Login
Explore the nature of vulnerabilities in this episode of ThreatWise TV.
It’s shaping up to be another big year for vulnerability disclosure. Already the number of Common Vulnerabilities and Exposures (CVEs) disclosed has crossed 18,000 and it’s on track to make this another record-breaking year.
With new CVEs being disclosed daily, it has become increasingly difficult for security teams to stay abreast of the latest risks, let alone quickly determine which ones apply to their network environment. From those, prioritizing which CVEs to patch first adds an additional wrinkle to the process.
If this wasn’t challenging enough, a curve ball that’s often lobbed at security teams are the “breaking news” vulnerabilities— vulnerabilities picked up by the security media, often with much fanfare. The stories surrounding these high-profile vulnerabilities generally carry an implied threat that the CVE in question will throw the doors wide open to attackers if not addressed immediately. What security team hasn’t had someone from the C-suite share an article they’ve read, asking “are we protected from this?”
On the surface, CVEs that appear severe enough to garner media attention do seem like a good place to start when addressing vulnerabilities in your environment. But vulnerabilities are complicated, and what a security researcher manages to do within a controlled environment doesn’t always translate into real-world attacks. In fact, most disclosed vulnerabilities never see active exploitation. And of those that do, not every vulnerability ends up becoming a tool in an attacker’s arsenal. Bad actors generally follow the path of least resistance when they compromise a network, relying on tested exploits long before trying something new and unproven.
This begs the question: how much overlap is there between the most talked about vulnerabilities and those that are widely used in attacks? Moreover, if media attention isn’t a reliable indicator, what else might predict if a vulnerability will be used in an attack?
To answer these questions, we used intelligence tools available from Cisco’s Kenna Security risk-based vulnerability management (RBVM) software. In particular, Kenna.VI+ consolidates a variety of vulnerability intelligence, where a CVE ID lookup can pull back a wealth of information. In addition to this, Kenna.VI+ includes an API that brings in an additional layer of external threat intelligence, enabling further analysis.
We started with a direct comparison of Successful Exploitations and Chatter Count from within Kenna.VI+. The former is a full count of confirmed exploits within the dataset, while the latter is a count of mentions in the news, social media, various forums, and the dark web.
Our first pass at the data included a comparison of the top 50 CVEs in both Successful Exploitations and Chatter Count. However, there were only two CVEs that overlapped. The data showed that many of the top exploited CVEs were old and predated the data in Chatter Count. We quickly decided that this wasn’t a fair comparison.
To get a better look at more relevant CVEs, we limited the dataset to a range of 10 years. Unfortunately, this did not do much to improve things—only three CVEs showed up in both lists.
A more effective approach was to look at CVEs that we know are actively being exploited. The Cybersecurity and Infrastructure Security Agency (CISA) happens to maintain such a list. The Known Exploited Vulnerabilities (KEV) catalog is considered an authoritative compilation of vulnerabilities identified as being actively exploited in the wild.
Running the KEV catalog though Kenna.VI+ resulted in six CVEs that appeared in the top 50 for both lists, with a single overlap in the top 10. This leads us to conclude that the vulnerabilities with the most discussion are not the same as those being actively exploited in the majority of cases.
| CVE | Brief description | |
| 1 | CVE-2017-9841 | PHPUnit vulnerability (used to target popular CMSes) |
| 2 | CVE-2021-44228 | Log4j vulnerability |
| 3 | CVE-2019-0703 | Windows SMB information disclosure vulnerability |
| 4 | CVE-2014-0160 | Heartbleed vulnerability |
| 5 | CVE-2017-9805 | REST plugin in Apache Struts vulnerability |
| 6 | CVE-2017-11882 | Microsoft Office memory corruption vulnerability |
| 7 | CVE-2017-5638 | Apache Struts vulnerability (used in Equifax breach) |
| 8 | CVE-2012-1823 | 10-year-old PHP vulnerability |
| 9 | CVE-2017-0144 | EternalBlue vulnerability |
| 10 | CVE-2018-11776 | Apache Struts RCE vulnerability |
| CVE | Brief description | |
| 1 | CVE-2021-26855 | Microsoft Exchange vulnerability (used in Hafnium attacks) |
| 2 | CVE-2021-40444 | Microsoft MSHTML RCE vulnerability |
| 3 | CVE-2021-26084 | Confluence Server and Data Center vulnerability |
| 4 | CVE-2021-27065 | Microsoft Exchange vulnerability (used in Hafnium attacks) |
| 5 | CVE-2021-34473 | Microsoft Exchange vulnerability (used in Hafnium attacks) |
| 6 | CVE-2021-26858 | Microsoft Exchange vulnerability (used in Hafnium attacks) |
| 7 | CVE-2021-44228 | Log4j vulnerability |
| 8 | CVE-2021-34527 | One of the PrintNightmare vulnerabilities |
| 9 | CVE-2021-41773 | Apache HTTP Server vulnerability |
| 10 | CVE-2021-31207 | One of the ProxyShell vulnerabilities |
Despite the lack of overlap, there are many well-known vulnerabilities at the top of both lists. Heartbleed and EternalBlue appear on the top 10 exploited list, while Hafnium, PrintNightmare, and ProxyShell make the top 10 most talked about CVEs.
The Log4j vulnerability is the only CVE that appears in both lists. This isn’t surprising considering the ubiquity of Log4j in modern software. It’s the second-most exploited vulnerability—far outpacing the CVEs directly below it. This, coupled with its appearance in the chatter list, puts it in a class of its own. In a brief period, it’s managed to outpace older CVEs that are arguably just as well known.
The CVE that recorded the most successful exploitations is a five-year-old vulnerability in PHPUnit. This is a popular unit-testing framework that’s used by many CMSes, such as Drupal, WordPress, MediaWiki, and Moodle.
Since many websites are built with these tools, this exploit can be a handy vector for gaining initial access to unpatched webservers. This also lines up with research we conducted last year, where this vulnerability was one of the most common Snort detections seen by Cisco Secure Firewall.
All four of the Microsoft Exchange Server vulnerabilities used in the Hafnium attacks appear in the most talked about list of CVEs. However, even when you add all four of these CVEs together, they still don’t come anywhere close to the counts seen in the top exploited CVEs.
If media attention is not a good predictor of use for exploitation, then what are the alternatives?
The Common Vulnerability Scoring System (CVSS) is a well-known framework for gauging the severity of vulnerabilities. We looked for CVEs from the KEV catalog that were ranked as “critical”—9.0 and above in the CVSSv3 specification. Examining the entire KEV catalog, 28% of the CVEs have a score of 9.0 or higher. Of the top 50 successfully exploited, 38% had such scores.
This is an improvement, but the CVSSv3 specification was released in 2015. Many CVEs in the KEV catalog predate this—19% of the entire catalog and 28% of the top 50—and have no score.
