Cisco Blogs


Cisco Blog > Security

Targeted Attack, Targeted Response: Designing and Implementing an Incident Response Plan That Works

September 4, 2012 at 7:30 am PST

A few weeks ago I had the pleasure of participating, as a guest speaker, in a webinar titled “Targeted Attack, Targeted Response: Designing and Implementing an IR Plan That Works.” Joe Riggins, Senior Director of Incident Response for HBGary, moderated this Q&A format webinar. We discussed the current incident response (IR) challenges companies are facing, as well as specific steps organizations can take to design, test, and successfully implement an ongoing IR plan for their specific business environment.

The webinar recording can be accessed here.

Read More »

Tags: ,

Global Correlation: IPS + SIO = Greater Protection

The Cisco Intrusion Prevention System (IPS) includes Global Correlation capabilities that utilize real-world data from Cisco Security Intelligence Operations (SIO). We have seen on this blog before how IPS Global Correlation can be used to detect and validate the urgency of emergent threats as well as allow our team to hone the protection capabilities of our IPS Sensors.

Perhaps more fundamentally however, Global Correlation allows Cisco IPS Sensors to filter network traffic using the “reputation” of a packet’s source IP address. The reputation of an IP address is computed by Cisco SensorBase using the past actions of that IP address. IP reputation has been an effective means of predicting the trustworthiness of current and future behaviors from an IP address.

Our team has recently published a new white paper that explores the benefits of IPS Global Correlation and how they relate to various IPS deployment scenarios. I would like to share a couple of items from the white paper and encourage you to read it for more information.

Read More »

Tags: , , ,

New Java Vulnerability Used in Targeted Attacks

Security researchers discovered a Java vulnerability (documented in IntelliShield alert 26751) that attackers are using to install malicious software on a victim’s systems. No software updates are available that correct the vulnerability (Updates are now available, see Part 2 of the blog).  The attacks are currently limited in nature. There have been few reports of attacks that rely on the vulnerability. Now that Metasploit developed a functional exploit, continued attacks that leverage this vulnerability increase in likelihood as time goes on. US-CERT has issued a related vulnerability note. Administrators can monitor this and other ongoing activity at the Cisco Security Intelligence Operations portal.

It is not yet clear what attackers hope to gain out of the attacks observed in the wild. Goals may differ between individual attacks. Current exploits appear to install a malicious software dropper that may install other malicious software, but to what end is unknown. Attackers may attempt to install malicious software that monitors keyboard input and network communication, hoping to gain user credentials for either external resources to aid in fraudulent activity or to access other internal systems within the targeted site.
Read More »

Tags: , , ,

Bundled Third-Party Software Security at OSCON 2012

The practice of using Open Source Software (OSS) and other third-party software (TPS) to build products and services is well established. Not only can it create tremendous efficiency--why build an operating system or web server if you don’t need to?--it also allows individual products to leverage best-of-breed functionality. This best-of-breed functionality can be critical on today’s Internet as security and scalability are often difficult or even patently ignored until it is too late.

The use of TPS to build things has been so successful and is so widespread that many products may even be assembled from a majority of software written by unknown third parties. This practice is not without its challenges. One of those challenges is security.

How does the security of a product’s constituent TPS affect its own security? How does the creator of the product learn of, manage and ultimately resolve security issues that originate in the relevant TPS packages?

These are the types of questions I attempted to address during a recent presentation at O’Reilly OSCON 2012. During that session I touched on seven challenges and offered five tools that I believe can make a difference.

Our friends on the Cisco Security Marketing team have posted the slides from that presentation online at slideshare.net.

Managing the Security Impact of Bundled Open Source Software from OSCON from Cisco Security

Is this an area of concern for you? If it is, I’d like to know how you are tackling it. What is working well? What is working not-so well?

Tags: , , ,

Who Keeps Your IPS Up To Date?

The realm of Network security encompasses many perspectives and interests as is evident from the wealth of articles prevalent across the media and availability of various proactive protection measures. One particular technology recognized as integral to securing a network is the Intrusion Prevention System (IPS), which is used to detect and prevent suspected malicious network traffic or behavior. However, an IPS is not just a ‘set-it-and-forget-it’ type of solution. This is because of the necessity of employing current Cisco IPS signatures, which are the lifeblood of the IPS and are essential for it to identify and block attacks against specific vulnerabilities or certain types of threats. Because new threats and vulnerabilities are constantly being discovered, the IPS signature database for an IPS-capable device needs to be kept current to maximize the level of protection that it can provide. If you already use Cisco IPS technology, then you might already be familiar how crucial it is to use the most current IPS signatures. Otherwise, the IPS solution cannot provide optimal protection against new threats and attacks. Cisco IPS owners with a Cisco IPS Services License understand this fact and can receive signature updates as they become available. Signature updates can be installed manually or downloaded and installed automatically using native Cisco IPS capabilities or management tools such as Cisco Security Manager. For those inclined to write their own signatures, Cisco has published documentation on how to write customer signatures for the IPS.

And while the signatures are the “lifeblood” of the IPS and keeping them current is paramount, it is also important to make sure that the underlying operating system is kept up to date on the sensor as well. The underlying operating system and engines decompose and analyze the traffic as it passes through the device. Things like protocol decoding, features, and evasion resistance are handled here. The engines work but do not alert without the signature set as the signatures provide the matching framework for an alert to fire. The same can be said about the signatures. They do not work without the engines. Each requires the other to function and therefore keeping them both current is important.

Read More »

Tags: , , , , , , ,