I found a couple of interesting little tidbits while going through the “Cisco 2014 Annual Security Report”. Before I begin, disclaimer and explainer: keep in mind that I am a contractor for Cisco. However, the 2014 Report is not a Cisco internal document, but is available to the public. You can download it here, though you do have to enter your name and an email address.
Things that I found interesting:
Ninety-nine percent of all mobile malware in 2013 targeted Android devices. Android users also have the highest encounter rate (71 percent) with all forms of web-delivered malware.
You. Don’t. Say.
Spam volume was on a downward trend worldwide in 2013. However, while the overall volume may have decreased, the proportion of maliciously intended spam remained constant.
So we’re winning? Maybe?
Of all the web-based threats that undermine security, vulnerabilities in the Java programming language continue to be the most frequently exploited target by online criminals, according to Cisco data.
More:
Data from Sourcefire, now part of Cisco, also shows that Java exploits make up the vast majority (91 percent) of indicators of compromise (IoCs) that are monitored by Sourcefire’s FireAMP solution for advanced malware analysis and protection (Figure 12).
So should you disable Java? I think Borepatch would probably say “yes”. But this is also interesting:
90 percent of Cisco customers use a version of the Java 7 Runtime Environment, the most current version of the program. This is good from a security standpoint, since this version is likely to offer greater protection against vulnerabilities…
…However, Cisco TRAC/SIO research also shows that 76 percent of enterprises using Cisco solutions are also using the Java 6 Runtime Environment, in addition to Java 7.
JRE6 has been end-of-lifed and is no longer supported. I’m thinking the best practice here is:
1. Carefully evaluate your need for Java.
2. If you do need it, use the most current version.
At 43.8 percent, Andr/Qdplugin-A was the most frequently encountered mobile malware, according to Cisco TRAC/SIO research. Typical encounters were through repackaged copies of legitimate apps distributed through unofficial marketplaces.
“unofficial marketplaces”. You. Don’t. Say.
There’s a lot more in the report, including a brief discussion of Wireshark and Python tools for doing data analysis. I do commend it to your attention, even though my bias here is obvious.
Edited to add: left out one I intended to include.
In a recent project reviewing Domain Name Service (DNS) lookups originating from inside corporate networks, Cisco threat intelligence experts found that in every case, organizations showed evidence that their networks had been misused or compromised.
For example, 100 percent of the business networks analyzed by Cisco had traffic going to websites that host malware, while 92 percent show traffic to webpages without content, which typically host malicious activity. Ninety-six percent of the networks reviewed showed traffic to hijacked servers.
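The kind of DNS-lookup review described above, as an added example that is not code from the report or from Cisco: constructed query-log lines are checked against a constructed, categorised indicator list, giving per-network hit counts and the share of reviewed networks showing each kind of hit. The BIND-style log format, the placeholder domains, the categories and the NETWORKS prefix map are all assumptions.

```python
import re
from collections import defaultdict
# Constructed BIND-style query log lines (not from the report):
# <timestamp> client <ip>#<port>: query: <name> IN <type>
SAMPLE_LOG = """\
12-Feb-2014 09:01:12.101 client 10.1.4.22#51234: query: www.example.com IN A
12-Feb-2014 09:01:15.430 client 10.1.4.22#51240: query: malware-host.example IN A
12-Feb-2014 09:02:03.004 client 10.2.7.9#40001: query: cdn.example.net IN A
12-Feb-2014 09:02:44.871 client 10.2.7.9#40002: query: empty-page.example IN A
12-Feb-2014 09:03:10.222 client 10.3.0.5#50011: query: dl.malware-host.example IN A
"""
# Constructed indicator list (placeholder domains, not real IoCs) and prefix-to-network map.
INDICATORS = {
    "malware-host.example": "malware-hosting",
    "empty-page.example": "no-content-page",
    "hijacked.example": "hijacked-server",
}
NETWORKS = {"10.1.": "finance", "10.2.": "engineering", "10.3.": "sales"}
LINE_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)")

def network_for(ip):
    return next((n for p, n in NETWORKS.items() if ip.startswith(p)), "unknown")

def match_indicator(name):
    """Match the query name or any parent domain (never the bare TLD) against the list."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels) - 1):
        category = INDICATORS.get(".".join(labels[i:]))
        if category:
            return category
    return None

def review_dns_log(log_text):
    """Count indicator-matching queries per network: {network: {category: count}}."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that are not query records
        category = match_indicator(m.group("name"))
        if category:
            hits[network_for(m.group("ip"))][category] += 1
    return {net: dict(cats) for net, cats in hits.items()}

def share_of_networks_with_hits(hits, category=None):
    """Percentage of reviewed networks with at least one hit, optionally in one category."""
    nets = set(NETWORKS.values())
    flagged = {n for n, cats in hits.items() if category is None or category in cats}
    return 100.0 * len(flagged & nets) / len(nets)
```

On the constructed sample, every reviewed network shows at least one query to a malware-hosting domain, which is the shape of finding the report describes.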