Using the previous CVSS specification does fill this gap—36% overall and 52% of the top 50 score 9.0 or higher. However, the older CVSS specification comes with its share of issues as well.
Another indicator worth exploring is remote control execution (RCE). A vulnerability with RCE grants an attacker the ability to access and control a vulnerable system from anywhere. It turns out that 45% of the CVEs in our dataset allow for RCE, and 66% of the top 50, making it the most worthwhile indicator analyzed.
Let’s summarize how we’ve honed our approach to determine if media attention and exploitation line up:
| Data set | Exploitation and Chatter lists | Number of CVEs |
| All CVEs | Appears in both top 50 | 2 |
| Appears in both top 50 (last 10 years) | 3 | |
| KEV Catalog | Appears in both top 50 | 6 |
| Appears in both top 10 | 1 |
And here’s a summary of our look at other indicators:
| KEV Catalog | Top 50 exploited | |
| CVSSv3 (9.0+) | 28% | 38% |
| CVSS (9.0+) | 36% | 52% |
| Allows for RCE | 45% | 66% |
All of this analysis provides a clear answer to our original question—the most regularly exploited CVEs aren’t the most talked about. Additional work highlights that monitoring variables like RCE can help with prioritization.
For illustrative purposes we’ve only looked at a few indicators that could be used to prioritize CVEs. While some did better than others, we don’t recommend relying on a single variable in making decisions about vulnerability management. Creating an approach that folds in multiple indicators is a far better strategy when it comes to real-world application of this data. And while our findings here speak to the larger picture, every network is different.
Regardless of which list they appear on, be it Successful Exploitations or Chatter Count, it’s important to point out that all these vulnerabilities are serious. Just because Hafnium has more talk than Heartbleed doesn’t make it any less dangerous if you have assets that are vulnerable to it. The fact is that while CVEs with more talk didn’t make the top of the exploitation list, they still managed to rack up tens of thousands of successful exploitations.
It’s important to know how to prioritize security updates, fixing those that expose you to the most risk as soon as possible. From our perspective, here are some basic elements in the Cisco Secure portfolio that can help.
Kenna Security, a pioneer in risk-based vulnerability management, relies on threat intel and prioritization to keep security and IT teams focused on risks. Using data science, Kenna processes and analyzes 18+ threat and exploit intelligence feeds, and 12.7+ billion managed vulnerabilities to give you an accurate view of your company’s risk. With our risk scoring and remediation intelligence, you get the info you need to make truly data-driven remediation decisions.
To responsibly protect a network, it’s important to monitor all assets that connect to it and ensure they’re kept up to date. Duo Device Trust can check the patch level of devices for you before they’re granted access to connect to corporate applications or sensitive data. You can even block access and enable self-remediation for devices that are found to be non-compliant.
How about remote workers? By leveraging the Network Visibility Module in Cisco Secure Client as a telemetry source, Cisco Secure Cloud Analytics can capture endpoint-specific user and device context to supply visibility into remote worker endpoint status. This can bolster an organization’s security posture by providing visibility on remote employees that are running software versions with vulnerabilities that need patching.
Lastly, for some “lateral thinking” about vulnerability management, take a look at this short video of one of our Advisory CISOs, Wolfgang Goerlich. Especially if you’re a fan of the music of the 1920s…
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
We’ve been talking a lot about security resilience recently, and for good reason. It’s clear the only way businesses can operate in today’s hybrid world is by taking bold steps to increase visibility, awareness, and integration across their systems. All while maintaining a singular goal of becoming more resilient in the face of evolving threats. But that doesn’t just mean expanding the scope of your security stack. It also means examining the resilience of other pillars of your business, like operations, organizational structure, financial processes, and supply chain functions.
If threats do compromise your business, time is of the essence when it comes to detection, response, and recovery. The longer an organization is unable to operate normally, the more at risk it becomes for damaging financial losses. As Diana Kelley, CSO and CISO at Cybrize notes, “it’s not about giving up, it’s about being better prepared.” Financial and security resilience go together, you can’t have one without the other and both are incredibly important for businesses of all sizes.
While recovering from an attack is important for maintaining resilience, a key feature of strong operational resilience is a business’s ability to operate through adverse conditions, not just recover well after the fact. Trina Ford, SVP and CISO at AEG, notes the importance of “preparedness so that your business can continue to thrive” while your security team addresses threats.
It also relies heavily upon strong staffing models because people are a critical part of any business’s day-to-day operations. What happens when someone is out sick, or is unable to access the necessary tools to do their job? Operational resilience means having a plan in place to be prepared for these situations.
In this video, CISOs and other security professionals explain what operational resilience means to them and why it’s a necessary component of overall security resilience:
If the past few years have taught us anything, it’s that supply chains are fragile. But there are ways to prepare for disruption, such as minimizing negative outcomes like production delays, infrastructure weaknesses, and increasingly complex logistics. When it comes to security resilience, supply chains are important because they expand the attack surface to any third party in your network. Oftentimes, this is where businesses have the lowest visibility, making it hard to detect and respond to threats. Supply chain resilience means preparing for these challenges before they cause real damage and having contingency plans in place.
According to Helen Patton, CISO of the SBG, “security is a risk business”. We couldn’t agree more. In the context of organizational resilience, this means dedicating resources to the areas of the business that are creating the most value and protecting those to minimize the risk of damage from potential threats.
With hybrid work here to stay, the threat landscape is expanding quickly, and security teams are working constantly to stay up to date on the latest attacks. But defending against everything all the time is impossible, so it’s necessary to make informed decisions about how to dedicate resources efficiently. The goal is to maximize flexibility and agility to enable security teams to act confidently when, not if, a threat lands.
Avoiding cyberattacks 100% of the time is impossible, but by ensuring the integrity of each part of your business, you can address threats confidently and emerge stronger. Investing in security resilience will strengthen your business in each of these areas, and help you better prepare for the challenges ahead.
Learn more about how Cisco Secure can help you at any step of the journey.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
Self-awareness goes a long way in determining your next professional steps. While job searching, it’s critical to identify how to leverage your transferable skills and network, while also evaluating what environmental factors of work and work culture matter to you most. Learn what it’s like to work at Cisco and the top 10 ways to suss out a workplace that suits your needs from leaders at Cisco Secure, Cisco Talos and Duo Security.
First things first. Emily Reid, the newly appointed director of employee experience at Cisco Secure who came from Duo Security, advises, “Do your own research to see how the company and their employees describe the culture publicly — on the company’s website and through other sites, articles and resources. For tech companies specifically I always think, “What else do you have beyond the ping-pong table?”’
The interview process is the next key opportunity to find out what culture is like beyond amenities. To gain multiple perspectives, Reid recommends asking about company culture in every interview you have.
The question at the top of Reid’s list: Do you have programs and resources to support the development and success of your employees? “I want to know how a company will be investing in my career growth and if I will feel welcome and included as part of the team. Seeing what a company chooses to center and highlight when describing their culture is usually very telling,” she said.
