A new tool called the Cisco IOS Software Checker is now available on the Cisco Security Intelligence Operations (SIO) portal. This tool introduces a feature that has been long-requested from our customers and will make Cisco product security information much easier to consume and digest.
Security Advisories published by the Cisco Product Security Incident Response Team (PSIRT) provide detailed information about security vulnerabilities in Cisco products, including mitigations, affected products, and vulnerable and fixed versions of software. Security Advisories affecting Cisco IOS include a table that lists the affected Cisco IOS release trains and the fixed versions for those trains. Our customers have long asked us for ways to simplify identification of affected software in this table, so we developed the Cisco IOS Software Checker for this very purpose. The tool leverages our internal databases to provide affected-software information directly, without requiring you to process the fixed software table by hand.
Tags: psirt, security
Update: Apple responded with a press release on April 27, 2011
Tags: mobility, privacy, security
In the previous installment of our series of IPv6 security posts, we covered some of the basic things you need to consider when securing your IPv6 network. In this post, we’ll talk about some of the things to consider when performing security testing on your IPv6 product or network. This testing is useful whether you are developing an IPv6 application or simply deploying IPv6 on your network.
Increased Setup Time
Start with an IPv6 environment in which most people do not have a lot of experience. Next, throw in the typical dual-stack configurations, and it is almost guaranteed that any IPv6 security testing you perform will take longer than it did in your IPv4 environment. With dual-stack configurations, both IPv4 and IPv6 are viable traffic paths. Therefore, simply making sure that your test traffic is actually using IPv6 is one of the first hurdles you will face. So when developing your schedules for IPv6 security testing, always allow a little extra time to account for the problems that will almost certainly appear.
Tags: IPv6, security, security testing
Last June, I blogged about a draft of the National Strategy for Trusted Identities in Cyberspace (NSTIC) that had been released for public comment. This past April 15, the finalized NSTIC strategy document was released at an event at the US Chamber of Commerce.
For those of you who aren’t already familiar with the NSTIC, it is a US government-facilitated initiative that seeks to simplify and strengthen user authentication and to provide trustable assertions about principals in online transactions, through the creation of an ecosystem that includes identity and attribute providers. More information is available at the NIST NSTIC website, particularly the animated video. NSTIC seeks to improve trust in use of the Internet and to enable new uses that depend on trusted attributes and higher-assurance transactions.
Tags: NSTIC, NSTIC Series, privacy, security
Risk assessments are the underpinning of all effective security programs. It’s quite difficult to best prioritize defensive efforts without a proper valuation of assets to be protected, consideration of threats against those assets, and some means to establish a probable rate at which those threats will result in a particular impact. Because risk assessments describe the priorities of the organization through the perspective of minimizing impact from security events, they must be regularly reviewed to ensure not only that the assets and activities of the organization are current, but also that the current threats are properly accounted for.
Recent research by Christopher Soghoian, a graduate student at Indiana University Bloomington’s Center for Applied Cybersecurity Research, suggests that underreporting of US law enforcement surveillance could be creating a blind spot in organizational risk assessments. That is, the current legislative reporting requirements exclude certain information and agencies. In the absence of such requirements, it appears that state and local agencies, for example, are responsible for the vast majority of Electronic Communications Privacy Act (ECPA) requests. Unfortunately, the kinds of information excluded from stringent reporting requirements coincide with the current trends in mobile computing and informal electronic communication, namely stored communication (text messages, social networking posts, etc.). At this intersection lies the opportunity for an organization to miss a very real threat to its sensitive communications, as we mentioned in our recent Cyber Risk Report.
Tags: privacy, security