This week, Cisco provided comments on the Department of Commerce’s Bureau of Industry and Security (BIS) proposed cybersecurity regulations. These comments reflect the realities of how Cisco looks to protect both our customers and our products. They also emphasize the critical role that security researches, access to tools, and qualified talent have in cybersecurity.
Cisco has hundreds of dedicated security engineers and researchers throughout the company and around the globe, who use the latest and greatest tools and techniques to test our technology. We proactively attempt to break into our own products, our own services, and our own networks, in order to close identified weaknesses and vulnerabilities as soon as possible and to develop better protections against attack. Many of these same people are responsible for investigating reported vulnerabilities or compromises of our products and running these reports to ground with absolute certainty. In doing this, we have resolved countless bugs and vulnerabilities and continue to improve the security of our products with what we learn. Along the way we have discovered many interesting and creative adversaries and certainly learned that there are some very resourceful people out there. Read More »
In this environment of advanced threats along every point of the value chain, I’d like to talk about what it means for you, our customers and partners, to have supply chain security throughout the product lifecycle.
I’ve just finished a short video on this topic. I’d love to hear your feedback, insights and suggestions on securing the product supply chain.
Not long ago I was asked to attend a quarterly Board meeting of one of my healthcare clients and to present the recommendations of a Strategic Security Roadmap (SSR) exercise that my team and I had conducted for the organization. The meeting commenced sharply at 6am one weekday morning and I was allocated the last ten minutes to explain our recommendations and proposed structure for a revised Cybersecurity Management Program (CMP).
The client Director of Security and I waited patiently outside the Board Room while other board business was conducted inside. As is the case with many organizations, information security was not really taken seriously there, and the security team reported into IT way down the food chain, with no direct representation in the C Suite. The organization’s CMP had evolved over the years from anti-virus, patching and firewall management into other domains of the ISO27002 framework but was not complete or taken seriously by those at the top. Attempts at building out a holistic security program over the years had met with funding and staff resource constraints and Directors of Security had come and gone with nothing really changing. Read More »
I recently had the opportunity to sit down with Roland Cloutier, Global Chief Security Officer at ADP and former CISO at EMC, to discuss how they integrate and leverage threat intelligence into their security operations centers as well as their greater security technology infrastructure. It’s pretty rare for the CISO of a F500 company to discuss what technologies they use in such an open way, but it was really a testament to the trust they have for the solutions they have chosen. To hear Roland discuss it himself, watch the video at the end of this post or read the case study.
ADP had created a much more proactive, and dare I say “predictive” security program than most. They are consuming threat intelligence from numerous sources including AMP Threat Grid to create what Roland dubbed ‘intelligence-led decision making.’ How is this different from today? Most security organizations, whether it’s analysts in the Security Operations Center (SOC) or the <<other group>> tend to be in a very reactive mode. They see an alert pop up on screen and start to scramble. It’s tough to get ahead of the game when the technology you’ve invested in is merely a reactive one. Roland and his team have spent the time to develop and execute on a strategy that has flipped this model and puts them in a very proactive situation. So how have they done this? A few key elements: Read More »
Talos is releasing an advisory for multiple vulnerabilities that have been found within the Total Commander FileInfo Plugin. These vulnerabilities are local denial of service flaws and have been assigned CVE-2015-2869. In accordance with our Vendor Vulnerability Reporting and Disclosure policy, these vulnerabilities have been disclosed to the plugin author(s) and CERT. This post serves as a summary of the advisory.
Credit for these discoveries belongs to Marcin Noga of Talos.
An attacker who controls the content of a COFF Archive Library (.lib) file can can cause an out of bounds read by specifying overly large values for the ‘Size’ field of the Archive Member Header or the “Number Of Symbols” field in the 1st Linker Member. The second half of the vulnerability concerns an attacker who controls the content of a Linear Executable file can cause an out of bounds read by specifying overly large values for the “Resource Table Count” field of the LE Header or the “Object” field at offset 0x8 from a “Resource Table Entry”. An attacker who successfully exploits this vulnerability can cause the Total Commander application to unexpectedly terminate.
These vulnerabilities has been tested against FileInfo 2.21 and FileInfo 2.22.
Finding and disclosing zero-day vulnerabilities responsibly helps improve the overall security of the devices and software people use on a day-to-day basis. Talos is committed to this effort via developing programmatic ways to identify problems or flaws that could be otherwise exploited by malicious attackers. These developments help secure the platforms and software customers use and also help provide insight into how Cisco can improve its own processes to develop better products.