Interning at a company is another way to get firsthand knowledge and can lead to full-time employment. “several former interns are now people leaders managing their own teams — and their own interns — coming full circle,” Reid said.
Knowing that there is safety and support in bringing your whole self to work is vital. What policies, programs and initiatives are in place that demonstrate an organization’s commitment to diversity, equity, inclusion and belonging?
Cisco’s ongoing commitments to social justice and pay parity include twelve action steps as part of Cisco’s Social Justice Blueprint. Cultivating a conscious culture includes on-going dialogue, programs and events meant to increase equality. Employee Resource Organizations and mentorship programs provide more opportunities to build community and share knowledge, resources and advocacy.
What environment allows you to do your best work? Also consider what perks and processes an employer offers to enhance flexibility and adaptability. During the pandemic, Duo and Cisco transitioned all global events, training and professional development workshops to fully virtual. As in person options resumed following the pandemic, all events are designed to ensure an inclusive experience no matter where you’re joining from.
“We don’t want to go back to a world where people not based in an office feel like they are getting a lesser experience,” Reid said.
Considering how to make programs and information accessible to employees regardless of where they work is also important to Sammi Seaman, team lead of employee experience at Cisco Talos. She’s currently spearheading a new hire program that is “more inclusive of folks whether they’re office based, remote or somewhere across the world.”
It’s essential to consider how you want your life and work to intersect, particularly as hybrid work becomes more popular. How important is paid time off, flexible work options or a consistent structure?
Cisco Secure offers “Days for Me,” days off for employees to decompress and do something to fill their cups. Monthly “Focus Days” are days without meetings, so employees can prioritize the projects that need attention.
Curran recalls one candidate who, despite multiple offers from competitors, chose Cisco Secure because of the flexible work environment: “This person has a young child and felt that the “Days for Me” and flexibility to work from home in a hybrid situation would work best for his career long-term.”
As Reid’s team helps lead the transition to hybrid work, the book Out of Office: The Big Problem and Bigger Promise of Working From Home by Charlie Warzel and Anne Helen Petersen has been inspiring. The book “does an amazing job of sharing a vision for an inclusive future that empowers employees to be successful and have a ‘work/life balance’ that truly works,” Reid said.
Currently Cisco Secure offers a hybrid model while many employees still work remotely. In terms of maintaining accessibility through this transition, Marketing Specialist Julie Kramer advocated for more accessibility and saw changes at Cisco as a result.
“Webex pre-COVID didn’t have any closed captioning. So, another deaf person and I reached out and closed captioning and the transcript option got added,” Kramer shared.
Kramer prefers to have high-quality and frequently the same interpreters who “know the terminology for my job, marketing and technology. In business, the security and marketing industry can really talk fast, so you need a high-quality interpreter that can keep up and one that is qualified and certified,” she said.
Consider what pace of your specific role and within an industry is needed for you to feel engaged without overwhelmed. While different roles within the same organization and industry may run at different paces, it’s important to tune into what might be expected on your potential new team.
Seaman finds that the fast pace of cybersecurity can be “delightful and challenging. There’s a lot of fast-paced pivoting that happens, which makes for an interesting workplace because two days are never the same,” she said.
Do you prefer a hierarchical structure, or one that is more flat? Are you most effective and fulfilled riding solo, or while consistently connecting with coworkers? Does contributing your ideas make you feel empowered?
At Cisco Secure, there is space to join conversations. “No matter where you sit in the company, you have a voice and can speak up and collaborate and self-organize on a project. It feels like a bunch of really hard working, humble, smart people who are trying to solve problems together,” said Manager of Duo’s Global Knowledge and Communities Team Kelly Davenport.
To enhance communication and knowledge among distributed teams, Seaman started a dialogue series called “The More You Know.” Questions include: What do you do? How do you do it? How can that help other parts of Cisco Talos? The conversations lead to future collaboration and resource sharing.
Do you want to grow professionally and increase your skills and knowledge? A culture of teaching and learning within an organization can help hone and expand your skills and connections.
Lead of Strategic Business Intelligence Ashlee Benge finds the security world “very dynamic. You really can never stop learning. Within Cisco Talos, the people around me are such smart, dedicated people that there’s really a lot that you can gain from just being involved in the group as a whole.”
For Seaman, who didn’t come from a technical background, Cisco Talos offered opportunities to expand her technical knowledge, including from colleagues. “Coming into Cisco Talos, people are like, “Here, let me teach you. You can totally do this. Just because you didn’t know how to do it doesn’t mean you can’t learn. Let’s go,” Seaman shared. Seaman’s colleagues have also learned from her expertise in information and knowledge management given her background as a librarian.
More formally, the Learning and Development team recently launched a comprehensive talent development program with enablement resources and support for people leaders. Aspects include: “really thoughtful templates for employees to use with their manager to talk through career goals, development areas, and to define an actionable investment plan. These resources are fueling great career conversations, strong alignment, and thoughtful development plans,” Reid said.
Do you want to refine your skills within your wheelhouse? Or are you driven to try new tasks and potentially change roles within your next organization?
Benge, whose background is in computational astrophysics, has found her interests shift from technical security research to business strategy and data science. At Cisco Talos, she’s been involved in everything from detection research and threat hunting, to community outreach, conference talks and traveling to support sales engagements. Currently, she’s helping to lead threat hunting in Ukraine.
“My leaders have always made it very clear that if there’s an interest, it’s okay to pursue it and it doesn’t have to necessarily be within the scope of my role. Having that freedom to pursue interests within the industry has been really engaging,” Benge said.
In addition to company values and mission statements, leaders and employees contribute to an organization’s culture every day. If you want to enhance your company’s culture, participate.
“Feedback on what employees want to see is crucial,” Reid said. “The easiest way to contribute to developing culture and a positive employee experience in your workplace is to add to what’s already happening! Culture takes participation and ownership from all employees.”
Reid shared that in performance reviews at Cisco, “‘Team Impact” is equally as important as “Results.” Contributing positively to company culture should contribute to performance reviews and promotion justification,” she said.
To learn more about Cisco’s company culture and how you can contribute to it, check out our open roles.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
Security tools are only as good as the intelligence and expertise that feeds them. We’re very fortunate to have our security technologies powered by Cisco Talos, one of the largest and most trusted threat intelligence groups in the world. Talos is comprised of highly skilled researchers, analysts, and engineers who provide industry-leading visibility, actionable intelligence, and vulnerability research to protect both our customers and the internet at large.
The Talos team serves as a crucial pillar of our innovation — alerting customers and the public to new threats and mitigation tactics, enabling us to quickly incorporate protection into our products, and stepping in to help organizations with incident response, threat hunting, compromise assessments and more. Talos can also be found securing large-scale events such as the Super Bowl, and working with government and law enforcement organizations across the globe to share intelligence.
