents a shift in the nature of cybercrime itself.

“Understanding criminal motivation has been a guiding principle in charting security strategy. However, the hacktivists’ goal of mayhem undermines this model, as any enterprise can be targeted at any time for any reason by anybody,” explains Patrick Peterson, senior security researcher for Cisco. “What an enterprise would try to protect from being compromised in a ‘traditional’ security breach, such as intellectual property, may be of no interest to this type of hacker. The ‘value’ derived from the action is when the hacker can disrupt, embarrass, or make an example of their target—or all of the above.”

Stewart adds, “Planning ahead for an incident of hacktivism means creating a clear action plan that outlines what the organization would say and do after an event has occurred. Developing this plan should be a cross-functional effort that includes management, security teams, legal, and even communications professionals. If this happens to your business, handle it well, as it can result in lasting damage to your brand. As is true with many things, be prepared and have your game plan in place before an incident occurs.”

12 “‘Anonymous’ Launches DDoS Attacks Against WikiLeaks Foes,” by Leslie Horn, PCMag.com, December 8, 2010, http://www.pcmag.com/article2/0,2817,2374023,00.asp#fbid=jU1HvGyTz7f
13 Occupy Wall Street website: http://occupywallst.org/
14 “Occupy protests spread around the world; 70 injured in Rome,” by Faith Karimi and Joe Sterling, CNN.com, October 15, 2011, http://www.cnn.com/2011/10/15/world/occupy-goes-global/index.html
15 “Occupy Oakland Violence: Peaceful Occupy Protests Degenerate Into Chaos,” Associated Press, The Huffington Post, November 3, 2011, http://www.huffingtonpost.com/2011/11/03/occupy-oakland-violence-_n_1073325.html
16 “LulzSec Releases Arizona Law Enforcement Data, Claims Retaliation for Immigration Law,” by Alexia Tsotsis, TechCrunch.com, June 23, 2011, http://techcrunch.com/2011/06/23/lulzsec-releases-arizona-law-enforcement-data-in-retaliation-for-immigration-law

-----

###### Geopolitical Trends: Social Media Wields “Gathering” Power

If anyone still needed evidence that social media can spark social change at lightning speed, 2011 was the year that this power was proven. The “Arab Spring” protests early in the year, and the riots in London and other British cities during the summer, showed that social media disseminates calls to action like no other medium before it. In both cases, Twitter and Facebook were used to drive attendance at public gatherings—and, also in both cases, government entities suggested blocking access to social media by cutting off Internet access or seizing personal account records.

A September 2011 University of Washington study found that social media, especially Twitter, “played a central role in shaping political debates in the Arab Spring,” particularly in Egypt and Tunisia, according to the study’s summary. “Conversations about revolution often preceded major events on the ground, and social media carried inspiring stories of protest across international borders.”[18] Social media watchers expect this trend to continue, as anti-government frustration finds a voice in social media networks.[19]

The implications for enterprises and for their security lie in the possibility of social media being used to cause upheaval within their own organizations or toward their brands or industries. (See “Cyber Threat Outlook for 2012: The Hacktivism Factor,” page 22.) “The perception of anonymity online increases the risk of unintended consequences if so-called netizens feel at liberty to lay blame but skip fact-checking,” says Cisco global threat analyst Jean Gordon Kocienda. “For companies and corporate executives, particularly in the current global environment of frustration toward perceived privileged groups, this increases both physical and virtual security concerns.”

In addition, enterprises can expect to undergo serious business disruption if offices or employees are based in areas undergoing such upheaval—for instance, lack of Internet access if local authorities shut it down as a security measure. It’s also possible organizations seen as aiding or abetting a corrupt regime could be targeted, or could suffer a backlash if they are viewed as trying to stifle a revolutionary movement.

Also on enterprises’ radar is the increasing tendency of government organizations to seek to block social media or even Internet service on a broad scale, or to request access to social media account or mobile device information that is normally private. For example, during the riots in the United Kingdom, people used BlackBerry Messenger (BBM), the instant messaging service for BlackBerry users, to trade information about sites to loot, or where protestors should gather. BBM is encrypted phone-to-phone messaging that, generally speaking, is harder for law enforcement authorities to trace. RIM, BlackBerry’s creator, agreed to cooperate with U.K. police teams trying to identify BBM users who advocated riots or looting, although the company did not say what type of BBM account information it would disclose.[20]

In the aftermath of the riots, British officials warned that, in the future, the government might request extended police powers to curb unrest, and proposed asking social media providers to restrict access to their services during such emergency situations. Twitter responded by pointing to a blog post from earlier in 2011 affirming the company’s commitment to keeping the service up and running no matter what world-shaking events were being discussed via tweets: “We don’t always agree with the things people choose to tweet, but we keep the information flowing irrespective of any view we may have about the content.”[21]

Security watchers anticipate a tug-of-war between governments—which will increasingly demand access to user data in order to maintain law and order—and privacy advocates, who will protest any such disclosures from technology providers. As an example, India has expressed concern over its ability to access such data (for instance, to track terrorist activity), and has made an agreement with RIM that the government can request the company’s private user data on a case-by-case basis. The European Data Retention Directive, which was created in 2006 and calls for communications data to be retained in case it is needed by law enforcement authorities, has been implemented by some countries in the European Union, yet delayed by others.[22]

“What is clear is that governments globally are struggling to apply the new facts of technology and communications to the underlying principles of law and society,” says Adam Golodner, director of global security and technology policy for Cisco. “This has always been the case as technology moves forward, and in cyber, this application of the new facts to the old principles will be the core policy issue for the foreseeable future.”

18 “Opening Closed Regimes: What Was the Role of Social Media During the Arab Spring?”, Project on Information Technology and Political Islam, http://pitpi.org/index.php/2011/09/11/opening-closed-regimes-what-was-the-role-of-social-media-during-the-arab-spring/
19 “U.K. social media controls point to wider ‘info war’,” by Peter Apps, Reuters, August 18, 2011, http://www.reuters.com/article/2011/08/18/us-britain-socialmedia-idUSTRE77H61Y20110818
20 “London Rioters’ Unrequited Love For BlackBerry,” by Nidhi Subbaraman, FastCompany.com, August 8, 2011, http://www.fastcompany.com/1772171/london-protestors-unrequited-love-for-blackberry

-----

###### Announcing the 2011 Winners of the Cisco Cybercrime Showcase

There will always be villains and heroes, and the security industry is no exception. The cast of characters may change, but every year, malicious actors are doing their best to identify new ways to steal money and information and cause mayhem through online channels—and cybercrime fighters are working tirelessly to thwart them. In this, the third annual Cisco Cybercrime Showcase, we once again recognize representatives from both the “good side” and “bad side” of the security battlefield who have had a notable impact on the cybersecurity landscape, for better and for worse, in the past year.

###### THE GOOD: Microsoft

Microsoft’s technology has always attracted the attention of criminals because of its pervasiveness in the enterprise and among consumers. In particular, botnet owners have exploited the Windows operating system using social engineering, web-based attacks, and unpatched vulnerabilities. In recent years, Microsoft has fought back against botnets in three big ways.

First, Microsoft has dramatically improved product security. Key developments include aggressive vulnerability discovery and weekly patch cycles; implementation of Microsoft Security Development Lifecycle (SDL) to dramatically increase product security; auto-update systems for all of Microsoft’s software products; significant changes to Windows Internet Explorer, including a new security model for ActiveX controls; and development of the Malicious Software Removal Tool (MSRT), which surgically removes malware from PCs. MSRT has been deployed against malware families powering more than 150 of the world’s largest botnets, including Zeus (Zbot), Cutwail, Waledac and Koobface, to remove hundreds of millions of PC malware infections. Cisco research has shown massive declines year over year in web exploit toolkits’ successful exploitation of Microsoft technologies.

Second, Microsoft has led the security community in the fight against cybercrime. Microsoft’s Digital Crimes Unit hosts the annual Digital Crimes Consortium (DCC), which provides an opportunity for law enforcement officials and members of the technology security community to discuss enforcement efforts involving cybercrime worldwide. This year’s event included 340 attendees from 33 countries.

Third, Microsoft has aggressively pursued legal actions against cybercriminals. In 2010, Microsoft took legal action to shut down the Waledac botnet—which had infected hundreds of thousands of computers worldwide and was sending as many as 1.5 billion spam messages daily—by asking a federal judge to file a restraining order against almost 300 Internet domains believed to be controlled by Waledac-related criminals. This action cut off communications between the botnet’s command-and-control centers and its compromised computers, effectively “killing” the botnet.[23]

In early 2011, Microsoft lawyers and U.S. marshals seized command-and-control servers for the Rustock botnet, which were housed at several web-hosting providers across the United States. Malware promulgated by Rustock, which was operated by Russian criminals and mostly delivered fake pharmaceuticals spam, dropped dramatically, and the botnet’s activity slowed to a halt. Additionally, Microsoft offered a US$250,000 reward for information leading to the arrest of Rustock’s creators.[24] According to the Cisco IronPort SenderBase Security Network, since Rustock has been sidelined, daily spam volume worldwide has dropped dramatically.

In September 2011, Microsoft used similar legal tactics to shut down the Kelihos botnet—and in legal filings actually named a defendant for the first time, calling out the alleged owner of the web domain controlling the botnet.[25]

Microsoft’s anti-botnet actions—combined with the company’s record numbers of vulnerability patch releases, which also help clamp down on criminal activity—have turned it into a cybercrime crusader. The company’s Project MARS (Microsoft Active Response for Security), which oversees these botnet takedown efforts, also has shared its findings about botnets with members of the security industry.

23 “Deactivating botnets to create a safer, more trusted Internet,” Microsoft.com: http://www.microsoft.com/mscorp/twc/endtoendtrust/vision/botnet.aspx
24 “Rustock take-down proves botnets can be crippled, says Microsoft,” Computerworld.com, July 5, 2011, http://www.computerworld.com/s/article/9218180/Rustock_take_down_proves_botnets_can_be_crippled_says_Microsoft
25 “How Microsoft Took Down Massive Kelihos Botnet,” The Huffington Post, October 3, 2011, http://www.huffingtonpost.com/2011/10/03/microsoft-kelihos-botnet_n_992030.html

-----

###### THE BAD: Anonymous

Anonymous, described as a “decentralized online community acting anonymously in a coordinated manner,” is a “loose coalition of Internet denizens” that has been around for several years, but making headlines more often lately as the group becomes increasingly associated with collaborative, international hacktivism. (For more on hacktivism, see “Cyber Threat Outlook for 2012: The Hacktivism Factor,” page 22.)

Those who identify with the Anonymous collective are located all over the world and connect with one another through Internet forums, imageboards, and other web-based venues such as 4chan, 711chan, Encyclopedia Dramatica, IRC channels, and even mainstream sites such as YouTube and Facebook. “This is a group that is fairly well organized, yet loosely affiliated,” says Patrick Peterson, senior security researcher for Cisco. “The people involved are highly talented—and incredibly ambitious. In many cases, their actions are not motivated by profit. It’s more a case of ‘Look what I can do.’ And when they’re done, they disassemble and disappear as quickly as they came together.”

In 2011, Anonymous has been associated with a number of high-profile hacking incidents, some announced in advance and all intended to make a statement, including direct attacks on the websites of:

- Numerous U.S. law enforcement organizations, which resulted in the release of peace officer and confidential informant personal information
- The government of Tunisia, as part of the “Arab Spring” movement (see “Social Media Wields ‘Gathering’ Power,” page 23)
- Security firm HBGary Federal
- Sony Computer Entertainment America

What threat does Anonymous pose moving forward? “This group has the ability to inflict real damage,” says Scott Olechowski, threat research manager for Cisco. “Most of what we’ve seen from them so far hasn’t been too extreme—arguably, more disruption than the actual damage they are capable of. You could define them as mischievous right now. But if you add some people into the Anonymous mix who truly want to cause damage—or if the group takes things one step too far when trying to make a statement—there could be a real problem.”

Consider this almost-incident that had the potential to send shockwaves through an already uncertain global economy: In October, factions of Anonymous aimed big by threatening to “erase” the New York Stock Exchange on October 10, 2011, through a distributed DDoS attack in a show of support for the Occupy Wall Street movement.[26] One possible reason the group did not carry through with its promise to bring down the exchange is because “the rallying cry drew out criticism from supporters and detractors alike, with most decrying the effort.”[27] So it would appear that Anonymous, loosely connected as it is right now, can be influenced by its collective conscience not to inflict serious damage—at least, in this case.

26 “‘Anonymous’ Hackers Group Threat to New York Stock Exchange,” by Ned Potter, ABC News, October 10, 2011, http://abcnews.go.com/Technology/anonymous-hackers-threaten-erase-york-stock-exchange-site/story?id=14705072
27 “Blink and You Missed It: Anonymous Attacks NYSE,” by Chris Barth, Forbes.com, October 10, 2011, http://www.forbes.com/sites/chrisbarth/2011/10/10/blink-and-you-missed-it-anonymous-attacks-nyse/

-----

#### The Cisco Cybercrime Return on Investment (CROI) Matrix

financially motivated cybercrime operations, which increasingly are managed and organized in ways similar to sophisticated, legitimate businesses. This matrix specifically highlights the types of aggressive actions Cisco security experts predict cybercriminals are likely to focus most of their resources toward developing, refining, and deploying in the year ahead.

| Quadrant | Techniques |
|---|---|
| Rising Stars | Cloud Infrastructure Hacking; Mobile Devices; Money Laundering (Muling) |
| Potentials | VoIP Abuse; Mass Account Compromise |
| Cash Cows | Web Exploits; Data Theft Trojans; Click/Redirect Fraud; Spyware/Scareware |
| Dogs | Social Networking Attacks; Pharma Spam; Phishing 1.0; Advanced Fee Fraud; DDoS |

Horizontal axis: Scalability/Revenue, Low to High.

_The Cisco CROI Matrix predicts cybercrime techniques that will be “winners” and “losers” in 2012._

Potentials: Mass Account Compromise, a newcomer to this year’s Cisco CROI Matrix, essentially involves cybercriminals “making use of table scraps left from data theft,” according to Patrick Peterson, senior security researcher for Cisco. They piece together information gathered from data theft Trojans to extract low-value username/password credentials. The credentials are then used as “stepping stones” to find credential reuse on a valuable online banking site, or to use webmail credentials to spy on a victim’s personal email in order to lay groundwork for a more aggressive action. “Cybercriminals are looking at the tons and tons of information they’re collecting in a different way. They’re now thinking, ‘Could this webmail or dating site username/password I have be the skeleton key to a high-value account? Or could it be a stepping stone for a webmail exploit that will allow me to do other things, like password resets and reconnaissance, that could lead to even bigger prizes?’” says Peterson.

Cybercriminals are also accelerating investment in VoIP and other telephony abuse techniques. As reported in the Cisco 2010 Annual Security Report, many miscreants already have found success in targeting small or midsize businesses with this technique, causing significant financial losses for some organizations. VoIP Abuse, which was listed as a “Potential” on last year’s matrix, involves the hacking of private branch exchange (PBX) systems. VoIP abusers place fraudulent, long-distance calls—usually international calls. Some criminals use VoIP systems for more sophisticated “vishing” scams (telephone-based phishing), designed to collect sensitive information from users, such as Social Security numbers. Caller ID spoofing attacks against phone-based verification systems are also on the rise.

-----

is expected to remain a key focus area for cybercrime investment in 2012.
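The two “Potentials” above, Mass Account Compromise (leaked low-value credentials replayed against a higher-value login) and VoIP abuse (a hijacked PBX extension placing international calls), seen from the defender’s side. This is an added example, not code from the Cisco report: two detection heuristics over constructed login and call-detail records, sharing one sliding-window helper. The log formats, the thresholds, the “+1” home prefix and the 08:00–18:00 business hours are all assumptions.

```python
"""Detection heuristics for two CROI-matrix techniques, over constructed data.

1. Mass Account Compromise: one source tries many *distinct* accounts in a
   short window, mostly failing, with the occasional hit where a user reused
   a password from a low-value site.
2. VoIP/PBX abuse: a compromised extension placing a burst of international
   calls outside business hours.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed web-login log, "TIMESTAMP key=value ..." (sample data, not real).
AUTH_LOG = """\
2011-11-03T02:10:01 ip=203.0.113.7 user=alice result=FAIL
2011-11-03T02:10:14 ip=203.0.113.7 user=bob result=FAIL
2011-11-03T02:10:29 ip=203.0.113.7 user=carol result=FAIL
2011-11-03T02:10:44 ip=203.0.113.7 user=dave result=FAIL
2011-11-03T02:11:02 ip=203.0.113.7 user=erin result=OK
2011-11-03T02:11:20 ip=203.0.113.7 user=frank result=FAIL
2011-11-03T09:02:10 ip=198.51.100.4 user=alice result=FAIL
2011-11-03T09:02:31 ip=198.51.100.4 user=alice result=OK
"""

# Constructed PBX call detail records; "+1" is the assumed home country prefix.
CDR_LOG = """\
2011-11-05T03:12:05 ext=2041 dst=+8821612345678 dur=610
2011-11-05T03:13:40 ext=2041 dst=+8821612345679 dur=598
2011-11-05T03:15:02 ext=2041 dst=+8821612345680 dur=640
2011-11-05T03:17:55 ext=2041 dst=+8821612345678 dur=603
2011-11-05T03:19:30 ext=2041 dst=+8821612345681 dur=611
2011-11-05T10:05:11 ext=2110 dst=+442079460000 dur=300
2011-11-05T14:30:00 ext=2110 dst=+14155550100 dur=120
2011-11-05T16:45:12 ext=2110 dst=+442079460001 dur=200
"""


def parse_kv_lines(text):
    """Parse 'TIMESTAMP k=v k=v ...' lines into dicts; 'ts' becomes a datetime."""
    events = []
    for line in text.strip().splitlines():
        ts, *pairs = line.split()
        event = {"ts": datetime.fromisoformat(ts)}
        event.update(pair.split("=", 1) for pair in pairs)
        events.append(event)
    return events


def burst_in_window(events, key, window, field=None):
    """Per value of `key`, the largest number of events (or of distinct `field`
    values, when `field` is given) inside any sliding window of length `window`.
    Returns {key_value: (size, window_start)}."""
    by_key = defaultdict(list)
    for event in sorted(events, key=lambda e: e["ts"]):
        by_key[event[key]].append(event)
    best = {}
    for k, evs in by_key.items():
        top = (0, None)
        for i, first in enumerate(evs):          # try every event as window start
            seen, count = set(), 0
            for event in evs[i:]:
                if event["ts"] - first["ts"] > window:
                    break
                count += 1
                if field is not None:
                    seen.add(event[field])
            size = len(seen) if field is not None else count
            if size > top[0]:
                top = (size, first["ts"])
        best[k] = top
    return best


def credential_stuffing_sources(auth_events, window=timedelta(minutes=5),
                                min_accounts=5, min_fail_ratio=0.8):
    """Source IPs that tried >= min_accounts distinct usernames within `window`
    and failed at least min_fail_ratio of their attempts. A legitimate user who
    mistypes a password touches one account, so stays under both bars."""
    spread = burst_in_window(auth_events, "ip", window, field="user")
    flagged = {}
    for ip, (n_users, start) in spread.items():
        attempts = [e for e in auth_events if e["ip"] == ip]
        ratio = sum(e["result"] == "FAIL" for e in attempts) / len(attempts)
        if n_users >= min_accounts and ratio >= min_fail_ratio:
            flagged[ip] = {"distinct_users": n_users,
                           "fail_ratio": round(ratio, 2), "first_seen": start}
    return flagged


def toll_fraud_extensions(cdr_events, home_prefix="+1",
                          window=timedelta(minutes=10), min_calls=4,
                          business_hours=range(8, 18)):
    """Extensions that placed >= min_calls international (non home-prefix) calls
    inside `window` outside business hours: the PBX abuse pattern above."""
    after_hours_intl = [e for e in cdr_events
                        if not e["dst"].startswith(home_prefix)
                        and e["ts"].hour not in business_hours]
    bursts = burst_in_window(after_hours_intl, "ext", window)
    return {ext: {"calls": n, "burst_start": start}
            for ext, (n, start) in bursts.items() if n >= min_calls}
```

On the sample data only 203.0.113.7 (six accounts, five failures in under two minutes) and extension 2041 (five international calls at 03:00) are flagged; the daytime international calls from extension 2110 and the mistyped password from 198.51.100.4 are not.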
Discussed in detail in the Cisco 2010 Annual Security Report, criminals leveraging data theft malware have access to numerous online bank accounts but face a bottleneck in extracting funds safely overseas without leaving a direct trail.[28] Money mules provide this solution. Muling operations have become increasingly elaborate and international in scope recently with some of the best data coming from “Operation Trident Breach,” the arrest of more than 60 cybercriminals who successfully stole US$70 million using money mules.[29] While it is estimated that only one in three money mule transactions are successful—and money mules are easy to arrest, at least in the United States—mule networks continue to grow as real criminals have plenty of bank accounts and mules to burn. A not-so-surprising newcomer among the “Rising Stars” is Mobile Devices, which was listed in the “Potentials” category in the 2010 matrix. Cybercriminals, as a rule, focus their attention on where the users are, and increasingly, people are accessing the Internet, email, and corporate networks via powerful mobile devices. Mobile device attacks have been around for years now, but historically have not been widespread, and were more akin to research projects than successful cybercrime businesses. But that’s changing—fast. Mobile campaigns not only are becoming more prevalent, but also, successful—and therefore, important to cybercriminals. New mobile OS platforms present new security vulnerabilities to exploit. Many cybercriminals are reaping rewards with fake mobile applications that serve up malware. 
And with mobile devices quickly replacing traditional PCs as business computing tools, cybercriminals are investing more resources in developing APTs to exploit two-factor authorization and help them gain access to corporate networks where they can steal data and/or conduct “reconnaissance missions.” and hosted services, cybercriminals are also looking to the cloud in search of moneymaking opportunities with Cloud Infrastructure Hacking. “Criminals see the potential to get more return on their investment with cloud attacks,” says Scott Olechowski, threat research manager for Cisco. “Why focus all your efforts on hacking into one enterprise when you can compromise hosted infrastructure and potentially access information belonging to hundreds or even thousands of companies?” Olechowski adds that recent data security incidents— such as hackers gaining access to customer names and email addresses stored in the systems of email marketer Epsilon Data Management LLC[30]—underscore the growing trend toward “hack one to hack them all.” Cash Cows: Two of 2010’s “Rising Stars”— Data Theft Trojans and Web Exploits—have made their way to the 2011 “Cash Cows” category, as they are now among the favorite moneymakers for cybercriminals. But this move isn’t just because criminals have perfected their skills with these techniques; the prevalence of cheap and easy-to-use web exploit toolkits and data theft Trojan exploits means anyone who wants to get into the game can do so with relatively little effort or investment. Other old favorites such as Spyware/Scareware and Click/Redirect Fraud have lost a little luster, but maintained their role as loyal workhorses for cybercriminals during 2011—and will continue to do so in 2012. Dogs: Two new entrants to the “Dogs” category are Pharma Spam and Advanced Fee Fraud. Pharma spam, a “Cash Cow” in the 2010 Cisco CROI Matrix, has fallen out of favor due to law enforcement activities and botnet shutdowns. 
(See the Cisco Cybercrime Showcase, “The Good: Microsoft,” page 24.) Numerous pharma spam criminals have been arrested or have gone underground to avoid capture, Vrublevsky of RX-Promotions/Eva Pharmacy; Oleg Nikolaenko, operator of the massive Mega-D botnet; Georg Avanesov, operator of the Bredolab botnet; and many others. With so many of the once-massive botnets such as Waledac, Mariposa, Cutwail (reportedly the largest botnet ever), Rustock, Bredolab, and Mega-D either long gone or severely crippled, and authorities more vigilantly scanning the horizon for prolific spammers, pushing out pharma spam simply does not generate the returns it used to for cybercriminals.[31] Meanwhile, another “Cash Cow” from last year, Advanced Fee Fraud, is now making its way toward the exit door. Today’s users are simply better educated— and spam filters are better tuned—which means this technique is no longer delivering significant returns to cybercriminal operations. The labor-intensive “Nigerian prince” scam still runs, but profits continue to decline. Old dogs still hanging around on the matrix are Phishing 1.0 scams and DDoS attacks. Social Networking Attacks continue to take a backseat as users become even savvier about navigating the online “Social Sphere.” Many more users are now instinctively less trusting of others they don’t know who try to interact with them on social networks. They also are taking advantage of privacy controls from their social network providers, and generally, being less open when sharing personal information on these sites. Social networking attacks will not fade away completely, but sophisticated cybercriminals are unlikely to continue investing their resources in refining or expanding such exploits. Making these types of scams work has simply become too labor-intensive and time-consuming, especially now that many in the shadow economy are making a specific effort to be more strategic when investing their resources. 
28 Cisco 2010 Annual Security Report, [www.cisco.com/en/US/prod/collateral/vpndevc/security_annual_report_2010.pdf](http://www.cisco.com/en/US/prod/collateral/vpndevc/security_annual_report_2010.pdf)
29 “Ukraine Detains 5 individuals Tied to $70 million in U.S. eBanking Heists,” Brian Krebs, Krebs on Security blog, October 2, 2010, [http://krebsonsecurity.com/tag/operation-trident-breach/](http://krebsonsecurity.com/tag/operation-trident-breach/)
30 “Breach Brings Scrutiny: Incident Sparks Concern Over Outsourcing of Email Marketing,” by Ben Worth, The Wall Street Journal, April 5, 2011,

#### 2011 Vulnerability and Threat Analysis

The Cisco Annual Security Report provides a comparison of the rise and fall of vulnerabilities and threats by category, as well as the estimated impact of these exploits. The Vulnerability and Threat Categories chart below shows a slight increase in recorded vulnerabilities and threats—a significant trend, since they generally have been on the decline since 2008. One factor causing the increase is vulnerabilities in major software vendors’ open source packages or code, such as those using the open source browser engine WebKit. A single vulnerability in an open source product like WebKit can impact multiple major products and result in multiple advisories, updates, and patches. Apple continued to release large updates this year for several of its products, relating to the inclusion of open source software.

Going into 2012, security experts are watching vulnerabilities in industrial control systems and supervisory control and data acquisition systems, also known as ICS/SCADA systems. These systems present a growing area of concern, and government cyber defense initiatives are focused on addressing these vulnerabilities. As reported in the Cisco 2010 Annual Security Report, the Stuxnet network worm was designed to infect and tamper with these systems.
The good news for 2011 is a decline in basic coding errors: buffer overflows, denial of service, arbitrary code execution, and format string vulnerabilities. However, this does not include vulnerabilities and corrections related to flaws that allow SQL injection attacks, which continue to be a widespread problem.

The Cisco IntelliShield Alert Severity Ratings reflect the impact level of successful vulnerability exploits. In 2011, severity levels continued along a slight decline evident since 2009, which mirrors recent declines in vulnerabilities and threats. Moving forward into 2012, severity levels are expected to remain at current levels, with no widespread attacks or exploits of specific vulnerabilities.

Cisco IntelliShield Alert Urgency Ratings reflect the level of threat activity related to specific vulnerabilities. 2011 is notable for a significant spike in Urgency 3, meaning a limited number of exploits were detected, but additional exploits still could be possible. This increase indicates that while there are a greater number of active threats in circulation on the Internet, they generally do not rise to the level of Urgency 4 (several incidents of exploitation have been reported across a variety of sources) or Urgency 5 alerts (widespread incidents of exploitation have been reported across a variety of sources, and exploits are easy to perform).

[Charts: Vulnerability and Threat Categories, 2009–2011 (Buffer Overflow, Denial of Service, Arbitrary Code Execution, Cross-Site Scripting, Privilege Escalation, Information Disclosure, Software Fault (Vul), Directory Traversal, Unauthorized Access, Spoofing, Format String); Cisco IntelliShield Alert Severity Ratings; Cisco IntelliShield Alert Urgency Ratings]
Threats and exploits also are more narrowly focused, as opposed to widespread exploits involving Internet worms and malicious code. The threats tend to be associated with attack toolkits, which assist in launching attacks using individual vulnerabilities on individual systems. As discussed in the [Cisco 2010 Annual Security Report](http://www.cisco.com/en/US/prod/collateral/vpndevc/security_annual_report_2010.pdf), large botnets such as Zeus—which commandeered as many as 2 million to 3 million computers worldwide—have been used to steal banking information and login data for years. Recently, botnet creators have launched attack toolkits, in which botnet code is built in, enabling the creation of a host of smaller botnets. Instead of just a few very large botnets, usually managed by established criminal enterprises, there are now dozens of smaller botnets engaging in criminal activity.

“When there were only a few large botnets in existence, it was easier to track them and understand how they operated,” says Jeff Shipley, manager for Cisco Security Research and Operations. “The availability of botnet toolkits has greatly increased the number of botnets, allowed more variations, and complicates the task of analyzing their behavior patterns and providing protection from them.” The new smaller botnets still aim to gather bank account information, as the larger Zeus botnets do. However, the number and variety of these smaller botnets make it challenging for security professionals to track their movements.

#### Global Spam Update: Dramatic Decline in Spam Volume

Thanks to criminals’ preference for targeted campaigns, spam does not appear to be as lucrative as it used to be. According to Cisco Security Intelligence Operations (SIO), spam volume dropped from more than 379 billion messages daily to about 124 billion messages daily between August 2010 and November 2011—levels not seen since 2007.

Before 2011, some cybercriminals had already started to shift their focus toward more targeted attacks, using their resources to reach out to specific people in an organization (such as financial or IT personnel) with a scam message designed to obtain sensitive network login data or other account information. Targeted scams need only a single response from a recipient to be considered successful, whereas mass spam campaigns require a much higher response rate to be profitable.

But events over the past year have disrupted traditional spammers’ business models so significantly that many have been forced to channel their resources toward developing targeted attacks. Beginning in 2010 and continuing into 2011, law enforcement authorities and security organizations around the world have been working closely together to shut down or severely limit the activity of some of the biggest spam-sending botnets. SpamIt, a large spam-sending affiliate network, closed down in 2010 after Russian police pressed charges against its owner. In addition, major botnets were crippled or shut down, including Rustock, Bredolab, and Mega-D.

The impact on the business of cybercrime is significant: Cisco SIO estimates that the cybercriminal benefit resulting from traditional mass email-based attacks declined more than 50 percent (on an annualized basis) from June 2010 to June 2011—from US$1.1 billion to US$500 million.[32]

[Chart: daily spam volume, 2010–2011 (scale 0 to 400B). Source: Cisco SIO]

###### Spam Volume by Country: 2011 Highlights

Cisco SIO also tracks spam volume originating from countries worldwide. As of September 2011, India had the highest percentage of spam volume (13.9 percent). In 2010, the country ranked second in overall spam volume, behind the United States, which saw its spam volume drop dramatically from January to September 2011, from 10.1 percent to 3.2 percent. The United States now ranks ninth in total spam volume worldwide.

Holding second place on this year’s list of spam nations is the Russian Federation, with 7.8 percent. Its spam volume increased during the first half of 2011, rising from 7.6 percent in January to a peak of 9 percent in May, but has been experiencing a steady decline in volume since.

Third on the list for 2011 is Vietnam, which, like India and the Russian Federation, was among the top five spam nations in the Cisco 2010 Annual Security Report. Vietnam’s spam volume hovered between 3 and 4 percent for much of the year, but then jumped to nearly 6 percent in August 2011 and grew again to nearly 8 percent in September 2011.

Rounding out this year’s top five spam nations are the Republic of Korea and Indonesia, each with 6 percent in total spam volume, according to Cisco SIO’s research. Neither country appeared among the top 12 spam nations in last year’s report.

China, which was seventh on the list in 2010, maintains the same position in the current lineup. However, while that country’s spam volume has increased only slightly overall, from 3.6 percent in December 2010 to 4.7 percent in September 2011, it was by far the highest-ranking spam nation for a short period this year. From May to June, China’s total spam volume leapt from 1.1 percent to just over 10 percent. Its spam volume peaked at 18 percent in July, and then edged down to 11.5 percent in August before dropping dramatically to 4.7 percent in September.

Cisco SIO’s research also reveals that Brazil had spam volume of about 4.5 percent in September 2011. Brazil now ranks eighth among the top spam nations, after topping the list in 2009 and earning third place on last year’s list. However, the country’s spam volumes did fluctuate throughout 2011, nearly doubling to 8 percent by April 2011 before beginning a steady decline to 4.5 percent.

[Map: top spam nations, September 2011. 1: India; 2: Russian Federation; 3: Vietnam; 4/5: Republic of Korea and Indonesia]
#### The Cisco Global ARMS Race Index

The annual Cisco Global ARMS Race Index, inspired by the Richter Scale used to measure earthquake magnitude, tracks “Adversary Resource Market Share” (ARMS). The index provides a way to measure the overall level of compromised resources worldwide—the networks and machines currently under “adversarial control.” Cisco security experts created the index as a way to gain a better understanding of overall trends based on the global online criminal community’s activities and their rates of success at compromising both enterprise and individual users.

According to data collected for this year’s index, the aggregate number that represents the level of compromised resources at the end of 2011 is 6.5, down slightly from the December 2010 level of 6.8. When the Cisco Global ARMS Race Index debuted in the Cisco 2009 Annual Security Report, the aggregate number was 7.2, which meant enterprise networks at the time were experiencing persistent infections, and consumer systems were infected at levels capable of producing consistent and alarming levels of service abuse. Since then, consumer and enterprise systems have seen a constant decline in infection rate, but levels are still between “capable of producing consistent and alarming levels of service abuse” and “capable of broad (but not sustained) high-level service abuse.” Unfortunately, the magnitude decline does not tell the whole story, as each copy of a criminal’s APT malware is doing far more damage than in years past.

What’s behind this year’s decline in the level of compromised resources worldwide? The decrease in the number of massive botnets driven by law enforcement and botnet takedowns has had a significant impact.
As discussed earlier in this report, sophisticated criminal operations are moving away from the massive botnets commonplace in years past because law enforcement and the security industry are keeping a close watch on this activity. However, many smaller botnets have been developed—with each one capable of inflicting more damage per bot. Additionally, many in the shadow economy now center their efforts on infecting specific high-value targets with APTs and launching targeted attacks that are more likely to yield a lucrative payout. The prevalence of feature-rich data theft malware such as Zeus/SpyEye has enabled many criminal gangs to launch such attacks.

[Figure: Cisco Global ARMS Race Index. December 2009: 7.2; December 2010: 6.8; end of 2011: 6.5. According to the Cisco Global ARMS Race Index, the level of resources under adversarial control worldwide was 6.5 at the end of 2011. This is a decline from the 2010 level of 6.8, showing that infections of enterprise networks and consumer systems are less frequent compared to 12 months ago.]

“The ‘Ocean’s 11’ gangs are out there,” says Patrick Peterson, senior security researcher for Cisco. “They’re focusing tremendous energy on compromising a small number of high-value targets versus the carpet-bombing techniques of the past.”

###### Methodology

To arrive at this year’s measurement on the 10-point Cisco Global ARMS Race Index, Cisco relied on leading botnet-tracking estimates of total bots and other data points derived through internal research and other expert sources, such as The Shadowserver Foundation, which tracks cybercriminal activity and is composed of volunteer security professionals from around the world. The methodology for the Global ARMS Race Index is based on:

- Current aggregate botnet size
- Statistics used to estimate the total number of Internet-connected systems in the world
- Estimates of home and work infection rates, which measure factors such as resource availability

#### The Internet: A Fundamental Human Necessity?

2011 saw the Internet being used in new and powerful ways—in particular, to bring together people on a mass scale to create change that has altered the landscape of our global community. Its influence on our everyday life, both work and personal, is only growing as well. So it begs the question: If we have become so reliant on the Internet and its power to connect us with information and people from anywhere in the world, is it now a fundamental human necessity? According to one in three college students and young professionals surveyed for Cisco’s Connected World study, it is. In fact, they consider it to be as important to their lives as air, water, food, and shelter.

To some, this attitude may seem extreme, but more than likely, it is a view that will be commonplace among those in the next-generation workforce. While today we observe how the line between personal and professional use of the Internet and Web 2.0 tools and technologies is blurring, soon there may be no discernible delineation whatsoever. Meanwhile, there is no question that for today’s businesses, the Internet is a necessity—for both basic operations and competitive advantage. For that reason alone, it would seem there should be no debate in the enterprise around whether any technology that will significantly enhance productivity, efficiency, and innovation—and the satisfaction of workers—should be embraced and put in use strategically throughout the organization.

However, many businesses are finding it difficult to adapt to so much change so quickly. They cite security concerns as a primary hurdle to leveraging new technologies. But many are beginning to understand that a wait-and-see approach, while meant to protect the enterprise and its assets, may actually undermine their competitive edge—if not now, then definitely in the future. Moving too slowly doesn’t just mean that enterprises risk not taking advantage of innovations that can help their business achieve new levels of success. They also risk not being able to recruit or retain their most important asset: talent. As discussed in this report, many of today’s employees would be inclined not to take a job if a potential employer told them their access to corporate networks and applications would be severely limited or prohibited. (See “Remote Access and BYOD: Enterprises Working to Find Common Ground with Employees,” page 10.)

Likewise, more than half of college students surveyed for the Connected World study said if they encountered a company that banned access to social media, they would either not accept a job with that organization, or would join and find a way to access social media despite corporate policies. (See “Social Media: Now It’s a Productivity Tool,” page 8.)

###### “The rapid erosion of this perimeter that took 20 years to build has left many enterprises stunned and feeling vulnerable as they embark on the BYOD journey.” —Ofer Elzam, integrated security solutions architect, Cisco

But many enterprises are trying to change. Cisco security experts interviewed for the 2011 Annual Security Report have reported seeing many firms making strides in both evolving their security model so it is relevant for today’s connected world, and in trying to find common ground with employees who are demanding access to applications and devices that they want to use for work. They’re also re-evaluating their AUPs and business codes of conduct, reinvigorating their DLP efforts, and taking the enterprise security discussion—and the responsibility for preserving desired levels of security—beyond the IT function and into departments throughout the organization, from marketing to human resources and legal right up to the management level.

As we’ve learned in this report, Cisco is among them. Like countless organizations worldwide, it is working to find the right balance between seizing new opportunities and maintaining network and data security. Cisco’s “Any Device” initiative, designed to allow the company’s employees greater choice in devices, while maintaining a common, predictable user experience that maintains or enhances global organizational competitiveness and security, is an important start. However, even building the foundation for movement toward a BYOD model can be a challenge. “Modern smartphones and tablets are a huge IT disruption,” says Ofer Elzam, integrated security solutions architect for Cisco. “Enterprises are conditioned to maintaining a defined security perimeter and fiercely protecting everything inside of it. The rapid erosion of this perimeter that took 20 years to build has left many enterprises stunned and feeling vulnerable as they embark on the BYOD journey.”

In many ways, their feelings of vulnerability are not misplaced. While living in a connected world means we are closer to our co-workers, business partners, customers, friends, and family, we and the organizations we work for and do business with are also within easier reach of the criminal economy. The openness and interconnectedness that mobile devices, social networks, and Web 2.0 applications support provide new avenues for malicious actors to steal from others, disrupt business, or simply, make a statement. Cybercriminals are investing more toward “R&D” to find ways to use mobile devices and penetrate the cloud to seize the data they need to make a profit or undermine a company’s success. And as the hacktivism trend clearly indicates, today’s technology allows like-minded social disrupters and criminals to connect and assemble quickly, anonymously, and unpredictably for a specific goal that may not be motivated by money or have a purpose that is easy for others, including targets, to decipher. “Some of the things we’ve witnessed over the past year are like nothing we’ve ever seen before,” says Gavin Reid, Cisco CSIRT manager. “Some events have been absolutely crushing, and this is not a good sign.”

Like our own planet, the connected world has a light side and dark side at all times. Enterprise security can exist here, but building an effective model requires new thinking as well as some risk-taking—and maintaining it demands more vigilance than ever before. The core challenge for today’s businesses is that they must find the right mix of technology and policy to meet their unique combination of needs. This is not an easy process, but the end result will be a more agile business better prepared to adapt—both swiftly and securely—to changes in technology that tomorrow inevitably will bring.

“The connected world is a more fluid world. And it’s literally ‘sink or swim’ time now for enterprises that have yet to accept that change is no longer just at their door—it’s already in their workplace,” says Chris Young, senior vice president for the Security Group at Cisco. “By embracing the technologies that their employees, and their customers, inevitably will use, enterprises can create a better overall security solution by addressing reality instead of wondering about the ‘what if.’”

#### 2012 Action Items for Enterprise Security

Even though organizations need to develop an approach to network and data security that will support the specific needs of their workforce and help them to achieve key business objectives, there are several things that any enterprise can do to improve its security posture both immediately and over the long term. Following are 10 recommendations from Cisco’s security experts:

###### 1 Assess the totality of your network.

“Know where your IT infrastructure begins and ends—so many enterprises simply have no idea of the entirety of their network. Also, know what your ‘normal’ is so you can quickly identify and respond to a problem.”
John N. Stewart, vice president and chief security officer for Cisco

###### 2 Re-evaluate your acceptable use policy and business code of conduct.

“Get away from the laundry list approach with security policies. Focus only on those things you know you must and can enforce.”
Gavin Reid, Cisco CSIRT manager

###### 3 Determine what data must be protected.

“You cannot build an effective DLP program if you don’t know what information in the enterprise must be secured. You also must determine who in the enterprise is allowed to have access to that information, and how they are allowed to access it.”
David Paschich, web security product manager for Cisco

###### 4 Know where your data is and understand how (and if) it is being secured.

“Identify every third party that has permission to store your company’s data—from cloud providers to email marketers—and confirm that your information is being secured appropriately. Compliance requirements, and now the trend in cybercrime toward ‘hack one to hack them all,’ means enterprises must never assume their data is secure, even when they put it in the hands of those they trust.”
Scott Olechowski, threat research manager for Cisco

###### 5 Assess user education practices.

“Long seminars and handbooks aren’t effective. Younger employees will be more receptive to a targeted approach to user education, with shorter sessions and ‘just-in-time’ training. Peer training also works well in today’s collaborative work environment.”
David Evans, chief futurist for Cisco

###### 6 Use egress monitoring.

“This is a basic thing, but not enough enterprises do it—although compliance demands have more organizations adopting this practice. Egress monitoring is a change in focus from just blocking ‘the bad’ from coming in. You monitor what is being sent out of your organization and by whom and to where—and block things from leaving that shouldn’t be.”
Jeff Shipley, manager for Cisco Security Research and Operations

###### 7 Prepare for the inevitability of BYOD.

“Organizations need to stop thinking about when they are going to move to a BYOD model and start thinking more about how.”
Nasrin Rezai, senior director of security architecture and chief security officer for Cisco’s Collaboration Business Group

###### 8 Create an incident response plan.

“IT-related risk should be treated like any other business risk. This means enterprises need to have a clear plan in place to respond quickly and appropriately to any type of security event, whether it’s a data breach resulting from a targeted attack, a compliance violation due to an employee’s carelessness, or an incident of hacktivism.”
Pat Calhoun, vice president and general manager of Cisco’s Secure Network Services Business Unit

###### 9 Implement security measures to help compensate for lack of control over social networks.

“Do not underestimate the power of technology controls, such as an intrusion prevention system for protecting against network threats. Reputation filtering is also an essential tool for detecting suspicious activity and content.”
Rajneesh Chopra, director of product management, Cisco Security Technology Group

###### 10 Monitor the dynamic risk landscape and keep users informed.

“Enterprises and their security teams need to be vigilant about a much broader range of risk sources, from mobile devices and the cloud to social networking and whatever new technology tomorrow may bring. They should take a two-step approach: reacting to security vulnerability disclosures, while also being proactive about educating their employees on how to protect themselves and the enterprise from persistent and potent cyber threats.”
Ofer Elzam, integrated security solutions architect for Cisco

#### Cisco Security Intelligence Operations

It has become an increasing challenge to manage and secure today’s distributed and agile networks. Online criminals are continuing to exploit users’ trust in consumer applications and devices, increasing the risk to organizations and employees. Traditional security, which relies on layering of products and the use of multiple filters, is not enough to defend against the latest generation of malware, which spreads quickly, has global targets, and uses multiple vectors to propagate.

Cisco stays ahead of the latest threats using real-time threat intelligence from Cisco Security Intelligence Operations (SIO). Cisco SIO is the world’s largest cloud-based security ecosystem, using SensorBase data of almost 1 million live data feeds from deployed Cisco email, web, firewall, and intrusion prevention system (IPS) solutions.

Cisco SIO weighs and processes the data, automatically categorizing threats and creating rules using more than 200 parameters. Security researchers also collect and supply information about security events that have the potential for widespread impact on networks, applications, and devices. Rules are dynamically delivered to deployed Cisco security devices every three to five minutes. The Cisco SIO team also publishes security best practice recommendations and tactical guidance for thwarting threats.

Cisco is committed to providing complete security solutions that are integrated, timely, comprehensive, and effective—enabling holistic security for organizations worldwide.
With Cisco, organizations can save time researching threats and vulnerabilities, and focus more on taking a proactive approach to security.

**Cisco Security IntelliShield Alert Manager Service** provides a comprehensive, cost-effective solution for delivering the vendor-neutral security intelligence organizations need to identify, prevent, and mitigate IT attacks. This customizable, web-based threat and vulnerability alert service allows security staff to access timely, accurate, and credible information about threats and vulnerabilities that may affect their environments. IntelliShield Alert Manager allows organizations to spend less effort researching threats and vulnerabilities, and focus more on a proactive approach to security.

Cisco offers a free 90-day trial of the Cisco Security IntelliShield Alert Manager Service. By registering for this trial, you will have full access to the service, including tools and threat and vulnerability alerts. To learn more about Cisco Security IntelliShield Alert Manager Services, visit: [https://intellishield.cisco.com/security/alertmanager/trial.do?dispatch=4](https://intellishield.cisco.com/security/alertmanager/trial.do?dispatch=4)

For early-warning intelligence, threat and vulnerability analysis, and proven Cisco mitigation solutions, please visit: [www.cisco.com/go/sio](http://www.cisco.com/go/sio).

###### Cisco SecureX

The Cisco SecureX architecture is a next-generation, context-aware framework that meets the evolving security needs of borderless network environments. Unlike legacy security architectures that were built to enforce policies based on a single data point, Cisco SecureX enforces policies based on the full context of the situation. Context-aware policies use a high-level language that aligns closely to business policy. This greatly simplifies policy administration while simultaneously providing more effective security and control. As a result, networks are far more secure, while business efficiency and flexibility are maximized.

The Cisco SecureX architecture:

- Leverages Cisco SIO for robust, real-time insights into the global threat environment.
- Enforces context-aware policy across a wide range of form factors to deliver security flexibly, when and where you need it.
- Enables simplified business policies that will correlate directly between what IT must enforce and the organization’s business rules.
- Manages context-aware security policies throughout the network, providing deep insights into—and effective controls over—who is doing what, when, where, and how.
- Integrates comprehensive, extensible APIs that allow Cisco’s own management systems and partners to plug in and complete the security ecosystem.
- Provides secure access from a full range of devices—from traditional PCs and Mac-based computers, to smartphones, tablets, and other mobile devices—anytime, anywhere.

For more information on Cisco SecureX, go to [www.cisco.com/en/US/netsol/ns1167/index.html](http://www.cisco.com/en/US/netsol/ns1167/index.html).

###### For More Information

**Cisco Security Intelligence Operations** [www.cisco.com/security](http://www.cisco.com/security)
**Cisco Security Blog** [blogs.cisco.com/security](http://blogs.cisco.com/security)
**Cisco Remote Management Services** [www.cisco.com/en/US/products/ps6192/serv_category_home.html](http://www.cisco.com/en/US/products/ps6192/serv_category_home.html)
**Cisco Security Products** [www.cisco.com/go/security](http://www.cisco.com/go/security)
**Cisco Corporate Security Programs Organization** [www.cisco.com/go/cspo](http://www.cisco.com/go/cspo)

Americas Headquarters: Cisco Systems, Inc., San Jose, CA
Asia Pacific Headquarters: Cisco Systems (USA) Pte. Ltd., Singapore
Europe Headquarters: Cisco Systems International BV, Amsterdam, The Netherlands

###### Report available for download at www.cisco.com/go/securityreport

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at [www.cisco.com/go/offices](http://www.cisco.com/go/offices).