
Cisco 2007 Annual Security Report

Title:  Cisco 2007 Annual Security Report

Author:  none

Date:  Winter 2007

Institution:  Cisco Systems, Inc.

Bibliographic Entry:  “Cisco 2007 Annual Security Report.”  Winter 2007.  Cisco Systems, Inc.  Accessed at: http://www.cisco.com/web/about/security/cspo/docs/Cisco2007Annual_Security_Report.pdf (January 7, 2008).

Electronic Link: http://www.cisco.com/web/about/security/cspo/docs/Cisco2007Annual_Security_Report.pdf

Key Words:  cybersecurity, threat trends, physical security, phishing, social engineering attacks, network vulnerability, information security

Summary of Key Issues, Points, Conclusions:

The Cisco 2007 Annual Security Report provides an overview of the combined security intelligence across Cisco organized into seven major risk categories: vulnerability, physical, legal, trust, identity, human, and geopolitical.  The report also provides a high-level perspective on the issues currently shaping the security space, potential trends for the next several years, and policy recommendations.

In particular, in 2007 most corporations based security policy on people with criminal intent motivated by money rather than technology.  Additionally, more and more businesses, governments, and law enforcement agencies recognized the global nature of cybercrime.

The main vulnerability trend was that operating system issues decreased while application attacks rose dramatically.  Other major vulnerability trends included the continued sophistication of malware and of tools that help attackers increase efficiency, and new forms of spam designed to evade filtering.  Physical security trends included the convergence of physical and IP security, heightened effects of natural disasters on businesses, and the emergence of blended physical and online attacks.  Legal trends were an increasing recognition by private organizations, law enforcement agencies, and governments that stopping internet crime requires mature laws, extensive cooperation, and improvements in regulatory compliance.  Additionally, Cisco highlighted that overconfidence in trusted controls and insiders continues to present serious problems.  Identity theft continued to rise and the techniques became more varied.  The global nature of these crimes, poor security controls, flawed payment card industry data standards, and lack of prompt and full disclosure are all problematic trends expected to continue in the battle against identity theft.  The human security aspect showed two major trends: human error leading to major security breaches, and huge increases in phishing and social engineering attacks.  Dominant geopolitical trends included the ongoing threat of terrorism around the world; the continuing ascendance of developing economies; a growing global focus on environmental issues; and the growing recognition of cyberspace as a theater for military action and international espionage.

The following conclusions were drawn after reviewing the above trends.  As these threats evolve and become more targeted, Cisco recommends that security professionals and businesses focus on which targets in their organization will be most attractive.  Additionally, the concept of “information security” is evolving: solutions will need to be comprehensive, and a sense of ownership must be taken in response to the problems.  This is perhaps because across the industry, many businesses spend little on education and awareness.  Finally, Cisco asserts that revolutionary answers may be required to thwart evolving attacks, especially as service availability and network vulnerability come into fundamental conflict.  Until all corporations have a self-defending network, corporations should institutionalize periodic security posture assessments and architectural reviews, and perform evaluations every few months.

Name of Researcher:  Katie Stout

Institution:  Integrative Center for Homeland Security, Texas A&M University

Date Posted:  January 7, 2008