​Cisco: 92 percent of Cisco devices in the wild are vulnerable

Cisco conducted a scan of 115,000 Cisco devices on the internet and found that 92 percent contain at least one vulnerability.

Juniper’s recent disclosure of a three year-old backdoor undermining the encryption on many of its devices demonstrated that enterprise networking equipment can be a juicy target for attackers. Two years ago, the US was also accused of intercepting Cisco devices en route to customers to insert backdoors.

Even before former CIA hand Edward Snowden disclosed details of of US spying, Cisco and its chief security officer John Stewart had been urging customers to upgrade its IOS software to keep hackers at bay. Many avoided doing this due to the potential for network downtime.

However Cisco’s advice has apparently fallen on deaf ears, with the company revealing in its latest security report that its customers are leaving their networks exposed to attackers by running its hardware with software that contains vulnerabilities that are in the public domain.

“We found that 106,000 of the 115,000 devices had known vulnerabilities in the software they were running. That means 92 percent of the Cisco devices on the Internet in our sample are susceptible to known vulnerabilities,” Cisco said in the report.

The company said that on average Cisco devices were running a version of its software that had 26 vulnerabilities. Customers in communications, financial, insurance and retail were the worse offenders, with each on average running versions of Cisco’s software that was more than six years old.

"Many Cisco customers built their network infrastructure a decade ago. Back then, many businesses simply did not account for the fact that they would be 100 percent reliant on that infrastructure. Nor did they anticipate that their infrastructure would become a prime target for adversaries," it said.

The findings cast an interesting light on Cisco’s survey of security professionals, which found they’re now less confident about their security tools and processes than they were a year ago.

The “steady drumbeat” of attacks on high profile attacks last year — including on Ashley Madison, US health insurer Anthem, and Italian lawful intercept vendor Hacking Team — had taken its toll security professionals’ confidence levels, Cisco said.

Read more: The week in security: 8 in 10 health apps insecure; ISIS sidesteps backdoor debate

Collectively, the breaches saw hundreds of millions of records exposed to attackers, while Hacking Team, whose attackers leaked two significant zero day flaws affecting Adobe Flash Player, caused ripples across the internet.

According to Cisco, flagging confidence was reflected by 59 percent of 2,432 respondents saying their organisation's security infrastructure was “very up to date” in 2015, compared to 64 percent of 1,738 responding claiming that same last year.

Still, Cisco’s internet scan of its own devices suggests respondents may still be overconfident about their security processes, despite the decline in confidence.

Though better known for its networking products, Cisco has poured billions into acquiring security technology and talent in the past few years, forking out over $1bn for security companies Lancope and cloud security provider openDNS last year. It also paid $2.7 billion for SourceFire in 2013, which helped Cisco form the elite squad of researchers at its Talos threat intelligence unit.

Cisco’s gamble on security may be vindicated by its findings that organisations are now taking a more structured approach to security. It found that in 2015, 66 percent reported their companies had written a formal security strategy, which was up from 59 percent in 2014.

Its research also found some discord between SecOps managers — the people who respond to day-to-day threats — and chief security officers (CSOs) who take higher level view of security operations.

Cisco notes that 65 percent of CSOs believe their security infrastructure is up to date, while just 54 percent of SecOps managers believe that to be true.

“The confidence of SecOps managers is likely to suffer because they respond to day-to-day security incidents, giving them a less positive view of their security readiness,” said Cisco.

Participate in CSO and Gigamon's survey on Security Priorities today!

Go into the draw for a chance to win an Apple iWatch Sports or the equivalent of $500 Visa Cashcard.

For full terms and conditions click here.

Read more: WordPress patches amid huge spike in redirects to malware sites

Start survey NOW!

Join the CSO newsletter!

Error: Please check your email address.

Tags security professionals​Ciscovulnerable

More about AppleCiscoCSOCustomersGigamonJuniperLancopeVisa

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Liam Tung

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place