SecCon is Cisco’s internal security conference aimed at raising security awareness within the company’s development community. On Oct 4th – 7th we completed the third Cisco SecCon and it was a big success. At this year’s conference we had well over a thousand attendees, with representatives from almost every job function. Thank you to all the participants and speakers!
The last two years seem dominated by PDF vulnerabilities. As far as the specification and its various readers are concerned, there is likely more sour fruit yet to be uncovered; it’s simply too complex and full of dangerous “features.” But a few blogs have recently hinted that a new vector may be emerging with surprising popularity. Brian Krebs suggests that exploit crimeware packages have begun reporting significant success rates with Java exploits; data collected by the Microsoft Malware Protection Center (MMPC) seems to agree. After taking a look at what Cisco ScanSafe had to share on the topic, it seems clear that the threat landscape is shifting under our noses.
PCI DSS, the Payment Card Industry Data Security Standard, is a set of standards that, more than many regulatory and compliance efforts, has real-world relevance. PCI compliance can earn merchants tiered interchange rates and protection from fraud losses, while a lack of compliance can result in fines of thousands or tens of thousands of dollars per month. Unlike some compliance efforts with relatively small penalties that are unlikely to be applied, PCI compliance has significant financial implications with a high probability of impact.
PCI DSS 2.0 is being released today. Earlier, we took a look ahead at some issues around PCI in a piece that you can read here.
So, now that we are on the cusp of a new set of standards, what’s new?
How does Cisco deal with cyber threats from the web? How does Cisco protect any device on a network? The following video will give you an update from Cisco CSIRT’s Gavin Reid on how Cisco is combating this increasing threat.
In May, I talked a bit about compensating controls and their value in layered defenses. The Wall Street Journal recently detailed what appears to be another significant failure of detective controls, as Dubai police worked with national governments to apprehend suspects in the assassination of Mahmoud al-Mabhouh. Authorities in Dubai posted about 30 minutes of video footage to YouTube shortly after al-Mabhouh’s January death. The videos showed a significant amount of coordination and investigation to tie together more than two dozen suspects over several locations throughout Dubai. Now, nine months later, despite this tremendous investigative effort, the trail shows few signs of progress. But when looked at from the perspective of incident response, even a spectacular failure can be a successful lesson learned for tomorrow.