With Cisco’s vast customer base and broad portfolio — from routers and switches to email and endpoints — Talos has visibility into worldwide telemetry. Once a threat is seen, whether it’s a phishing URL or an IP address hosting malware, detections are created and indicators of compromise are categorized and blocked across our Cisco Secure portfolio.
Talos also leverages its unique insights to help society as a whole better understand and combat the cyberattacks facing us daily. During the war in Ukraine, the group has taken on the additional task of defending over 30 critical infrastructure providers in the country by directly managing and monitoring their endpoint security.
The reality of security today is that organizations must be constantly ready to detect and contain both known and unknown threats, minimize impact, and keep business going no matter what happens in the cyber realm. In light of hybrid work, evolving network architectures, and increasingly insidious attacks, all organizations must also be prepared to rapidly recover if disaster strikes, and then emerge stronger. We refer to this as security resilience, and Talos plays a critical role in helping our customers achieve it.
For several years, our integrated, cloud-native Cisco SecureX platform has been delivering extended detection and response (XDR) capabilities and more. SecureX allows customers to aggregate, analyze, and act on intelligence from disparate sources for a coordinated response to cyber threats.
Through the SecureX platform, intelligence from Talos is combined with telemetry from our customers’ environments — including many third-party tools — to provide a more complete picture of what’s going on in the network. Additionally, built-in, automated response functionality helps to speed up and streamline mitigation. This way, potential attacks can be identified, prioritized, and remediated before they lead to major impact.
For XDR to be successful, it must not only aggregate data, but also make sense of it. Through combined insights from various resources, SecureX customers obtain the unified visibility and context needed to rapidly prioritize the right threats at the right time. With SecureX, security analysts spend up to 90 percent less time per incident.
One of Australia’s largest universities, Deakin University, needed to improve its outdated security posture and transition from ad hoc processes to a mature program. Its small security team sought an integrated solution to simplify and strengthen threat defense.
With a suite of Cisco security products integrated through SecureX, Deakin University was able to reduce the typical investigation and response time for a major threat down from over a week to just an hour. The university was also able to decrease its response time for malicious emails from an hour to as little as five minutes.
“The most important outcome that we have achieved so far is that security is now a trusted function.”
– Fadi Aljafari, Information Security and Risk Manager, Deakin University
Also in the education space, AzEduNet provides connectivity and online services to 1.5 million students and 150,000 teachers at 4,300 educational institutions in Azerbaijan. “We don’t have enough staff to monitor every entry point into our network and correlate all the information from our security solutions,” says Bahruz Ibrahimov, senior information security engineer at AzEduNet.
The organization therefore implemented Cisco SecureX to accelerate investigations and incident management, maximize operational efficiency with automated workflows, and decrease threat response time. With SecureX, AzEduNet has reduced its security incidents by 80 percent.
“The integration with all our Cisco Secure solutions and with other vendors saves us response and investigation time, as well as saving time for our engineers.”
– Bahruz Ibrahimov, Senior Information Security Engineer, AzEduNet
The sophistication of attackers and sheer number of threats out there today make it extremely challenging for most cybersecurity teams to effectively stay on top of alerts and recognize when something requires their immediate attention. According to a survey by ESG, 81 percent of organizations say their security operations have been affected by the cybersecurity skills shortage.
That’s why Talos employs hundreds of researchers around the globe — and around the clock — to collect and analyze massive amounts of threat data. The group uses the latest in machine learning logic and custom algorithms to distill the data into manageable, actionable intelligence.
“Make no mistake, this is a battle,” said Nick Biasini, head of outreach for Cisco Talos, who oversees a team of global threat hunters. “In order to keep up with the adversaries, you really need a deep technical understanding of how these threats are constructed and how the malware operates to quickly identify how it’s changing and evolving. Offense is easy, defense is hard.”
Earlier this year, we unveiled our strategic vision for the Cisco Security Cloud to deliver end-to-end security across hybrid, multicloud environments. Talos will continue to play a pivotal role in our technology as we execute on this vision. In addition to driving protection in our products, Talos also offers more customized and hands-on expertise to customers when needed.
Cisco Talos Incident Response provides a full suite of proactive and emergency services to help organizations prepare for, respond to, and recover from a breach — 24 hours a day. Additionally, the recently released Talos Intel on Demand service delivers custom research unique to your organization, as well as direct access to Talos security analysts for increased awareness and confidence.
Visit our dedicated Cisco Talos web page to learn more about the group and the resources it offers to help keep global organizations cyber resilient. Then, discover how XDR helps Security Operations Center (SOC) teams hunt for, investigate, and remediate threats.
Watch video: What it means to be a threat hunter
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
During our threat hunting exercises in recent months, we’ve started to observe a distinguishing pattern of msiexec.exe usage across different endpoints. As we drilled down to individual assets, we found traces of a recently discovered malware called Raspberry Robin. The RedCanary Research Team first coined the name for this malware in their blog post, and Sekoia published a Flash Report about the activity under the name of QNAP Worm. Both articles offer great analysis of the malware’s behavior. Our findings support and enrich prior research on the topic.
Raspberry Robin is a worm that spreads over an external drive. After initial infection, it downloads its payload through msiexec.exe from QNAP cloud accounts, executes its code through rundll32.exe, and establishes a command and control (C2) channel through TOR connections.
Let’s walkthrough the steps of the kill-chain to see how this malware functions.
Raspberry Robin is delivered through infected external disks. Once attached, cmd.exe tries to execute commands from a file within that disk. This file is either a .lnk file or a file with a specific naming pattern. Files with this pattern exhibit a 2 to 5 character name with an usually obscure extension, including .swy, .chk, .ico, .usb, .xml, and .cfg. Also, the attacker uses an excessive amount of whitespace/non printable characters and changing letter case to avoid string matching detection techniques. Example command lines include:
File sample for delivery can be found in this URL:
https://www.virustotal.com/gui/file/04c13e8b168b6f313745be4034db92bf725d47091a6985de9682b21588b8bcae/relations
Next, we observe explorer.exe running with an obscure command line argument, spawned by a previous instance of cmd.exe. This obscure argument seems to take the name of an infected external drive or .lnk file that was previously executed. Some of the samples had values including USB, USB DISK, or USB Drive, while some other samples had more specific names. On every instance of explorer.exe we see that the adversary is changing the letter case to avoid detection:
After delivery and initial execution, cmd.exe spawns msiexec.exe to download the Raspberry Robin payload. It uses -q or /q together with standard installation parameter to operate quietly. Once again, mixed case letters are used to bypass detection:
As you can see above, URLs used for payload download have a specific pattern. Domains use 2 to 4 character names with obscure TLDs including .xyz, .hk, .info, .pw, .cx, .me, and more. URL paths have a single directory with a random string 11 characters long, followed by hostname and the username of the victim. On network telemetry, we also observed the Windows Installer user agent due to the usage of msiexec.exe. To detect Raspberry Robin through its URL pattern, use this regex:
^http[s]{0,1}\:\/\/[a-zA-Z0-9]{2,4}\.[a-zA-Z0-9]{2,6}\:8080\/[a-zA-Z0-9]+\/.*?(?:-|\=|\?).*?$
If we look up the WHOIS information for given domains, we see domain registration dates going as far back as February 2015. We also see an increase on registered domains starting from September 2021, which aligns with initial observations of Raspberry Robin by our peers.
