Cisco Blogs


Security – Who is Responsible?

Do you view your security posture in the office as more or less important in comparison to your residence? And how does that compare to the personal security profile that you exercise for you and your family? Who should be shouldering the security responsibility? I posit — you are responsible. And I would add that you also need to hold yourself accountable.

At work you may rely on yourself. If you are fortunate to work for a company with resources focused on security, you may, dare I say, share reliance with a few groups. These groups include the “information security” team who attempts to keep information safe (be it data, network, laptop or smart phone), the “physical security” team who keeps your building safe from intruders, and the local “industrial police force” responsible for keeping your person safe and secure. Such reliance is appropriate. In each instance the person or entity you are relying on the most is also relying on you at least as much, and oftentimes more so.

An example from the physical world: when you ride public transport you rely on the operator of the vehicle to drive in a safe and secure manner and obey the “rules of the road.” These rules are designed to keep order as we meld in amongst the chaos we affectionately call “traffic.” The operators are also relying on you to make the right choices (how to enter and exit, pay fares, sit and stand, etc.) and to understand the consequences — be they intended or unintended — of your choices should you not follow the rules. This is the accountability part of the equation — you own the end result of your choices and actions.

Throughout my 30+ years involved in the practice of security it has been my experience that too often people ascribe responsibility for their security to others. When is the last time you heard someone say, “It is my responsibility to be secure! It is my responsibility to maintain security!” or conversely, “Today I am going to be insecure!” It just doesn’t happen. Though the reality is that every single day my actions demonstrate my desire to be secure and maintain security, and perhaps yours do as well. And yes, it has also been my experience that occasionally I’ve made choices which have caused others to say, “What was he thinking?” and conclude, “There wasn’t any thought process engaged.” I will try to keep those instances to a minimum. However, we all bear responsibility for our own security.

Let me share a few of my thoughts:

Read More »

Encryption is Essential, Except When it Isn’t

Insurgents in Iraq and Afghanistan used satellite recording software, commonly used to capture satellite broadcasts, to intercept video from US military warplanes and drones. In the aftermath of the Wall Street Journal’s publication of this information, many security professionals have weighed in to offer their criticism of the US military’s oversight, and we have also provided our thoughts on the matter in our own Cyber Risk Report: Concerns Raised over Unencrypted Military Video Feeds.

Certainly the military should be encrypting this content, right? We have the technology, and it’s sensitive information, so there shouldn’t be any argument. The CIA already encrypts these videos for all of their drones, according to Gartner analyst (and former National Security Agency analyst), John Pescatore. Still, Bruce Schneier has dissented in a way — he does not argue that the feeds should be unencrypted. Rather he offers that encryption standards designed to thwart resourceful nation states are not necessary against today’s opponents with far fewer resources (but more advanced technology readily available).

What’s the verdict then: encrypt, or not?

Read More »

A Culture Shift: IT Security to Smart Grid Security

With the global excitement and opportunity of the Smart Grid, a lot of historically IT-focused companies, including Cisco, are entering the market. It’s important to note that there are unique characteristics of the grid when attempting to apply IT security solutions. In this post I’ll focus on the primary goal of power generation and delivery: reliability. In subsequent posts I’ll discuss other security requirements of the grid (such as integrity, authentication, and confidentiality), and how we can apply lessons learned from the IT sector.

To better understand the culture shift from securing IT systems, we need to clarify the focus of grid security. In the IT world, we often focus on protecting information. For example, in United States Department of Defense circles, security is usually referred to as Information Assurance. Smart Grid security (usually called “cyber security,” or just “cyber” by electric sector practitioners), however, concerns itself with making sure that systems continue to operate in the case of a security event. An equivalent term for the grid would be “Continuation Assurance.” The smart grid community considers the potential to affect system reliability a cyber security issue, from disgruntled insiders to operator error or a deliberate attack from the outside that affects any portion of the grid – substations, data centers, operations centers, neighborhood area networks, and eventually homes. The effectiveness of cyber security measures will be judged mainly on their contribution to keeping the systems running!

Why is reliability key to the grid?

Read More »

Exploring a Java Bot: Part 2

January 6, 2010 at 1:17 pm PST

When I first started this series my goal was to remove any mystery around botnets. In fact, most botnets, like this one, are relatively simple. In this post we will explore the command-and-control (C&C) infrastructure, as well as the bot’s update mechanism.

A C&C interface is the primary user interface between the botmaster and the legion of infected hosts participating in the botnet. Since it is present in every botnet (although there are many different types of interfaces), it is one of the primary things we look for when attempting to determine if any machines have been compromised. From a botmaster’s perspective, it would seem that this is a key feature that must be carefully designed to avoid detection. But surprisingly, a very large percentage we see are very simple, just like this one. That said, at times it can be very much a cat-and-mouse game between botmasters and people in my industry.

Remotely controlling multiple machines is a basic principle that botmasters must address. You need to be able to command your nodes in a fairly efficient manner. If you have 10,000 nodes you do not want to issue a command 10,000 times. You want to issue it once and have all 10,000 nodes respond in a timely manner so that you know if the command was successful.

In this example the author decided to use internet relay chat (IRC). The use of IRC is very common among simple bots since it’s easy to understand and there are lots of implementations publicly available. There is a trade-off though: because IRC is a well-documented protocol, it is extremely easy to detect and monitor. Infiltrating a botnet that is IRC-based is a trivial task. Some botnets try to mitigate this issue by doing things like requiring server and channel passwords or even using SSL encryption, but none of those efforts are really effective. Passwords are easily sniffed off a network and anything being encrypted can be spied on with a debugger.

Read More »
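To illustrate why a plaintext, well-documented protocol makes IRC-based C&C easy to monitor, here is an added example (not code from the original post or from the bot it describes): a small parser for the RFC 1459 message grammar plus a detector that flags a channel when several hosts with template-style nicknames converge on it. The traffic records, the `bot-xxxx` nickname pattern and the threshold are constructed assumptions for the example.

```python
import re
from collections import defaultdict

# RFC 1459 message grammar: [":" prefix SPACE] command [params] [" :" trailing]
IRC_RE = re.compile(
    r'^(?::(?P<prefix>\S+) )?'            # optional source prefix
    r'(?P<command>[A-Za-z]+|\d{3})'       # verb or 3-digit numeric reply
    r'(?P<params>(?: [^:\s]\S*)*)'        # middle params (cannot start with ':')
    r'(?: :(?P<trailing>.*))?$'           # trailing param, may contain spaces
)

def parse_irc(line):
    """Return {'prefix', 'command', 'params'} for one IRC line, or None if malformed."""
    m = IRC_RE.match(line.strip())
    if not m:
        return None
    params = m.group('params').split()
    if m.group('trailing') is not None:
        params.append(m.group('trailing'))
    return {'prefix': m.group('prefix'),
            'command': m.group('command').upper(),
            'params': params}

# Constructed sample: (source host, raw IRC line) as a network monitor might log them.
SAMPLE = [
    ("10.0.0.11", "NICK bot-a1f3"), ("10.0.0.11", "JOIN #ctrl"),
    ("10.0.0.12", "NICK bot-9c2e"), ("10.0.0.12", "JOIN #ctrl"),
    ("10.0.0.13", "NICK bot-77de"), ("10.0.0.13", "JOIN #ctrl"),
    ("10.0.0.50", "NICK alice"),    ("10.0.0.50", "JOIN #lunch"),
]

def find_herds(records, min_hosts=3, nick_pattern=r'^bot-[0-9a-f]{4}$'):
    """Map channel -> sorted hosts when >= min_hosts templated-nick hosts join it."""
    nick_by_host = {}
    hosts_by_channel = defaultdict(set)
    for host, raw in records:
        msg = parse_irc(raw)
        if msg is None or not msg['params']:
            continue
        if msg['command'] == 'NICK':
            nick_by_host[host] = msg['params'][0]
        elif msg['command'] == 'JOIN':
            for chan in msg['params'][0].split(','):  # JOIN accepts a channel list
                hosts_by_channel[chan].add(host)
    nick_re = re.compile(nick_pattern)
    findings = {}
    for chan, hosts in hosts_by_channel.items():
        templated = {h for h in hosts if nick_re.match(nick_by_host.get(h, ''))}
        if len(templated) >= min_hosts:
            findings[chan] = sorted(templated)
    return findings
```

Because the grammar is fixed and the payload is plaintext, the same parser works on any IRC traffic regardless of which bot generated it; server or channel passwords travel in the same cleartext PASS and JOIN messages.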


Know What Data is Being Collected, and Why

Privacy and information leakage has become one of my favorite topics on the Security blog. It seems that an enormous amount of information is being willingly plastered all over the Internet, from which significant value can be extracted (especially when combined with other public, or more likely private, datasets). The results are mind-boggling, and the implications are not fully comprehensible. Yet another example of this came to light recently from security professional Roger Thompson’s blog.

As we described in the Cyber Risk Report for the week of December 14, Thompson had a credit card suspended because of fraud concerns. As he called to reactivate the card and prove his identity to the fraud division at his bank, he was asked questions regarding his daughter-in-law that were not things that should have been tied to him in traditional security questions. His assumption is that the information was gleaned from a public source, such as a social networking site.

Read More »