Cisco Blogs


Cisco Blog > Security

New Security White Paper: Unified Computing System (UCS) Hardening Guide

Check out the new Cisco UCS Hardening Guide white paper which is now released  and available on the Cisco Security Portal. The paper outlines and highlights security best practices for Cisco UCS.

This paper provides information to help users secure Cisco Unified Computing System (Cisco UCS) platform and provides guidance on how to harden Cisco UCS Software features.  The paper provides references to lots of related documentation.

Please access it using the following URL: http://www.cisco.com/web/about/security/intelligence/ucs_hardening.html

Tags: , ,

Announcing the IoT Security Grand Challenge Winners

The Internet of Things (IoT) is exponentially increasing the number and type of attack vectors, creating many new cybersecurity challenges for organizations and those responsible for defending the infrastructure. These new threats to data and physical security are a top concern for organizations as they seek ways to gain greater operational efficiencies and power new business models by expanding connections between people, process, data and things. Cisco understands that protecting all of the interactions of the IoT is crucial in enabling people and organizations to benefit from these advances.

The IoT requires new models for innovation, new architectures and new approaches to cybersecurity. With this in mind, earlier this year, we announced the Internet of Things Security Grand Challenge. As part of this industry-wide initiative, we invited the global community to propose practical security solutions to address the new security challenges the IoT and IoE presents. This initiative is one of several global efforts at Cisco to accelerate industry innovation and the adoption of breakthrough technologies that will contribute to the growth and evolution of the IoT.

Our outreach to the global community generated more than 100 entries from leading universities, businesses, industry start-ups and entrepreneurs worldwide with proposals for solutions in the following focus areas – Malware Defense, Security Credential Management and Privacy Protection.

After an extensive review process conducted by a team of experts, Cisco chose four innovative IoT security solutions as the winners of the Internet of Things Security Grand Challenge. These winners represent some of the most innovative approaches to enable people and organizations to benefit from IoT. Each winner selected was awarded $75,000 USD and is being showcased this week at the Internet of Things World Forum. The winning entries are:

  • Cornell Tech and Rice University: Physical Proof-of-Presence Protocols (P4) for Transient Connections in the IoT
  • Excalibur: Context-Aware Blockchain Naming / Discovery /Authentication
  • Carnegie Mellon University: Dynamically Controlling IoT Privacy Risks and Trade-offs with Fog Mediation
  • Aircloak and the Max Planck Institute for Software Systems: Anonymized Analytics through Cloaking

To learn more about the winners, visit https://ninesights.ninesigma.com/web/cisco-gc.

As more organizations adopt new business models related to the Internet of Everything (IoE) and IoT, their security solutions and processes must also adapt with this change. Now more than ever, organizations must be enabled to implement dynamic controls to manage the pace of change in their environments and address security incidents—before, during and after an attack.

Congratulations to the winners and for those of you who are at the IoT World Conference, be sure to check out the winning entries! www.ciscosecuritygrandchallenge.com

POODLE and The Curse of Backwards Compatibility

This post was written by Martin Lee

Old protocol versions are a fact of life. When a new improved protocol is released, products still need to support the old version for backwards compatibility. If previous versions contain weaknesses in security, yet their continued support is mandated, then security can become a major issue when a potential weakness is discovered to be a genuine vulnerability and an exploit is released.

The Transport Layer Security (TLS) protocol defines how systems can exchange data securely. The current version 1.2 dates from August 2008, however the protocol’s origins lie in the Secure Sockets Layer (SSL) standard first published in February 1995. As weaknesses in the cryptography and flaws in the protocol design were discovered, new versions of the protocol were released.

In order to maintain interoperability the most recent TLS standard requires that systems support previous versions down to SSL 3.0. The discovery of a cryptographic weakness in SSL 3.0 and the publication of an attack that can exploit this provide attackers with a means to attack TLS implementations by intercepting communications using the old SSL 3.0 protocol.

The vulnerability, assigned the Common Vulnerability and Exposure ID CVE-2014-3566, and referred to as POODLE, allows an attacker to modify the padding bytes that are inserted into SSL packets to ensure that they are of the correct length and replay modified packets to a system in order to identify the bytes within a message,  one by one. This allows an attacker to discover the values of cookies used to authenticate https secured web sessions. Nevertheless, the vulnerability potentially affects any application that secures traffic using TLS, not only https traffic. Read More »

Tags: , , , , ,

Naughty Users! Protect Your Endpoints From Users’ Bad Behavior

Every organization needs to face the fact that breaches can and do happen. Hackers have the resources, the expertise, and the persistence to infiltrate any organization, and there is no such thing as a 100 percent effective, silver-bullet detection technology. As security professionals, we tend to focus on what we can do to defend directly against hackers that will infiltrate a system. But, what about our own users? Increasingly we need to look at how user behavior contributes to attacks and how to deal with that.

The 2013 Verizon Data Breach Investigation Report found that 71 percent of malware attacks target user devices. And, the 2014 report finds that the use of user devices as an attack vector has been growing over time, probably because they offer an easy foot in the door. According to the 2014 Cisco Midyear Security Report, global spam is at its highest level since 2010 and that’s just one technique targeted at end users. “Watering hole” attacks, phishing, and drive-by attacks launched from mainstream websites are all popular ways to target devices. And, then there’s the shadow IT phenomenon where users will ignore approved corporate standards to use the hottest technologies or whatever device or application will help them get their job done faster, better, and easier.

Educating users is important. They need to be wise to attackers’ techniques and the dangers that unsanctioned websites and applications can present. Also, putting policies in place to restrict user behavior can go a long way toward preventing malicious attacks that often rely on relatively simple methods. But it is not enough.

Read More »

Tags: , ,

Microsoft Update Tuesday October 2014: Fixes for 4 0-day Vulnerabilities

This post was authored by Yves Younan

Microsoft Tuesday is here once again and this month they are releasing a total of eight bulletins. Three of which are rated as critical, while the remaining five are rated as important. There’s a total of 24 CVEs this month, 20 of which were privately disclosed to Microsoft and four which are either publicly known or under active attack, making them 0-day vulnerabilities. Of those four, two are being actively attacked, while two have been publicly disclosed but do not seem to be under attack for supported software. Of the 24 CVEs, 15 are categorized as allowing remote code execution, four as elevation of privilege and three as security feature bypasses.

Read More »

Tags: , , , , ,