| WHOIS Creation Date | Count |
| 12/9/2015 | 1 |
| … | … |
| 10/8/2020 | 1 |
| 11/14/2020 | 1 |
| 7/3/2021 | 1 |
| 7/26/2021 | 2 |
| 9/11/2021 | 2 |
| 9/23/2021 | 9 |
| 9/24/2021 | 6 |
| 9/26/2021 | 4 |
| 9/27/2021 | 2 |
| 11/9/2021 | 3 |
| 11/10/2021 | 1 |
| 11/18/2021 | 2 |
| 11/21/2021 | 3 |
| 12/11/2021 | 7 |
| 12/31/2021 | 7 |
| 1/17/2022 | 6 |
| 1/30/2022 | 11 |
| 1/31/2022 | 3 |
| 4/17/2022 | 5 |
Table 1: Distribution of domain creation dates over time
Associated domains have SSL certificates with the subject alternative name of q74243532.myqnapcloud.com, which points out the underlying QNAP cloud infra. Also, their URL scan results return login pages to QTS service of QNAP:
Once the payload is downloaded, it is executed through various system binaries. First, rundll32.exe uses the ShellExec_RunDLL function from shell32.dll to leverage system binaries such as msiexec.exe, odbcconf.exe, or control.exe. These binaries are used to execute the payload stored in C:\ProgramData\[3 chars]\
It is followed by the execution of fodhelper.exe, which has the auto elevated bit set to true. It is often leveraged by adversaries in order to bypass User Account Control and execute additional commands with escalated privileges [3]. To monitor suspicious executions of fodhelper.exe, we suggest monitoring its instances without any command line arguments.
Raspberry Robin sets up its C2 channel through the additional execution of system binaries without any command line argument, which is quite unusual. That likely points to process injection given elevated privileges in previous steps of execution. It uses dllhost.exe, rundll32.exe, and regsvr32.exe to set up a TOR connection.
In Cisco Global Threat Alerts available through Cisco Secure Network Analytics and Cisco Secure Endpoint, we track this activity under the Raspberry Robin threat object. Image 3 shows a detection sample of Raspberry Robin:
Raspberry Robin tries to remain undetected through its use of system binaries, mixed letter case, TOR-based C2, and abuse of compromised QNAP accounts. Although we have similar intelligence gaps (how it infects external disks, what are its actions on objective) like our peers, we are continuously observing its activities.
| Type | Stage | IOC |
| Domain | Payload Delivery | k6j[.]pw |
| Domain | Payload Delivery | kjaj[.]top |
| Domain | Payload Delivery | v0[.]cx |
| Domain | Payload Delivery | zk4[.]me |
| Domain | Payload Delivery | zk5[.]co |
| Domain | Payload Delivery | 0dz[.]me |
| Domain | Payload Delivery | 0e[.]si |
| Domain | Payload Delivery | 5qw[.]pw |
| Domain | Payload Delivery | 6w[.]re |
| Domain | Payload Delivery | 6xj[.]xyz |
| Domain | Payload Delivery | aij[.]hk |
| Domain | Payload Delivery | b9[.]pm |
| Domain | Payload Delivery | glnj[.]nl |
| Domain | Payload Delivery | j4r[.]xyz |
| Domain | Payload Delivery | j68[.]info |
| Domain | Payload Delivery | j8[.]si |
| Domain | Payload Delivery | jjl[.]one |
| Domain | Payload Delivery | jzm[.]pw |
| Domain | Payload Delivery | k6c[.]org |
| Domain | Payload Delivery | kj1[.]xyz |
| Domain | Payload Delivery | kr4[.]xyz |
| Domain | Payload Delivery | l9b[.]org |
| Domain | Payload Delivery | lwip[.]re |
| Domain | Payload Delivery | mzjc[.]is |
| Domain | Payload Delivery | nt3[.]xyz |
| Domain | Payload Delivery | qmpo[.]art |
| Domain | Payload Delivery | tiua[.]uk |
| Domain | Payload Delivery | vn6[.]co |
| Domain | Payload Delivery | z7s[.]org |
| Domain | Payload Delivery | k5x[.]xyz |
| Domain | Payload Delivery | 6Y[.]rE |
| Domain | Payload Delivery | doem[.]Re |
| Domain | Payload Delivery | bpyo[.]IN |
| Domain | Payload Delivery | l5k[.]xYZ |
| Domain | Payload Delivery | uQW[.]fUTbOL |
| Domain | Payload Delivery | t7[.]Nz |
| Domain | Payload Delivery | 0t[.]yT |
Over her 25-year-plus career, Saleema Syed has seen the information security industry from a variety of vantage points, all while championing women in technology. Syed worked as director of business systems and data management for Duo Security before rising to vice president of information technology. Later, after Duo was acquired by Cisco, she transitioned to new roles within the larger organization and now heads up operations for Webex Marketing. In this position Syed brings structure across different functions of marketing including brand, events and technology while also serving as chief operating officer for Chief Marketing Officer Aruna Ravichandran.
“I fell in love with the culture, the kindness, the heart of this company,” Syed said.
Recently, she shared her passion for problem solving and inclusion with the Duo Blog, along with the advice she gives mentees navigating their own career paths.
Saleema Syed: I like chaos and I love putting a method to the madness. With marketing we have to react to the market, react to the business, react internally. What energizes me is there’s never a dull day and there is always this ability to bring some overall end to end process.
I love running towards a burning car and figuring out how to put it out. I love change. I know change is the only constant and rather than running away from it, I thrive in it. I like to look at it and ask, “What can we do to break it down and figure out what we need to do?”
My brain works in terms of boxes and flows and charts and spreadsheets so when I look at something I’m like, “Okay, what is a box? What is a process? How do I untangle it?” I like sitting in the discomfort and understanding what to do to get out of it.
Saleema Syed: There are three things I always keep in mind when I look at what I’m doing and where I want to be. One is, at the core of it, does it fill my cup of empathy and allow me to be true to who I am in how I treat people or how I build a team?
The second thing is, will I have the opportunity to influence and impact the people on the team or my family? How do I show myself to my daughter who is growing and seeing how to become who she is as a career person?
The third thing is, is it something new and am I learning something? Continuous learning is a huge part of who I am, so that drives me to get out of my comfort zone constantly.
