Any federal workers taking breaks from their jobs to visit mainstream news websites may be susceptible to exploitation kits just by loading the page, according to a new report from Cisco Systems.
The company released its 2014 Midyear Security Report Tuesday, which focuses on a number of low-key, low-risk vulnerabilities that hackers are using to exploit systems and access data.
Levi Gundert, the technical lead for Cisco’s threat research, analysis and communications team, said cybercriminals are purchasing last-minute ad packages in the hopes that their kits — which may only show up every 100 or 1,000 ad impressions — make it through the exchange’s security measures.
Malvertising then takes it one step further: Even hackers know clickthrough rates for online display ads are infinitesimal, so the exploit kits do not require the user to actually click on an ad.
The malvertising also takes advantage of Internet users’ unfamiliarity with the maze of ad networks that mainstream sites partner with, making it virtually undetectable to the average user’s eye.
“Folks don’t understand the risk, they don’t understand how it works,” Gundert said. “They don’t understand that when you go to CNN.com, they have hundreds of external relationships with parties off the site — content delivery networks, advertising exchanges — that’s the primary mechanism that’s feeding the redirection.”
While Gundert said he has had conversations with leading ad networks to solve the problem, it is crucial that agency chief information security officers and chief information officers take the time to plan for these exploits as workplace culture continues to change.
“So much [security] effort has been put on the perimeter,” he said. “There is no perimeter any more. We all work remotely, we all work on the go, we all work on the road and there are restrictions in government, but they are going to fade over time.”
The reports also highlights a number of rising vulnerabilities, including exploit kits being used on popular content management systems like WordPress. Hackers are becoming particularly adept at cracking sites no longer used in order to have them “upload malicious binaries and use them as exploit delivery sites.”
“There are millions of installations and instances of CMS software and people don’t care about security, they just want to run the site,” Gundert said. “There are fundamental vulnerabilities in older versions, there are vulnerabilities in the third-party add-ons that [hackers] are exploiting.”
Java still hot — for hackers
Java exploits represented 93 percent of all incidents of compromise measured by the company, a 2 percent increase since Cisco’s last report.
“Java’s extensive attack surface and high return on investment are what make it a favorite for adversaries to exploit,” reads the report, which also sais Microsoft Silverlight is a key target for Java exploits.
Can CISOs ever sleep?
The 50-page report, which covers a number of other vulnerabilities, is enough to give any seasoned cybersecurity official a reason to sweat. However, Gundert said the best way to defend against attacks is to expect them, no matter how prepared an agency may be.
“You can absolutely think about threats, you can inspect threats, you can expect that you are going to be compromised and really shorten that detection window,” Gundert said. “I think that’s where people need to focus. As a CISO, you sleep better at night knowing ‘Yes, this is a real attack, this is probably going to happen to us, but we have a very smart team in place and we are going to detect it and its going to be a really short remediation window.’”
You can read Cisco’s full report here.