Today we announced our regularly scheduled, semiannual (that’s twice a year, not every other year) group of Cisco IOS Security Advisories, otherwise known as our “Cisco IOS Security Advisory Bundle.” Security Advisories are disclosed by the Cisco Product Security Incident Response Team (PSIRT) in response to vulnerabilities that have been discovered and/or reported, either internally or externally, in Cisco products. The term “bundle” was chosen since we now disclose a group of IOS-related Security Advisories at one time, as opposed to releasing advisories individually whenever they are ready for prime time. This one-at-a-time approach is what we had used for years until, back in March 2008, we decided to take the “bundle” approach, similar to Microsoft’s monthly “Microsoft Tuesday” event, which occurs on the second Tuesday of every month.
A few weeks back, I wrote a review of recent security industry reports, including one from McAfee that promoted Offensive Security. In it, I mentioned a reluctance to adopt a sweeping usage of the term “offensive” in describing security postures, using it only where it is appropriate. Further, I mentioned that:
“[I]n addition to choosing terminology carefully, organizations may not necessarily need to head down the road of advanced techniques if they are still struggling to get a handle on the basics.”
Microsoft’s recent success with active response (a much better term, in my opinion) further emphasized my point. What they accomplished with the Waledac takeover required fairly significant resources, determination, and expertise — and it was definitely collaborative. It will be interesting to see where these efforts go in the future.
Over the weekend, we updated a security resource that many of you have come to trust: the Cisco Security Intelligence Operations (SIO) Portal. Just as the threat landscape around us changes with time, the portal has also evolved, all while delivering timely security intelligence in a usable and intuitive manner. Throughout, we have continued to adapt the site to meet your needs.
The redesign was a direct response to your feedback. Not only did we review submitted visitor comments—using the permanent feedback mechanisms of the portal—but we commissioned a survey of 150 customers and facilitated an extensive focus group to help guide our efforts. The new SIO Portal features simpler navigation, naming, and categorization as a result.
What is “social engineering”? A simple working definition that I like is, “to induce an individual to take an action in which they otherwise would not engage.” This begs a second question, “What does this have to do with business?” It means that employees of businesses, both large and small, may become targets of unscrupulous and malevolent entities interested in obtaining the information or assets belonging to the business. The individuals may wish to engage in criminal behavior and break into your business headquarters, may attempt to follow an employee through the side door, or may speak to you on the telephone and ask you to share the phone number of an executive, provide your user ID and password, or reveal the physical whereabouts of a facility or executive.
In all cases, two factors are at play: compassion and urgency. The individual will attempt to trigger the target’s basic human trait to be helpful. The individual will also infuse a sense of urgency in their quest for information or specific action with the expectation that you won’t have sufficient time to verify their proffered bona fides.
So what happens before the phone rings or you’re faced with an unknown person either face-to-face, on the phone, in an instant message window, or via a Twitter/Facebook exchange?
Last month, my colleague Christopher Burgess shared some thoughts on the “double-edged sword” of location-based services at the Huffington Post. In his post, Christopher highlighted how these services could alternately be a benefit, and where they might cross a line and become undesirable. Recently, some US Federal courts have heard cases about the legality of GPS tracking, including how and when such tracking should require a search warrant. While it will be up to people with far more legal experience than I have to debate exactly how these decisions will impact individual rights vs. police or government powers, I do think that there is something to be concerned about from a purely technical viewpoint. Whether used by government officials or attackers who have unauthorized access to this information, location-based data could result in a person being picked from a crowd when they least expect it.