When I’m changing jobs people usually say, “You’ve set up this team, you’re so comfortable. Now all you have to do is sit back and execute.” And my answer is, “That’s exactly why I am moving.”
If I am comfortable I’m not learning, and I don’t know if I’m adding any more value than I’ve set up. That means it’s time for me to move on and elevate somebody. What I’m doing is sending the elevator down to somebody on the team to grow.
That’s why I’ve had people who work for me for many years follow me through multiple organizations, which as a leader has been my pinnacle of what I call my success. Success is not my role; it is how many people I have impacted and influenced.
Saleema Syed: I keep going back to Duo because working at that organization and meeting those people defined me as a human being. One of the strategic pillars of that organization is to be kinder than necessary.
However complicated the work challenges are, those around me must be aligned with what my integral values are and who I am. They have to have empathy and kindness in their heart. If that is not there, no matter how much I love solving challenges and know I can solve them, I’m not going to go for it. I’ve been extremely lucky at Duo, Cisco and Webex that I’ve been around those kinds of people.
If you look at Webex, I love the core of what we are, the journey we are on, the inclusivity. We are not just selling Webex messaging or other products. At the heart of it we are looking at how we are influencing people and things around us by making sure that there is inclusivity in the collaboration tools that we are launching.
Saleema Syed: My leadership style is pretty simple: nobody works for me; people work with me. I lead with making sure that people know this is the problem you’re trying to solve, here is the context of what we are trying to do. Now, let’s figure out how we solve it. That is something that has helped my team be part of the problem solving that I love to do.
When I interview people my first questions are, “What does the job bring to you? How would this job fill your cup?” That throws people off every time. You can teach any technology, you can teach any skill set, but if you don’t have the basic passion, the attitude to be able to do this job, then everything else can just go out the door.
Saleema Syed: I have a very diverse background. I am an Indian by birth and grew up in the Middle East. When I went into engineering, finished my education and started my career, one of the things I realized was that as a woman of color, I always wanted to apply for positions that I was fully qualified for. I wanted to make sure I knew everything about the job because a very big fear was being asked a question in the interview I didn’t know. LinkedIn’s Gender Insights Report found that women apply for 20% fewer jobs than men despite similar job search behaviors. That has been a very challenging mental barrier for me to break.
Trey Boynton, who was at Duo and now she’s leading Cisco in a beautiful journey of diversity as the senior director of inclusion and collaboration strategy always said, “We have to have that bicycle lane on the road, whether it is for females, whether it is for people of color or any LGBTQIA+ community members. That is how we get people to bring that confidence in to learn, grow and then they can merge easily.”
“Passion is a part of who I am and is contributing to my growth.” – Saleema Syed
Whatever I faced as I was growing up, whether it was my dark skin, whether it was my accent, whether it was, “Oh, you’re way too passionate” has been some of the feedback that I’ve gotten. In my career if I’m told I’m way too passionate I turn that around and say, “Passion is a part of who I am and is contributing to my growth.”
Saleema Syed: Within Webex, within Cisco, I try to be part of anything that I can do in terms of giving back to the community. I’m definitely a big proponent of women in technology. In the local Dallas area I run a program by myself and go into schools and advocate for girls in STEM. Cisco is amazing in how it gives us time to volunteer. I love that educating kids is part of my journey of giving back. That’s the generation you can influence.
How do we enable children and women to be more open to technology and being part of the technology field? Let’s look at the percentage of diversity in the technology field and be aware of it. It’s not only about the diversity numbers, but are we bringing in candidates at the leadership level and giving them not just a seat at the table but a voice at the table, too?
You also have to talk about what you do and with passion and energy because if you don’t, people get intimidated. If you can influence one person who comes from an underrepresented community, imagine what you are doing, not just for that person, but for his household, for his family, for his extended community. I have a lot more to do, but as I get into the next decade of my life and my career, that is something that is a huge focus for me.
Saleema Syed: First and foremost it’s very important to spend time and understand the business and the products in whatever industry you’re going into. It is key to your growth. Especially if it’s a security industry, take time to understand the products, the technology or the function that you’re trying to get into. Contextual understanding and product understanding are extremely important.
The second piece is to keep learning. Cisco is amazing in trying to help you learn and support you financially to be able to do it. I went back and got my executive MBA four years ago. Give yourself a goal of learning a new something, whether it is a new function, new technology or new leadership skill.
The third piece is to create a spreadsheet of where you want to be in two years. Put that out there and then work back just like you would do a project plan. Work back month by month, quarter by quarter. What are the skill sets you need to learn to get there?
The last part is: Do the job you want versus the job you are in. Of course, you have to do the job you are in, but do the job you want to get to. Don’t wait for a title, don’t wait for a promotion to act. No. What do you want to be? Show that to your leaders and yourself. The title will come, money will come, everything will come, but am I doing the job that I want and enjoy and I want to get to?
To learn more about Webex, Cisco and Duo Security and how you can apply your passion, advocacy and problem solving to make a difference in cybersecurity, browse our open roles.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
We have entered a world where uncertainty has become the normal operating mode for everyone. Within this new frontier, cybersecurity has become even more challenging. However, some cybersecurity professionals have stood out, using their unique skills and resourcefulness to protect the integrity of their businesses, and to withstand unpredictable and dynamically changing threats. In the end, they, and their businesses have emerged even stronger.
These accomplishments have lead them to be selected from over more than 700 Cisco Cybersecurity Advocates – who are also members of Cisco Insider Advocates – to join the League of Cybersecurity Heroes.
Cisco Insider Advocates is a peer networking community developed several years ago for Cisco customers around the globe. Currently, over 14,000 customers are using it to share technology insights, feedback, and best practices, and also to make meaningful connections with others in the industry. We at Cisco believe that when we connect, anything is possible, and the Insider Advocacy program is a great example of the great things that can happen when people come together.
As the global CISO of Mediapro, Roberto has deployed Cisco SecureX together with Umbrella, Secure Endpoint, Secure Firewall, ISE, NGIP, Threat Response, AnyConnect, and Web security. With this partnership, Mediapro has reduced its threat detection time by 90%. In addition, they have seen no false positives in their threat detection alerts. It is rare to boast of a 100% success rate, but they can boldly make that pronouncement. All of this has also benefitted Mediapro financially by incurring zero fines for any compliance issues
What do music, cybersecurity, and teaching all have in common? They all culminate in a readiness to perform. Equally, they all require collaboration, comfort with the unexpected, and a passion for the job. Blair exemplifies the best of these traits, and in doing so, he provides inspiration and excellence to all with whom he interacts. Watching Blair at work makes one wonder if there are more hours granted to him during a day than the average person. He is a time-maximizer, spending most of that time in the service of others.
