Cryptography is critical to secure, trustworthy communications. Recent questions within the tech industry have created entirely new discussions about the cryptography underpinning our communications infrastructure. While some in the media have focused on the algorithm chosen for Deterministic Random Bit Generation (DRBG), we’ve seen many more look to have a broader crypto conversation. With this backdrop, I’d like to take the opportunity to talk about how we select algorithms (not just the DRBGs) for our products.
Before we go further, I’ll go ahead and get it out there: we don’t use the DUAL_EC_DRBG in our products. While it is true that some of the libraries in our products can support the DUAL_EC_DRBG, it is not invoked in our products. For our developers, the DRBG selection is driven by an internal standard and delivered to those developers from an internal team of crypto experts through a standard crypto library. The DRBG algorithm choice cannot be changed by the customer. Our Product Security Incident Response Team (PSIRT) confirmed this in a Security Response published on October 16.
Tags: cryptography, DUAL_EC_DRBG, security, Security Response
Now when I’m talking about safekeeping a mobile device, I’m not saying don’t use your Kindle by the pool or let your toddler play on the iPad while eating ice cream. These are dangerous things to be doing with a gadget, but today I want to focus more on the data within that device, rather than the device itself.
No matter what you do, your device may be stolen. It only takes a moment of inattention for someone to swipe your phone or tablet. Before that unfortunate event occurs, there are several things that you can do to mitigate the damage that occurs from the loss of a mobile device.
Tags: data retention, encryption, mobile, ncsam-2013, passwords, phone, security, Storage, tablet
Now that we’re in the midst of October 2013’s Cyber Security Awareness Month, it’s a good time to think about the connections between security awareness and trust. This discussion centers on three questions:
- How do we trust our computers and devices?
- How do we trust our vendors?
- How do we trust the infrastructure?
We ask these questions mindful that information technology does not stand still and is probably accelerating. Forward progress, however, is unsustainable if we can’t trust the technologies we use. I don’t foresee any scenario where technology progress will come to a halt, but there are many ways it can fly off the rails if we’re not careful. This may sound dire, but I remain an optimist by nature and believe we can confidently move ahead if we take the time to think about security and trust and act on our conclusions. Cyber Security Awareness Month is a good opportunity to think about this, and I have more to say in the video blog post below:
Tags: Cyber Security Awareness Month, ncsam-2013, security awareness, trust
Many Cisco customers with an interest in product security are aware of our security advisories and other publications issued by our Product Security Incident Response Team (PSIRT). That awareness is probably more acute than usual following the recent Cisco IOS Software Security Advisory Bundled Publication on September 25. But many may not be aware of the reasoning behind why, when, and how Cisco airs its “dirty laundry.”
Our primary reason for disclosing vulnerabilities is to ensure customers are able to accurately assess, mitigate, and remediate the risk our vulnerabilities may pose to the security of their networks.
In order to deliver on that promise, Cisco has made some fundamental and formative decisions that we’ve carried forward since our first security advisory in June 1995.
Tags: advisories, Cisco Security, incident response, IOS, ncsam-2013, psirt, vulnerability
April first falls on a Tuesday next year. The following Tuesday is Microsoft’s monthly security update. It will be the last monthly security update for the Windows XP operating system. About one third of the computers with Windows operating systems on the Internet today are still running Windows XP, an operating system almost 15 years old. After the April 2014 update, issues with Windows XP will no longer be patched; Windows XP users should have already migrated to a more current Windows version. So with that we present, David Netterman’s Top Ten Security Related Reasons Why You Should Upgrade Your Computer’s Old Operating System:
Tags: EoL, MAPP, ncsam-2013, security, update, Windows XP