May 18, 2011 at 6:00 am PST
In this week’s Cyber Risk Report we briefly discussed the fact that millions of individuals are victims of their own carelessness by freely posting information such as vacation plans and family photos on social networks and by storing Personally Identifiable Information (PII), such as medical records and financial information, on mobile devices. Users are sometimes not properly educated about what types of information should be shared, and with whom they should be sharing it. This lack of education and the resulting “overposting” of personal details is now trickling down to our youth, some of whom are under the legal age to even use some of these social network sites.
Tags: cyber security, facebook, security, social networking
On June 1-2, I will be participating in the EastWest Institute’s (EWI) second Worldwide Cybersecurity Summit at the Queen Elizabeth II Conference Center in London, and I’m very excited about the prospects for this event.
EastWest Institute is a global, action-oriented, “think-and-do” tank founded in 1980. Its goals are to mobilize leading business and government leaders to address cross-border cybersecurity challenges; set new models for private-public-sector leadership in addressing high-priority security threats and vulnerabilities; and to make advances on the most pressing issues in global management of critical information infrastructure with breakthrough international collaboration.
I’m particularly energized about this year’s session, as I anticipate we will continue and expand upon the dialogue initiated at last year’s inaugural summit in Dallas. I’m proud to have participated in that event, along with other government, business, and civil society leaders from around the world who came together to collaborate on ways to assure the security of the world’s digital infrastructure.
Tags: cybersecurity, security
In the previous installment of our series of IPv6 security posts, we covered some of the basic things you need to consider when performing security testing on your IPv6 network. In this post, we will examine some of the things that you need to consider to secure the transition from IPv4 to IPv6. IPv6 is being deployed on more and more networks, but IPv4 is not going away any time soon. During this transition period, security is crucial since you will be running both IPv4 and IPv6, along with various tunneling protocols (even if you did not configure them explicitly) that enable communication between IPv4 and IPv6 networks (such as Teredo, ISATAP, and 6to4).
To begin with, the designers of IPv6 realized that the transition from IPv4 to IPv6 would not happen overnight. There was a hope that there would be a large push and the transition would go rather quickly, but as time moved on, that did not happen. The time for a quick transition has passed and we are in for a long and protracted transition. During this transition, nodes on your network will fit into one of the following buckets:
Tags: IPv6-security
The Cisco 1Q11 Global Threat Report has been released. The report covers the period from 1 January 2011 through 31 March 2011 and features data from Cisco Security Intelligence Operations. This quarter’s contributors include Cisco Intrusion Prevention System (IPS), IronPort, Remote Management Services (RMS), Security Research and Operations (SR&O), and ScanSafe.
Unique Web malware increased 46% from January to March 2011. 16% of encounters were via online searches and webmail. Likejacking, where users are tricked/forced into registering a click with the Facebook “Like” button, increased from 0.54% to 6% throughout the quarter.
Tags: quarterly threat report, security
The next wave of spam is now making its way into social networks. One example of this type of threat is the Koobface malware, distributed through social networks such as Facebook. Koobface tricked users into downloading the malware, which then spread via the network of trusted friends. (For more details please read Unsociable: Social Media Brings a New Wave of Threats)
Facebook recognized this malware was a major problem. The trick to solving it, though, was determining how to distinguish the behavior of a bot acting like a human from the behavior of a real human. The initial answer seemed clear: selectively use a “captcha.” A captcha is the squiggly letters or numbers with interspersed lines that websites use to verify the user is a real person, not a bot. It’s very difficult for a machine to read the captcha and enter the right characters. (IMHO it is difficult for a person to enter the right characters, too—so no wonder a bot can’t do it.)
Tags: Forbes, security, social media
This is part of an ongoing series on the National Strategy for Trusted Identities in Cyberspace. The introduction to this series can be found here.
The National Strategy for Trusted Identities in Cyberspace (NSTIC) describes two types of intermediaries between subjects (users) and relying parties: identity providers and attribute providers. This is a separation not frequently found in identity systems. In order to emphasize this distinction, I often use the term “credential provider” or “authentication provider” rather than identity provider to refer to a service that provides authentication services and makes assertions resulting from authentication but does not directly provide attributes about the subject.
A credential provider can be thought of as a key cabinet. The subject authenticates to the credential provider in order to “unlock” the cabinet of credentials. As with a physical key cabinet where different keys inside are used for different things, the credential provider serves different credentials to different services. Ideally, the identifiers used for each of these services would be different; a good identifier is also opaque, meaning that the identifier itself provides no additional information about the subject. Provided that the choice of credential provider itself does not reveal significant information about the subject, a subject can be generally pseudonymous with respect to the relying party until the subject authorizes the release of identifying attributes.
Tags: identity, NSTIC, NSTIC Series, privacy, security
Last year brought a surprising, and seemingly positive, change in the number of security threats: it was the first year we saw spam volumes drop. That decrease was a significant change from the previous decade, in which spam volumes roughly doubled every year, compounding to yield a dirty Internet where about 90 percent of the email flowing over the backbone is spam. So does the drop in spam volume mean spam is suddenly less of a problem? Have spammers given up and gone home, or maybe developed a conscience and let up a little?
Unfortunately, no. Spam has just changed. It’s become more sophisticated. We are seeing a massive shift away from the spray-and-pray tactics of the past to much more targeted and complex attacks. One consistent trait of attackers: they always follow the money. Therefore, as social media sites such as Facebook have experienced explosive growth (and explosive valuations), it’s no surprise that threat writers are exploring ways to tap into these networks to deliver the next generation of attacks.