Too often, cybersecurity certifications are treated derisively by some of the very professionals who need them most. This is not the case with Kevin, who can list the many benefits of attaining certifications. Kevin’s desire to improve his knowledge doesn’t stop with technology and cybersecurity. He is an avid reader of anything that can raise him up to be better than he was the day before. With a career that started in the US Marine Corps, Kevin continues to learn and grow, all the while remaining as masterful at a computer keyboard as he is his with his traditional 55-gallon-barrel BBQ smoker and grill.
Steve is a Senior Cybersecurity and Network Architect at Lake Trust Credit Union. Like most organizations, Lake Trust has had to transition to a completely remote workforce quickly, and thanks to Secure Network Analytics, they were able to transition the employees to work remotely while maintaining the same high level of visibility and protection in place. Steve was the subject of a case study about the benefits that Cisco products have brought to Lake Trust Credit Unions’ customers. He is currently collaborating to update that information to share more of his knowledge.
Being the Head of Information Technology is never an easy job. However, when food manufacturer, Leng-d’Or, was faced with a challenge during the pandemic that could have interrupted its production line, quick thinking, skilled leadership, and a close partnership with Cisco all lead to positive outcomes, and helped them to pull through stronger than before. Part of this success comes from Enric’s distinct understanding of the threats, solutions, and processes needed to bring security to a higher level for the Leng-d’Or organization. Enric also shares his success story very freely, adding immeasurable benefits to the security community.
Cybersecurity is truly a global discipline. Tony Dous proves this by practicing his craft as a Senior Network Security Engineer in Cairo, Egypt. Tony’s involvement with the Cisco community shows how no distance is too far for a motivated cybersecurity professional.
When John Patrick is on the job, there is no longer any feeling that the criminals are one-step ahead of the good guys. He adopted Umbrella together with Meraki to develop a proactive security approach inside his organization. John Patrick created a more unified network from a patchwork of disparate entities. In doing so, he reduced the complexity within the environment. Complexity is so often responsible for security gaps, and John Patrick’s work not only corrected those gaps, but he brought people together in the process. He and his team received great feedback from the employees, who enjoyed a consistent network experience.
We often hear stories about teenagers who become enamored with technology, leading to the fulfillment of a dream. Amit Gumber became interested in cybersecurity at an early age, pursued his passion and has worked in the field ever since. His sense of advocacy is best described in his own words: “I’m quite passionate about sharing knowledge and ideas with peers and participating in collaborative activities.” Amit’s use of Cisco technologies has helped HCL Technologies to stabilize and secure their environment.
One of the most important factors for success is insatiable curiosity. Mark Healey is a continuous learner, and he is an example of someone who enthusiastically shares his knowledge. Whether it is on a personal level, or through his high engagement as part of the Cisco Insider Advocates community, or as an active member of the Internet Society, Mark is an evangelist and a positive voice for cybersecurity.
Wouter holds a special designation, not only as a member of the League of Cybersecurity Heroes, but also as the recipient of the “Cybersecurity Defender of the Year” award. Wouter is an active participant in the cybersecurity community, working with an almost evangelical zeal towards sharing the importance of holistic cybersecurity. His contributions stand out towards making the cyber realm a safer place.
It is often said that the job of a cybersecurity professional in an educational facility is especially challenging. When that facility happens to be the largest in an entire country, with over 4,000 schools and universities, the job of protecting it can seem insurmountable. At AzEduNet, in Azerbaijan, Bahruz and his team is tasked with securing the network for its 1.5 Million students. With Cisco Secure, the security team reduced security incidents by 80%. This not only ensures access for the students, but also keeps the data safe.
Many people want to enter the cybersecurity profession, but few have the dedication and perseverance to fully embrace the skillset required to meet that goal. Walther Noel not only had the desire to refocus his career, but he proved it by earning the CyberOps Associate Certification. His accomplishment is a prime example of how one can step outside of their comfort zone to grow and thrive.
Pascual demonstrates how important it is to make the most of the learning opportunities in Cisco Insiders Advocates. While already a successful NOC engineer, he sought to advance his professional development by studying cybersecurity. He passed the CCNA CyberOps 200-201 exam, moving him closer to propelling his career to even higher achievements.
One of the noblest expressions of knowledge is the desire to freely share that information. Inderdeep lives up to this ideal, offering his expertise to all with no expectations of reciprocity. His charitable spirit has not gone unnoticed, as he has been a previous award winner for Cisco IT Blogs, as well as a designation on the Feedspot top 100 Networking Blog.
Being the first to try a new technology can be a risky proposition. However, as a COO, risk calculations are in one’s blood. Luigi, along with the Sara Assicurazioni organization, hails as the first company in Italy to embrace cloud technology. As a company with more than one million customers, this was a bold initiative that required careful planning, keen insight, and above all, collaboration. In the end, this has resulted not only in a digital transformation, but a business transformation.
Whether it is a technical achievement, a personal triumph, or a spirit of helping others, each member of our League of Cybersecurity Heroes proves how technology and humanity can work together to accomplish the impossible. Congratulations to all of them!
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
Instagram
Facebook
Twitter
LinkedIn
Few security career paths are linear. For Stephanie Frankel the journey to Cisco Secure was circuitous. The Ann Arbor, Michigan native studied journalism at the University of Michigan before managing communications for the Washington Capitals and NBC Sports. But after several stints at communications agencies, she charted a new path for herself in cybersecurity. Not only has her diverse background served as a strength in her current role as senior manager for strategy and operations, but it’s also informed her management philosophy.
After doing project management and account direction at consulting agencies, Frankel was interested in honing her skills and expertise on the client side. She had heard amazing things about Duo and wanted to stay in Ann Arbor and work for a company with local roots. After interviewing, Frankel realized that “working at Duo was a cool, exciting opportunity with a really awesome group of people.”
Frankel was on the ground running working as a technical project manager in research and development overseeing the Multi-Factor Authentication, applications and mobile engineering teams despite not having worked in information security before.
Duo’s security education allowed Frankel to understand the industry and is something she values for getting more people into the cybersecurity field. At Duo and Cisco Secure, employees come from a variety of backgrounds and some don’t have much (or any) experience with cybersecurity.
Robust educational programs build knowledge about security and specific products which empower new team members to grow and learn. Every team also has a learning and development budget for employees to quench their curiosity and enhance their knowledge through courses, books or other programs Manager of Global Employee Programs Anndrea Boris shared.
“People are open to having conversations and open to ideas and ways to solve those ideas. If you have an idea of how to solve a problem, no matter whether it’s your job or not, people are open and willing to listen to you.” – Stephanie Frankel
Something Frankel also appreciates most is that ideas are valued at Duo and Cisco Secure: “Even in my first job, I would have ideas and go to my boss or our head of engineering and say, ‘Hey, I think this could be a really cool opportunity, and I think it needs this.’ People are open to having conversations and open to ideas and ways to solve those ideas. If you have an idea of how to solve a problem, no matter whether it’s your job or not, people are willing to listen to you.”
