Cisco Blogs



Understanding Security Through Probability

This post was also authored by Min-yi Shen and Martin Lee.

Security is all about probability. There is a certain probability that something bad will happen to your networks or your systems over the next 24 hours. Hoping that nothing bad will happen is unlikely to change that probability. Investing in security solutions will probably reduce the chance of something bad happening, but by how much? And where should resources be most profitably directed?

Cyber security is a complex environment with many unknowns and interdependencies. TRAC data scientists research this environment to try to understand how different variables affect security. Bayesian graph models are one of our most useful tools for understanding probabilities in security and for exploring how the likelihood of outcomes can be changed.


T-7: The Bundle Countdown Begins…

It’s that time of year again—the Cisco IOS Software Security Advisory Bundled Publication will go live in seven days. As a reminder, the Cisco Product Security Incident Response Team (PSIRT) releases bundles of Cisco IOS Software Security Advisories on the fourth Wednesday of March and September each calendar year. As is the case with the vast majority of our advisories, vulnerabilities scheduled for disclosure in these upcoming Security Advisories will normally have a Common Vulnerability Scoring System (CVSS) Base Score from 7.0 to 10.0.

To ensure you’re prepared for the upcoming publication, consider:

  • Creating a text file of all the Cisco IOS Software releases in your network
  • Assembling a simple list of Cisco IOS Software technologies and features you use
  • Noting your Cisco.com username and password
  • Locating the username and password for your Cisco IOS routers and switches
  • Ensuring network operation partners are prepared for the security advisory release
  • Reviewing the benefits of OVAL and CVRF content


Summary: Beyond Security Concerns: IoT Also Provides Security Benefits!

March 17, 2014 at 5:05 am PST

Security concerns surrounding the Internet of Things (IoT) are a topic that’s beginning to gain quite a head of steam lately, and for good reason. But it’s also important to note that IoT can dramatically improve the overall security posture of your organization.

Read the full Beyond Security Concerns: IoT Also Provides Security Benefits! blog post to learn more.


Navigating Security Threats in a Mobile World

Security plays an important role in the success of mobility implementations worldwide. We assume security threats are always present; however, it’s not always apparent where threats may arise from. Being aware of these potential risk areas is crucial.

Since mobility solutions offer users the ability to use devices on a range of networks and in a wide array of places, threats may come in unsuspected ways, or be inadvertently introduced into your enterprise’s network. For example, one recent study reveals that 80 percent of corporate security professionals and IT leaders recognize that “end user carelessness” constitutes the biggest security threat to an organization.

In addition, information from the Cisco 2014 Annual Security Report sheds light on the persistent security attacks that enterprises face. From hackers to malware, it’s clear that security threats arise from unsuspected places.

Given this knowledge, business decision-makers must gain insight into where these breaches are occurring. They should also understand why it is important for them to care, and how they can be aided by technical decision-makers to solve these issues moving forward. In this post I’ll discuss the where, the why and the how of embracing a secure approach to enterprise mobility and what it means for business leaders.


Mission to Helsinki

I grew up in Northern New York State, so a trip to Helsinki in the middle of February held no fears for me. Interesting things are going on in Finland from a cybersecurity point of view, so I jumped at the chance to speak to the Security Day conference in Finland’s capital city. The conference appearance was actually one stop on an itinerary that took me to three countries, two press conferences, and four customer visits…in five days.

In some ways, it’s a tribute to globalization that audiences all over the world share the same concerns about cybersecurity. Mobility, identity, explosive growth of an Internet of Things, and an increasingly malicious threat environment are as much on the minds of the people I met in Finland as they are in every part of the world I have traveled. I also found it notable that the Security Day conference celebrated its 12th anniversary this year with the largest number of attendees in its history.

My talk centered on three kinds of methods that can make it harder for cybersecurity adversaries to succeed. First, I recommend doing the basics—patching, asset inventories, identity management, visibility into device and user behavior—and doing them well. Here it is particularly important to eliminate any dark space in an infrastructure. It’s the assets and users that you don’t know about that will oftentimes create our largest risks.

Second, the security community has been innovating some delightful ways to lead adversaries on merry, frustrating chases. Virtualization, honey pots, software-defined network configuration changes, and systems set up to act as mineshaft canaries, can be used to bring frustration and confusion to the working lives of adversaries.

Third, I shared my thoughts on developing new kinds of metrics designed to reflect changing definitions of security effectiveness. These include heightened ability to measure…

  • Adversarial Dwell Time—Time required to detect an adversary entering a system.
  • Compromise Speed—Time required for an adversary to perform their mission.
  • Unmitigated Attack Duration—Time an attack operates before stopping it.
  • Adversarial Confusion Ratio 1—Ratio of time an adversary appears confused to the total time of an attack.
  • Adversarial Confusion Ratio 2—Number of incorrect adversary decisions to the number of correct decisions.
  • Cost Effectiveness Ratios—Cost of protecting an infrastructure and/or service to cost of losses, and cost of protecting an infrastructure to cost of restoring a service.

These proposed metrics probably justify a free-standing blog post in their own right, so stay tuned for that.

In summing up, I described the above methods as steps along the path of building a condition of information superiority over security adversaries. This means knowing more about the infrastructure, services, and users you protect than your adversaries as a precondition for the ability to act effectively.

There’s a lot more that can be said about this, and the more I talk to customers and security practitioners, the more I’m learning and processing to take these concepts further. That alone is one of the factors that makes cybersecurity so fascinating. There’s something new to learn and think about every day.
