Cisco conducted a scan of 115,000 Cisco devices on the internet and found that 92 percent contain at least one vulnerability.
Juniper’s recent disclosure of a three year-old backdoor undermining the encryption on many of its devices demonstrated that enterprise networking equipment can be a juicy target for attackers. Two years ago, the US was also accused of intercepting Cisco devices en route to customers to insert backdoors.
Even before former CIA hand Edward Snowden disclosed details of of US spying, Cisco and its chief security officer John Stewart had been urging customers to upgrade its IOS software to keep hackers at bay. Many avoided doing this due to the potential for network downtime.
However Cisco’s advice has apparently fallen on deaf ears, with the company revealing in its latest security report that its customers are leaving their networks exposed to attackers by running its hardware with software that contains vulnerabilities that are in the public domain.
“We found that 106,000 of the 115,000 devices had known vulnerabilities in the software they were running. That means 92 percent of the Cisco devices on the Internet in our sample are susceptible to known vulnerabilities,” Cisco said in the report.
The company said that on average Cisco devices were running a version of its software that had 26 vulnerabilities. Customers in communications, financial, insurance and retail were the worse offenders, with each on average running versions of Cisco’s software that was more than six years old.
"Many Cisco customers built their network infrastructure a decade ago. Back then, many businesses simply did not account for the fact that they would be 100 percent reliant on that infrastructure. Nor did they anticipate that their infrastructure would become a prime target for adversaries," it said.
The findings cast an interesting light on Cisco’s survey of security professionals, which found they’re now less confident about their security tools and processes than they were a year ago.
The “steady drumbeat” of attacks on high profile attacks last year — including on Ashley Madison, US health insurer Anthem, and Italian lawful intercept vendor Hacking Team — had taken its toll security professionals’ confidence levels, Cisco said.
Collectively, the breaches saw hundreds of millions of records exposed to attackers, while Hacking Team, whose attackers leaked two significant zero day flaws affecting Adobe Flash Player, caused ripples across the internet.
According to Cisco, flagging confidence was reflected by 59 percent of 2,432 respondents saying their organisation's security infrastructure was “very up to date” in 2015, compared to 64 percent of 1,738 responding claiming that same last year.
Still, Cisco’s internet scan of its own devices suggests respondents may still be overconfident about their security processes, despite the decline in confidence.
Though better known for its networking products, Cisco has poured billions into acquiring security technology and talent in the past few years, forking out over $1bn for security companies Lancope and cloud security provider openDNS last year. It also paid $2.7 billion for SourceFire in 2013, which helped Cisco form the elite squad of researchers at its Talos threat intelligence unit.
Cisco’s gamble on security may be vindicated by its findings that organisations are now taking a more structured approach to security. It found that in 2015, 66 percent reported their companies had written a formal security strategy, which was up from 59 percent in 2014.
Its research also found some discord between SecOps managers — the people who respond to day-to-day threats — and chief security officers (CSOs) who take higher level view of security operations.
Cisco notes that 65 percent of CSOs believe their security infrastructure is up to date, while just 54 percent of SecOps managers believe that to be true.
“The confidence of SecOps managers is likely to suffer because they respond to day-to-day security incidents, giving them a less positive view of their security readiness,” said Cisco.
Participate in CSO and Gigamon's survey on Security Priorities today!
Go into the draw for a chance to win an Apple iWatch Sports or the equivalent of $500 Visa Cashcard.
For full terms and conditions click here.
Read more: The week in security: 8 in 10 health apps insecure; ISIS sidesteps backdoor debate