Security professionals were less confident in their security infrastructure in 2015 than in 2014, according to a report released today by Cisco.
In 2014, 64 percent of security pros said that their infrastructure was up to date, while only 59 percent felt the same way about 2015. In addition, in 2015, 54 percent said they strongly believe that they do a good job of building security into procedures for acquiring, developing, and maintaining systems, compared with 58 percent in 2014.
"Despite all the hard efforts, there is concern that both the speed at which the technology and capabilities being deployed, and the number of people, qualified individuals to be hired, and the overall approach in the face of an overwhelming number of attacks," said John N. Stewart, chief security and trust officer and senior vice president at Cisco Systems. "This is causing confidence to go down."
Aging infrastructure was another issue raised in the report.
An analysis of more than 115,000 Cisco devices showed that 92 percent were running software with known vulnerabilities, 31 percent were no longer on the market, and 8 percent were "end of life."
The financial services industry has the highest percentage of devices that had passed their last day of support, at 20 percent.
Jason Brvenik, a principal engineer at Cisco, said that the likely explanation for this is that the financial sector has long been an early adopter of technology.
"They have more devices deployed in more places, and would have aging infrastructure," he said.
[ ALSO ON CSO: 10 risky software that have passed their expiration dates ]
On an unrelated note, the Cisco report also uncovered browser extensions as a dangerous attack vector often overlooked by security teams.
According to Cisco, adware and browser injections were among the most difficult threats to detect, taking up to 200 hours. By comparison, downloaders that target Microsoft Word users are typically detected in less than 20 hours.
Security teams often spend less time on adware and browser injections, classifying them as lower priority.
"It's seemingly benign, it seems to offer value to the user, they like to use it," said Brvenik.
But they create invasive paths that attackers can use to install more dangerous applications, he said -- and more than 85 percent of organization were affected by malicious browser extensions.
The main problem, he said, is that many users are running out-of-date browsers that allow these malicious extensions to slip through.
"We know organizations have legacy applications that require them to legacy versions of browsers," he said. "But I advocate that, if you could, you should restrict them from accessing the Internet. They need to deploy a firewall to decide whether a version of a browser is allowed to access the Internet or not. They will significantly reduce their exposure if they enforce that policy."