Let’s Hack Some Cisco Gear at SecCon!

December 18, 2012 at 8:54 am PST

Cisco SecCon 2012 brought together hundreds of engineers, live and virtually, from Cisco offices around the globe with one common goal: to share their knowledge and learn best practices about how to increase the overall security posture of Cisco products.

It is amazing to see how many definitions the word “hack” has out on the Internet. Just look at Wikipedia: http://en.wikipedia.org/wiki/Hack. In short, the word “hack” does not always mean a “bad” or “malicious” action.

I’ve had the opportunity and honor to present at SecCon several times, 2012 being my fourth year. My session this year was titled “Cisco PSIRT Vulnerability Analysis: What Has Changed Since Last SecCon”. As you probably already know (or might have guessed), I’m part of Cisco’s Product Security Incident Response Team (PSIRT). During my talk I went over an analysis of the vulnerabilities that were discovered, driven to resolution, and disclosed during this past year, as well as lessons learned from them. I also highlighted several key accomplishments Cisco has achieved during the last few years. For example, Cisco now has the ability to correlate and patch third-party software vulnerabilities. Additionally, we have grown Cisco’s Secure Development Lifecycle (CSDL) into a robust, repeatable and measurable process. As Graham Holmes mentioned in a recent blog post:

Our development processes leverage product security baseline requirements, threat modeling in design or static analysis and fuzzing in validation, and registration of third-party software to better address vulnerabilities when they are disclosed. In the innermost layer of our products, security is built in to devices in both silicon and software. The use of runtime assurance and protection capabilities such as Address Space Layout Randomization (ASLR), Object Size Checking, and execution space protections coupled with secure boot, image signing, and common crypto modules are leading to even more resilient products in an increasingly threatening environment.

Cisco Wraps Up 5th Annual SecCon Conference

Having recently wrapped up the 5th Annual Cisco SecCon Conference, I’d like to take this opportunity to share with you what Cisco SecCon is and the benefits to our products and you, our customers. With that, let’s start with a brief overview!

What is Cisco SecCon?

SecCon is a security conference for Cisco engineers that focuses on two critical elements of a healthy corporate security intelligence: 1) expanding knowledge for all and 2) building a sense of community. We allocate two days for intensive hands-on security training, followed by two general session days to discuss a variety of security topics, including:

  • Cisco Secure Development Lifecycle
  • Best practices for security test suites
  • Cutting-edge cryptography
  • Implementation challenges
  • Current threat landscape
  • Vulnerability trends

Bringing Up the Social Media Baby

According to a Nielsen study, social media is no longer in its infancy. No kidding.

During the November military confrontation between Israel and Hamas, social media played a very grown-up role. What distinguished it from past politically-charged social media exchanges was the participation of state and pseudo-state spokespersons. Official announcements were issued by the Israeli Defense Forces (IDF) and Hamas’ Al-Qassam Brigade via Twitter and Facebook in near real-time.

  • The IDF announced the initiation of the military campaign via Twitter, and tweeted in caps that it had “ELIMINATED” Hamas military commander Ahmed Jabari in an airstrike.
  • The Brigade responded with threats of retaliation; both sides posted minute-by-minute updates as the fighting unfolded.

The evolution of social media into an official communications venue should come as no surprise. It follows a time-honored pattern of disruptive ideas and technologies gaining acceptability as they move into the mainstream. The Nielsen Social Media 2012 study tells us that 30 percent of individuals’ mobile device time is spent accessing social media. That qualifies as mainstream.

Network Attacks: The Who, What, Where and Why

As security practitioners, we generally see three types of perpetrators with different motives:

  • Financial
  • Political
  • General trouble-making

Each of these attackers can display various levels of organizational structure:

  • Individual
  • Well-organized, persistent group
  • Ad-hoc groups pursuing a common purpose

Each of these subsets has its own techniques and goals, but unfortunately any of them can strike anywhere, at any time.

As different attack types come in and out of vogue, we are closely watching all of these perpetrators and their preferred methods of attack to better understand how to recognize and counteract them.

In the video linked here, I discuss some of the latest threat trends, and how businesses and individuals can prepare and protect themselves.

The Power of Mobility & Learning

December 11, 2012 at 11:18 am PST

The mobility trend holds great promise for improved productivity and new engagement models. These are most powerful in a learning effort—imagine learning anywhere and anytime. I just wish I had the Internet and the mobility that students have today when I went to school. Yet mobility is an IT tsunami that will not recede. One of the most damaging aspects of this storm is the possibility of numerous personal devices entering organizations, accessing the network and eventually critical assets, and stealing sensitive data or unintentionally bringing in malware. Many people know this as BYOD, or bring your own device. The phrase is not new, but the trend is still quite prevalent. Inventory and provisioning of personal mobile devices is just the tip of this wave. Organizations want to control mobile devices to ensure acceptable usage and minimize security incidents.