Cisco Blogs


Cisco Blog > Security

Fresh Reasons to Review The Company E-mail Policy

The recent decision for employee e-mail privacy and lawyer-client privilege by the New Jersey Supreme Court produced celebratory fist-bumps by groups ranging from the Employers Association of New Jersey (EANJ) to the National Employment Lawyers Association of New Jersey (NELA-NJ), the Association of Criminal Defense Lawyers of New Jersey (ACDL-NJ), and the New Jersey State Bar Association (NJSBA). As noted in last week’s Cyber Risk Report, the justices ruled that an employee “could reasonably expect that e-mail communications with her lawyer through her personal account would remain private, and that sending and receiving them via a company laptop did not eliminate the attorney-client privilege that protected them.”

Only a few years ago, the case of Stengart v Loving Care might never have gone to court because most companies didn’t pay much attention to employees’ electronic communications except to avoid human resource department issues.  Today, corporations have cyber and insider risks to guard against, regulatory and compliance requirements to adhere to, and legitimate business concerns that make monitoring a necessity, not an option.  The risk of not knowing what employees may be electronically communicating has increased dramatically.

Read More »

IDS and IPS

This is the third post in a series that focuses on a view from the trenches. In this post I will examine inline and passive intrusion prevention/detection installations. Although the industry trend is that the automation aspects of inline IPS make it more useful, does that mean that passive intrusion detection as a technology is obsolete? While the benefits of inline IPS are easy to see, I want to point out a few situations where it may still be useful to use passive intrusion detection.

There is a debate today on the value of IDS/IPS and whether IDS has to be inline to be valuable. (See my previous posts for more background on the merits of IPS.) At first, all intrusion detection was passive, looking for attack signatures on the wire. Of course predictively analyzing and detecting all attacks has an inherent conflict: if we can predict it enough to analyze it with a high degree of fidelity, we could just prevent it. This set the stage for an inline preventative IDS (IPS). The intrusion detection market has been progressively moving in this direction. One of the business influences leading to that trend could be described as follows:

A company has a small security team, they purchase and deploy IDS for $1000 and get many alerts; their security posture remains static. The company purchases SIM for $1000 to help manage alerts and their security posture remains static. The company then hires more people to tune, manage, and respond to their IDS deployment and, a year or two down the road and $100,000 later, they start to identify and reduce issues.

In today’s fast-changing world, the return on investment (ROI) is hard to justify and is a long time coming. Switch to IPS and that same small security team buys and deploy something inline for $1000 and their security posture starts to improve immediately. Is IDS dead? Is IPS the only way to go? Read on to find out.

Read More »

Tags: , , ,

None of Us is as Dumb as All of Us

A New York Times story last month described a new phenomenon in China in which groups of “netizens” hunt down wrong-doers through online crowd-sourcing and sleuthing. According to the story, a group of online vigilantes determined the identity of a woman who had posted a video of herself torturing and killing a kitten. Within a few days, the vigilantes were able to piece together clues and identify her by eliciting information from readers on Mop, a popular online forum. Ultimately, the woman and her camera man were publicly shamed and expelled from their public sector jobs, cutting them out of the prospect of pensions and lifetime employment.

Mob justice is nothing new, but the Internet moves it along faster than before. Also, the Internet expands the playing field from the proverbial village of twenty or so torch-bearing peasants to potentially the entire online world. In other words, the Internet’s gifts to mob justice are speed and reach. The kitten killer was picked out of a population of 1.3 billion Chinese in six days. But the problem with speed, when applied to an angry mob, is that it tends to skip over due process. The kitten killer story led me to three conclusions about online mass collaboration known as crowd-sourcing:

Read More »

The Cisco Secure Development Lifecycle: An Overview

Cisco has defined a development standard called the Cisco Secure Development Lifecycle (CSDL).  This process is designed to ensure that Cisco produces secure and resilient products by identifying and implementing specific processes or tools to enable engineers to detect, fix, mitigate and prevent design and code weaknesses that could become exploitable.

CSDL is a multi-layered defensive approach. First, we seek to ensure product security is integrated into the design and design review process through the use of baseline requirements and threat modeling reviews.  Secondly, we pursue a rigorous software development design process to detect, fix, and protect against potential software weaknesses. Finally, we utilize robust penetration testing to validate the effectiveness of the first two layers of our defense, and to identify and fix any resulting vulnerabilities.

Read More »

Safety in Situ

Photo credit: RobotshopDANGER, WILL ROBINSON, DANGER! MY SENSORS DETECT THAT YOU LIVE IN A HIGH RISK AREA FOR CYBERCRIME!

According to a recent press release from Symantec, some cities in the U.S. are more “vulnerable” than others, with Seattle at the top of list. Their methodology “analyzed data for each city including the number of cyberattacks and potential infections (data provided by Symantec Security Response), level of Internet access, expenditures on computer hardware and software, wireless hotspots, broadband connectivity, Internet usage and online purchases.”

While an argument could be made about a potential conflict of interest for a press release of this nature, I’d like to focus on what greater access to Internet connectivity means in terms of best practices, regardless of whether you are in Seattle or Shishmaref. As noted in a recent Cyber Risk Report, the study’s real conclusion has little to do with your actual location.

Read More »