'Shockers' in Cisco's Year-End Security Report

Datamation content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

Networking giant Cisco today revealed its take on the current state of IT security. The major trends? Vulnerabilities are on the rise, with blended and virtualization attacks becoming increasingly the norm.

According to Cisco, as of the end of October 2008, over 5971 IT vulnerabilities had been tallied, which is a year over year increase of 11.5 percent over the 5353 vulnerabilities for 2007. Cisco also reported a year over year increase of 90 percent in the volume of attacks that come from legitimate domains.

“Even though we were aware of the severity of the threats on the Web and in particular the attacks on legitimate Web sites, the ferocity and volume of those attacks in 2008 was very much of a shock,” Patrick Peterson, Cisco Fellow and chief security researcher, told InternetNews.com. “It really defied all of our worst case scenarios.”

Cisco’s report claims that exploited Web sites in 2008 were responsible for 87 percent of all Web-based threats. Overall Cisco reported that Buffer overflow, Denial of Service (DoS) and Cross Site Scripting (XSS) attacks led the total vulnerability count.

Peterson clarified that volume of reported vulnerabilities is not the same as volume of attacks. Peterson noted that attacks on Web sites in 2008 were primarily by way of SQL injection (define). BusinessWeek Online was among the sites attacked by SQL injection in 2008.

Peterson also pointed the finger at Web browser add-ons, which he argued were easy to exploit in 2008. If attackers want to take advantage of an add-on vulnerability, all they have to do is get the browser to visit a Web page with a malicious code Flash object on it. He added that the problem with add-on vulnerability often stems from the fact that users aren’t always running the most up to date versions of the software.

“Add-on patching and updates don’t seem to have the same kind of rigor or delivery vehicle as more standard apps,” Peterson said. “I just installed Windows Update, but when it comes to something like Flash, the way it gets updated, it doesn’t seem to have the same kind of rigor. It leads people to have an OS {operating system} that is patched but some kind of browser plugin that is not patched and they don’t even know how to get the patch.”

Eric Lawrence, security program manager for Microsoft’s Internet Explorer team, has made a similar argument: that browser add-on security is an issue that exists with the add-on vendors.

Lawrence made his add-on comment during a discussion this year on clickjacking, which is a new attack vector that was not included in Cisco’s report. Peterson explained that details on clickjacking emerged after Cisco began to put together its report.

In a clickjacking attack an attacker hides an object underneath a legitimate object or button, such that a user is completely unaware of what they might be clicking. Peterson commented that he doesn’t believe that clickjacking is currently a widespread attack but that it is a very clever and scary attack vector.

Perhaps more surprising, DNS (define)-related attacks did not happen in a widespread manner in 2008. Security researcher Dan Kaminksy revealed that most DNS servers were at risk from a cache poisoning attack that could have redirected users to arbitrary sites.

This article was first published on InternetNews.com. To read the full article, click here.