How do you build good, secure development practices into the DNA of a company with over 40 different business units, an incredibly diverse set of product lines, and employees distributed around the globe? One of the things you need is a virtual community of sharp, knowledgeable people who understand network security and secure product development (and testing), and who can share and evangelize that knowledge with their peers, their colleagues, and their management.
That virtual community is a reality at Cisco. Today, the Security Advocates program numbers over 100 members from 40 different business units, representing diverse product lines ranging from small SOHO devices to core routers and switches to SaaS applications. Testers, tech leads, developers, and architects learn together, share their knowledge and expertise with one another and with their business unit colleagues, and provide valuable feedback to centralized security teams. In a decentralized environment like Cisco, this is an incredible boost to the time-to-adoption of new secure development tools and processes.
Security doesn’t “just happen.” It takes dedicated voices to get and keep development teams focused on producing more secure products, especially when resources are focused on other, often more marketable customer requirements. Product teams inside Cisco show their commitment to security by designating a security advocate for their business unit. Bringing that message inside the development teams literally brings the information “inside,” with insider credibility from someone who understands the peculiarities, design features, history and market segment for a particular product — a major win when working with widely divergent products, markets and business realities.
SCADA networks have been targeted by the Stuxnet malware that exploits a 0-day Windows vulnerability, as well as a hard-coded database password. The details of this issue paint a picture of security controls new and old, and give some hints about how we might expect these controls to affect us over time and whether they can evolve to meet new challenges. For starters, signed code may not be all that it’s cracked up to be.
Today we released the Cisco 2010 Midyear Security Report, a report that provides a high-level and thought-provoking discussion of the technological, economic, and demographic shifts bearing down on IT security. As you’ll see in the report, the first half of 2010 has been a very interesting time. ScanSafe has always had an unparalleled view of the Web threat landscape, thanks to the tens of billions of Web requests it processes in real time. Now, thanks to Cisco’s acquisition of ScanSafe, we can extend our threat data analysis even further.
As part of our efforts to improve what we do at Cisco Security Intelligence Operations, next week — just in time for Black Hat — we are introducing a project to merge threat analysis across all Cisco security teams. The first product of this is the Cisco 2Q10 Global Threat Report, which merges threat analysis from Cisco IPS, Cisco IronPort, and Cisco ScanSafe data. Not only can we now report the who, what, when and where of Web threats, but we can share our bird’s eye view into what types of attacks are happening on enterprise networks — including how they can sometimes correlate to attack outbreaks on the Web. And we’re going to do this every quarter.
Credit card thieves have taken their efforts to collect card information to the next level, as shown in recent reports of card skimming devices that have been uncovered in Utah and Florida. In the past, ATMs were targeted, prompting banks to increase the security around their machines; and because the stolen card information was collected on storage media inside the machines, the thieves had to return to each one, which increased the risks they had to take to profit from their schemes. Now, as the fraud arms race escalates, the card skimming criminals have embedded Bluetooth or cell phone transmitters inside targeted machines so that the stolen information can be relayed to them without necessarily visiting each machine. We covered some practical suggestions for gas stations, but now let’s look at the details and how this could guide us in defending our borderless networks.
Malware authors use a variety of obfuscation techniques to foil researchers and operate as covertly as possible on a user’s system. To that end, some of the techniques, like frequent changes to the executable (possibly daily), are designed to obstruct basic detection techniques. Often, given a specific piece of executable code, it is not trivial to determine whether the code is a piece of malware or just a random piece of software. Fortunately, there are a variety of techniques to help someone determine whether a piece of code is malicious or not.
Many of these techniques come in part from the forensics or malware reverse engineering disciplines. Most of these techniques will work on all types of malicious files, although packer detection and entropy analysis will work best on executable files. A previous blog post titled “A Brief History of Malware Obfuscation” by Mike Schiffman provides background information on malware obfuscation. Below, I’ll highlight several of the techniques and give a brief discussion of the good and bad of each.