After a year, Frankel moved from engineering to marketing to run operations for Duo’s in-house brand team, leading the team through a rebrand. “The team really rallied behind this new brand and it was amazing to see their pride and hard work when sharing it,” she said. With Frankel’s leadership, the team showcased not only the new look and feel of the brand but also the customer research that went into understanding the need for the change.
“Our amazing team knew that for it to catch on internally we needed to help people understand the why. The team put together an amazing training and went around the company to help people understand the security buyer, the industry overall and our differentiators and how we could do all of this within the umbrella of Cisco,” she said.
Recognizing that she most enjoys and feels best suited for a strategic operations role, she had open conversations with her manager. “I told my boss, ‘It’s just not a great fit.’” Her manager was very supportive, and they worked through potential options. “You’ll find a lot of that at Cisco,” she said.
Now as senior manager in the Strategy and Operations Group within Cisco’s Security and Collaboration division, Frankel runs key initiatives for business operations that drive business growth. She is empowered to creatively solve problems and collaborate “with all the stakeholders within each group to move these programs forward, to understand the problems we’re looking to solve, create objectives, a program plan, and continue to track metrics and progress towards those ultimate goals,” she said.
A self-described “over communicator,” Frankel believes that as a leader, “the more you communicate and the more transparent you are, the better.” Frankel loves leading people who are experts in their fields and letting them do what they do best.
On the brand team, for example, she trusted her team’s expertise in producing stories, videos and animations to demystify Cisco’s security products.
“All I needed to do was give them the objective and the goals and they were able to come up with the solutions,” Frankel said.
She fondly remembers the boss at one of her first jobs out of college. In that job Frankel wrote press releases and wanted her boss to fully approve the final versions before sending them to the media. Once her boss told her, “Stephanie, if you keep giving it back to me, I will keep finding things to change. I trust you to know when it is ready to go.” That confidence in her so early in her career “gave me so much confidence in myself,” she said.
Frankel emulates his approach to management by recognizing that each employee has different needs in their lives, in their careers, and in how they like to receive feedback. From that boss Frankel first learned that for every piece of negative feedback, you must give four pieces of positive feedback for “someone to actually hear it because that’s how you balance things out in your mind.”
Frankel believes feedback is crucial for growth. “I don’t see how you can improve or grow without it, no matter what level of your career you’re at. Feedback shouldn’t be taken as negative, as much as it is a way for you to improve,” she said.
One of the most helpful things Frankel learned in a Cisco class for managers was the importance of asking a person if they are in a good place to receive critical feedback. “You might not be in the mindset to accept the feedback and to do something constructive with it,” she said. ”If you’re having a bad day or struggling, you could say, ‘You know what, I’m not going to be able to take it today, but let’s talk tomorrow and I’ll be in a better place to receive it.’’’
Frankel has spent the last year thriving in a role she never anticipated in an industry her college training in journalism didn’t fully prepare her for. The secret, she says, is keeping an open mind to new possibilities and a willingness to take on new challenges, even if you don’t feel 100% ready.
“A lot of it is getting real world experience and learning your way through it and knowing that there’s a lot of opportunities and a lot of people that are willing to teach you,” she said.
To pivot professionally Frankel advises not feeling pigeonholed just because you studied a particular topic or have been in a certain industry for a long time. Take what you can from where you started such as storytelling and communications skills in the case of journalism for Frankel. While trying something new may require taking a different level or type of job “sometimes it’s worth it because you have that opportunity to grow and you might find you’re happier somewhere else,” she said.
When discerning professional steps Frankel recommends having open and honest conversations with yourself and others such as mentors.
“Cisco has so many mentorship programs and so many people that are knowledgeable about a lot of things,” she said. ”Just because your current role isn’t a great fit doesn’t mean that there’s not another good fit within the corporation, or it doesn’t mean that you can’t create your own good fit.”
Did you know that Cisco offers cybersecurity trainings and certifications? Start developing your cybersecurity skills today! And if you’re ready to jump into an exciting new career in security, check out the open roles at Cisco Secure and Duo Security.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
As the world continues to face formidable challenges, one of the many things impacted is cybersecurity. While recent challenges have been varied, they have all contributed to great uncertainty. How can organizations stay strong and protect their environments amidst so much volatility?
Lately we’ve been talking a lot about security resilience, and how companies can embrace it to stay the course no matter what happens. By building a resilient security strategy, organizations can more effectively address unexpected disruptions and emerge stronger.
Through our Security Outcomes Study, Volume 2, we were able to benchmark how companies around the world are doing when it comes to cyber resilience. Recent blog posts have taken a look at security resilience in the EMEA and Americas regions, and this post assesses resilience in Asia Pacific, Japan and China (APJC).
While the Security Outcomes Study focuses on a dozen outcomes that contribute to overall security program success, for this analysis, we focused on four specific outcomes that are most critical for security resilience. These include: keeping up with the demands of the business, avoiding major cyber incidents, maintaining business continuity, and retaining talented personnel.
The following chart shows the proportion of organizations in each market within APJC that reported “excelling” in these four outcomes:
There is a lot of movement in this chart, but if you take a closer look, you will see that many of the percentage differences between markets are quite small. For example, 44.9% of organizations in the Philippines reported that they are proficient at keeping up with the business, with Mainland China closely following at 44.4%.
The biggest difference we see between the top spot and the bottom spot is around retaining security talent—42.4% of organizations in Australia reported that they were successful in that area, while only 18.3% of organizations in Hong Kong reported the same.
Next, we looked at the mean resilience score for each market in the region:
When we look at this, we can see the differences between the top six and bottom seven markets a bit more clearly. However, as the previous chart also showed, the differences are very slight. (When we take into account the gray error bars, they become even more slight.)
There are many factors that could contribute to these small differences when it comes to security resilience. But the most important thing to be gleaned from this data is how each market can improve its respective resilience level.
The Security Outcomes Study revealed the top five practices—what we refer to as “The Fab Five”—that make the most impact when it comes to enhancing security. The following chart outlines the Fab Five, and demonstrates how each market in the APJC region ranked its own strength across these practices.
If we look at Thailand, for example, 69.1% of organizations say they are adept at accurate threat detection, while only 28% of organizations in Taiwan say the same. Like in the previous charts, there is a lot of movement between how various markets reported their performance against these practices. However, it’s interesting to note that Taiwan remained consistent.
So does implementing the Fab Five improve resilience across organizations in APJC? Looking at the chart below, it’s safe to say that, yes, implementing the Fab Five does improve resilience. Organizations in APJC that did not implement any of the Fab Five practices ranked in the bottom 30% for resilience, whereas those that reported strength in all five rose to the top 30%.
While building resilience can sometimes seem like an elusive concept, we hope this data provides some concrete benchmarks to strive for in today’s security programs.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
Instagram
Facebook
Twitter
LinkedIn
FreshRSS 