Tags: Forbes, security
Mark Twain once wrote, “Everybody complains about the weather, but nobody ever does anything about it.” Security policy is a lot like that. Creating a security policy is at the top of the list for anyone looking to really secure their network. But the devil is in the details.
Among the things a security policy needs to cover are:
- All users
- All physical and virtual devices
- All access methods
- All resource classifications and locations
- All compliance requirements
- All of the OSI layers, from the physical layer up the stack to the application layer
- AND the policy needs to be applied uniformly across the entire distributed enterprise
Tags: identity, Identity Services Engine, ISE, policy, risk, security
This is part of an ongoing series on the National Strategy for Trusted Identities in Cyberspace. The introduction to this series can be found here.
A couple of months ago, I spoke with a security researcher at a conference about the NSTIC. He questioned the need for an intermediary to manage users’ identity information; he asked why we don’t just do this at the user’s endpoint, eliminating the need for the user to trust an external party. This is a good place to begin a discussion about the NSTIC architecture.
Tags: NSTIC, NSTIC Series, security
Security and functionality have lived on opposite ends of the spectrum since the dawn of time. The door with no lock has always been easier to use than something with multiple chains and dead bolts. Of course, the unlocked door has always been easier to open for those who may want to do bad things.
Tags: security
A new tool called the Cisco IOS Software Checker is now available on the Cisco Security Intelligence Operations (SIO) portal. This tool introduces a feature that our customers have long requested and will make Cisco product security information much easier to consume and digest.
Security Advisories that are published by the Cisco Product Security Incident Response Team (PSIRT) provide detailed information about security vulnerabilities in Cisco products, including mitigations, affected products and vulnerable and fixed versions of software. Security Advisories affecting Cisco IOS include a table that provides a list of affected Cisco IOS release trains and fixed versions for those trains. Our customers have long asked us for ways to simplify identification of affected software in this table, and so we have developed the Cisco IOS Software Checker for this very purpose. This tool leverages our internal databases to easily provide affected software information without requiring you to manually process the fixed software table.
Tags: psirt, security
Apple’s iOS mobile device operating system has recently come under fire in the media for tracking user location, recoverable from device backups of a file called consolidated.db. As we discussed in the Cyber Risk Report, even though Apple has disclosed location tracking in its Privacy Policy, significant commentary online suggests that users are surprised to learn how it is accomplished. The researchers whose efforts brought this location tracking to wide attention were aware that forensics experts already knew about it, but developed their tool to bring it to wider attention. By all accounts, they have succeeded in raising awareness; what remains is to understand what should be done from here.
Update: Apple responded with a press release on April 27, 2011.
Tags: mobility, privacy, security
In the previous installment of our series of IPv6 security posts, we covered some of the basic things you need to consider when securing your IPv6 network. In this post, we’ll talk about some of the things to consider when performing security testing on your IPv6 product or network. This testing is useful whether you are developing an IPv6 application or simply deploying IPv6 on your network.
Increased Setup Time
Start with an IPv6 environment in which most people do not have a lot of experience. Next, throw in the typical dual-stack configurations, and any IPv6 security testing you perform will almost certainly take longer than it took in your IPv4 environment. With dual-stack configurations, both IPv4 and IPv6 are viable traffic paths. Therefore, simply making sure that your test traffic is actually using IPv6 is one of the first hurdles you will face. So when developing your schedules for IPv6 security testing, always allow a little extra time to account for the problems that will almost certainly appear.
Tags: IPv6, security, security testing
Last June, I blogged about a draft of the National Strategy for Trusted Identities in Cyberspace (NSTIC) that had been released for public comment. This past April 15, the finalized NSTIC strategy document was released at an event at the US Chamber of Commerce.
For those of you who aren’t already familiar with the NSTIC, it is a US government-facilitated initiative that seeks to simplify and strengthen user authentication and to provide trustable assertions about principals in online transactions through the creation of an ecosystem that includes identity and attribute providers. More information is available at the NIST NSTIC website, particularly the animated video. NSTIC seeks to improve trust in the use of the Internet and to enable new uses that depend on trusted attributes and higher-assurance transactions.
Tags: NSTIC, NSTIC Series, privacy, security
Risk assessments are the underpinning of all effective security programs. It’s quite difficult to best prioritize defensive efforts without a proper valuation of assets to be protected, consideration of threats against those assets, and some means to establish a probable rate at which those threats will result in a particular impact. Because risk assessments describe the priorities of the organization through the perspective of minimizing impact from security events, they must be regularly reviewed to ensure not only that the assets and activities of the organization are current, but also that the current threats are properly accounted for.
Recent research by Christopher Soghoian, a graduate student at Indiana University Bloomington’s Center for Applied Cybersecurity Research, suggests that underreporting of US law enforcement surveillance could be creating a blind spot in organizational risk assessments. That is, the current legislative reporting requirements exclude certain information and agencies. In the absence of such requirements, it appears that state and local agencies, for example, are responsible for the vast majority of Electronic Communications Privacy Act (ECPA) requests. Unfortunately, the kinds of information excluded from stringent reporting requirements coincide with the current trends in mobile computing and informal electronic communication, namely stored communication (text messages, social networking posts, etc.). At this intersection lies the opportunity for an organization to miss a very real threat to its sensitive communications, as we mentioned in our recent Cyber Risk Report.
Tags: privacy, security