Cisco Blogs


Cisco Blog > Security

Cisco Security Disclosure: Help Us Help You!

April 15, 2013 at 4:00 am PST

Wow! We just published our tenth bundle of Cisco IOS Software Security Advisories and what a ride it’s been!! Way back when in the fall of 2008 when we produced our first Cisco IOS Software Security Advisory bundle, we had no idea of the impact that this delivery format would have on us internally and, more importantly, on you -- our customers!! The decision to deliver the biannual (on the fourth Wednesday of every March and September) Cisco IOS Software Security Advisory Bundled Publication brought with it many challenges, process changes, and—in the end—a format for Cisco Vulnerability Disclosure that we hope addresses at least some of your concerns. This format was modeled after the scheduled monthly release used by Microsoft for years, known affectionately as “Microsoft Tuesday” and based on requests we heard through discussions with many of our customers.

Read More »

Tags: , , , ,

Making Global Threat Intelligence Locally Actionable

When we talk about using the network to gather threat intelligence on a global basis, the question arises: how does someone apply that intelligence to protecting their local IT infrastructure? The key lies in maintaining a high degree of situational awareness. This begins with understanding what you are trying protect and what might interfere with it. From there, you can distinguish between relevant and irrelevant intelligence, and then act to protect the things that matter from the threats that could harm them. Read More »

Tags: , , ,

Vectoring to a New Mission

A couple of weeks ago, I announced a new name and a new mission for the group I lead at Cisco. I’ll do my best to minimize reader exposure to boring administrative details, but the long and the short of it is that the former Cisco Global Government Solutions Group (GGSG) has become the Cisco Threat Response, Intelligence, and Development (TRIAD) organization.

Any organizational name change is only a label placed on more fundamental transformations in missions, strategies, and desired outcomes. While the new organization will continue to serve government customers, the time has come to mobilize the expertise we have built up over the years to help critical infrastructure and enterprise customers strengthen their abilities to deliver IT-based services and value with minimal disturbance from unauthorized sources.

Vectoring the organization’s mission to threat is the key to understanding what TRIAD is all about. Through our work with Cisco customers, observation and analysis of phenomena visible in Cisco and customer networks, and application of innovative thinking about security practices and processes, we see enormous potential for developing and delivering threat-focused approaches to cyber security into products, services, and solutions. Read More »

Tags: , , , , , , ,

A Programmatic Approach to Using Cisco’s Security Intelligence Feed

If you’re an end-user or manager of software that has publicly known security vulnerabilities, wouldn’t you want to know about it? If you’re a software developer, wouldn’t you want to know if there are third-party software vulnerabilities that may impact your applications or products?  Do you have a patch management compliance requirement for managing software vulnerabilities? I presume the answer is a resounding “Yes” to each question that applies to you. Anything we, as cyber security professionals, can do to help automate the vulnerability management process, while integrating security intelligence into that process from both an end-user and developer perspective, is a good thing. In this post, I will discuss Cisco’s Application Programming Interface (API) that exposes security intelligence as a direct data feed into applications or portals. The API is known as the IntelliShield Security Information Service (ISIS) and has proven effective to answering these leading questions.

“Continuous improvement in vulnerability management practices is imperative to keeping pace with the changing security environment as a result of evolving threats as well as new products and technologies” Russell Smoak, Cisco Systems, Cisco 2013 Annual Security Report

The above quote underscores the importance of striving to raise the bar in protecting against vulnerabilities, which may be exploited in your environment, or in the case of a developer, the products you provide to your customers. Cisco uses ISIS several ways, both internally and externally. Internally, Cisco takes advantage of custom-built tooling that uses vulnerability data from Cisco IntelliShield to notify the product development teams when a security issue originating in third-party software may impact a Cisco product. This tool has greatly increased the ability to manage security issues that originate in non-Cisco code. Externally, ISIS is used to provide the content to several sections accessible through the Cisco SIO portal. A couple of examples include:

  1. IOS Software Checker: this tool is used to query Cisco IOS Software Releases against published Cisco Security Advisories.
  2. Security Alerts: this tool provides an “At-A-Glance” type of view of security events such as vulnerability exposures.

Technically, ISIS provides a set of services that support application-to-application interaction using SOAP over the HTTPS protocol, allowing clients to develop ISIS-dependent applications that are not dependent on the technologies used to implement ISIS. The only dependency is for the client to have the ability to produce a SOAP message, send it to ISIS over HTTPS, and ultimately decompose the SOAP response. These services also allow clients to filter the security intelligence based on various inputs, enabling clients to align IntelliShield security intelligence with the unique business needs of their environment. Read More »

Tags: , , , ,

Tips and Tricks: Nmap is still relevant

Anecdotally, it would take about a week for a single machine to ping sweep the Internet. That would be approximately 4 billion IP addresses, essentially the whole Internet. In theory, this includes every single military address, every single ISP, every home user, and every mobile device. Such a port sweep does not include all options, UDP, and Nmap Scripts, as that would take too long. But what if I want to run the same scan to my home IPv6 range? It will have a /64 allocated to it, or about 18 quintillion addresses. Let’s compare a sweep of the entire Internet with my home IPv6 range:

  • The Internet: 2^32 = 4,294,967,296 [1]
  • The home range from my ISP: 2^64 = 18,446,744,073,709,551,616 [2]

A stark difference! So, how will I scan this? Is that just one network? I am Moses Hernandez, and this is one of my tips and tricks in this series. This post is about the venerable Nmap. Read More »

Tags: , , ,