Cisco Blogs


Cisco Blog > Security

Securing Mobile Data in the Event of Device Loss or Theft

September 4, 2014 at 6:00 am PST

As a business or technical leader, you know you need to protect your company in a rapidly evolving mobile ecosystem. However, threats are not always obvious. As malware and attacks become more sophisticated over time, business decision makers must work with technical decision makers to navigate security threats in a mobile world.

This blog series, authored by Kathy Trahan, will explore the topic of enterprise mobility security from a situational level and provide insight into what leaders can do now to mitigate risk. To read the first post focused on securing device freedom, click here. The second post, available here, focused on the risks that come with mobile connections. Kathy’s third post outlined three top considerations leaders must consider when examining their current mobile data security plan. The fourth post in this series highlights how security compliance is necessary for real-time mobile data access. – Bret Hartman, Chief Technology Officer (CTO) for Cisco’s Security Technology Group

Many of us have experienced that panicked “oh no!” moment when we’ve misplaced a mobile device or worse, found out it was stolen. The stakes are raised even higher when a lost or stolen device is company issued, or a personal device an employee uses for business purposes and contains sensitive data.

According to a recent report, more than 3.1 million smart phones were stolen just in America last year alone. This same report revealed that 34% of people took no security measures at all to protect sensitive information – not even a simple four-digit password. 51% of end users use their smartphone to perform daily business activities.

Read More »

Tags: , , , , ,

Behind the Music: The New Threat Management with NextGen IPS CVD

If you’ve ever caught an episode of VH1’s Behind the Music, the TV series that profiles rock bands and personalities, you may agree with me that it can be fascinating. I especially like the interviews about the creative process. I’ve learned that great songs can come from just about anywhere. And that a talented group of people working together can produce amazing results.

When it comes to our Secure Data Center for the Enterprise Portfolio CVDs (Cisco Validated Designs), that’s exactly what happened. We just released the fourth CVD: Threat Management with NextGen IPS, which focuses on giving you a full set of capabilities for a threat management system. But it’s also aware that the data center has to remain efficient and support other business goals while it’s defending against cyber attacks. Read More »

Tags: , , , , , ,

Filtering Explicit Content

Many web sites provide a setting to reduce the amount of explicit, or objectionable, content returned by the site. The user configures these settings, but many users are unaware such a setting exists, or that it needs to be set for each web site. Additionally, the security administrator cannot audit that users have configured the setting. As a result, users can be exposed to objectionable content or can inadvertently trigger filtering of objectionable content on the Cisco security service (Cisco WSA or CWS), sometimes causing uncomfortable questions from human resources or from management.

An emerging standard defines a new HTTP header, “Prefer: Safe,” which does not require the user to configure each web site. This feature is implemented by Firefox, Internet Explorer 10, and Bing. We anticipate more clients and more content providers will support this emerging standard.

Both Cisco Web Security Appliance (WSA) and Cloud Web Security (CWS) support this emerging standard, and can be configured to insert this header on behalf of HTTP and HTTPS clients. In this way, the security administrator can cause all traffic to default to avoiding explicit or objectionable content, without relying on users to configure their browser or to configure each visited web site.

Tags: , , , , , ,

You’re Only as Secure as Your Weakest Link: Operationalizing Security

I am reminded of the wisdom of the old saw that “no news is good news” as almost every day brings us headline after headline highlighting that yet another company has experienced a systems breach and valuable data has been compromised. Companies continue to increase the amount of money spent on cyber security in an attempt to stay ahead of the attackers, and identifying the right level of investment in the right security solutions remains a challenge. In talking with the Chief Information Security Officer (CISO) of a large enterprise recently, we were somewhat taken aback by his candid feedback that the quickest way to still draw business attention -- and funding -- for cyber security projects, is to suffer an actual breach! Read More »

Tags: , , ,

Social Engineering:
 Finding the Weak Links In-Person

An enterprise can pay hundreds of thousands of dollars or more for the latest security software and imagine itself protected from targeted attacks that come in via the network. But if the threat is a real-live person who walks in the front door of an office or server farm, what good can the network edge software do?

Clever criminals are seeing bigger payoffs in showing up on-site to physically plug into a network rather than crafting phishing emails with links that lead to compromised websites. (Not to say that spam and other online social engineering campaigns have gone away; see the Cisco 2014 Midyear Security Report for more.) Simply being able to plug into an Ethernet connection or unplug an IP phone and use that cable to access network information can have serious consequences. Social engineering is the act of hacking people. Therefore, people—your employees—become the weakest link in your digital and physical security posture.

Criminals use similar tactics for social engineering an in-person visit as they do with emails and compromised websites. The point is to build trust (albeit misplaced) with someone who can grant access to company premises.

By researching a targeted employee on LinkedIn—for instance, discovering everything from the tasks they perform on the job to where they went to college and which sports teams they like—the criminal can present himself or herself as someone the target might know or have reason to trust. Thanks to the popularity of social networking, especially among professionals, there is a wealth of information and photos easily available to anyone who needs to get a literal foot in the door.

Armed with background information gleaned from online searches, a criminal can pretend to be a journalist and request an interview or claim to be a potential partner or customer and ask for an in-person visit. The criminal might also wear a fake badge to provide the illusion of authority.

Criminals have also figured out that they do not need to launch such scams at the front door of the organization they are targeting. Instead, they will target a weaker link: that is, a less secure business partner or supplier that has access or connectivity to their real target, which is the network. This is an especially effective technique to use when the security of a target is high, but the security of a trusted business partner of your target is not. Hackers will always try to find the easiest route in.

A mitigation approach for social engineering-based security breaches that involve gaining physical network access is to make sure network access ports enforce authentication and authorization before granting network access.

In addition, organizations can build “dynamic security domains” per user, per device, per user and device, or any other configuration needed. These dynamic security domains can use technology such as 802.1x, port access-control lists (ACLs), VPN, and host posture assessment.

For more security trends from the first half of 2014, download the Cisco 2014 Midyear Security Report.

Tags: , , ,