Cisco Blogs


Safety first, business second, security none?

Based on 25 years of professional experience in various businesses around the globe, I can say that many industry verticals have a pretty good state of safety culture as it relates to the health and safety of their employees.  This is especially true for companies involved in high-risk businesses such as oil and gas, (nuclear) energy, manufacturing, chemicals, food processing, and so on.  In such industries, it is pretty clear that there is a risk that something may blow up, hurt, or even kill people.

However, it seems that the next big driver for them is business alone, and they are not as focused on information or IT security when it comes to the logic side of security like bits and bytes, document handling of confidential information, and similar subjects.  This is in stark contrast to their keen attention to physical safety and security issues.

It would seem intuitive that any organization with a commitment to safety, one that counts (and incentivizes) the hours (days, weeks, months, …) of safety-incident-free time, should also be easy to convince that taking a similar approach to information security would be a good thing. But it is not that easy.  Operations in these businesses are very physical, so it is not really in the mind-set of a rig guy or gal, a welder, a component mixer, machine operator, or similar, that another devastating incident (attack) could happen from “within” the system(s), by a human adversary committed to doing harm in the interest of their nation state or paying agent.  All those systems in the above-mentioned industries that are working at the process level (sensors/actuators, process control, SCADA (supervisory control and data acquisition)) are designed for efficient, effective, well-performing, and reliable operation, but they were not really designed and built to resist logic attacks from a smart human adversary who can outsmart almost every defense.

In industrial networks, spanning the areas of instrumentation, control bus, operations, business, or enterprise, the often-cited Purdue reference model, which provides for several “levels” or “zones” of abstraction and segregation, can be used.  A really good introduction can be found in the Secure Data Transfer Guidance for Industrial Control and SCADA Systems.

The main security points to address are:


Cisco Live! Milan Session Videos and Documents Now Available!

If you were unable to attend Cisco Live! Milan, or weren’t able to attend all the sessions that interested you, Cisco has made the session videos and PDFs available on the Cisco Live! website. More videos are being added daily and all should be available by February 22, 2014.

The Cisco Live! website maintains a large on-demand library with presentations and video recordings from Cisco Live! events hosted from 2011 to present. After registering, anyone can view the presentations and embedded videos at their leisure. Your Cisco Live! account is not tied to your account, so those credentials will not work!

Exciting new announcements are made regularly at Cisco Live! In Milan, Chris Young, Senior Vice President of Cisco Security, took the opportunity to share that Cisco was opening up its TrustSec capabilities to other vendors. In his blog post, Kevin Regan highlights what this means to the community.


Summary: Tackling Mobile Security Risks for Government

As mobility becomes more pervasive, these concepts of cyber crime have become engrained in our work/life culture. These issues have earned national news headlines as governments across the globe grapple with how to build both secure and mobile-enabled infrastructures.

A few weeks ago, Cisco and Mobile Work Exchange released findings from a self-assessment tool that highlights some interesting statistics, enabling us to better understand mobile security best practices and vulnerabilities. The report specifically looks at government employees, 90 percent of whom claim to use at least one mobile device for work, and reveals that many government workers (41 percent) are putting themselves and their agencies at risk.


Dynamic Detection of Malicious DDNS


This post was co-authored by Andrew Tsonchev.

Two weeks ago we briefly discussed the role of dynamic DNS (DDNS) in a Fiesta exploit pack campaign. Today we further analyze and explore the role of DDNS in the context of cyber attack proliferation and present the case for adding an operational play to the incident response and/or threat intelligence playbook to detect attack precursors and attacks in progress.


Can You Guess Your ROI on Your Secure Access?

No need to guess now!

Cisco commissioned Forrester Consulting to examine the business value and potential return on investment (ROI) enterprises may realize by implementing Cisco Identity Services Engine (ISE)—a leading secure access solution. This is available in the recently published Forrester TEI (Total Economic Impact) Research. Four customers were interviewed for this study and covered use cases for policy-governed, unified access across the following use case scenarios: guest services; BYOD; full access across wired, wireless, and VPN; and policy networking. The calculation was based on a composite organization of 10,000 employees that reflected the four interviewed customers from higher education, utilities, and financial services markets.

Benefits were a 75 percent reduction in support calls related to network issues and improved compliance, reducing data exposure, breaches, and potential regulatory/remediation costs that could add up to hundreds of thousands or even millions of dollars. Most recently, the Ponemon Institute Live Threat Intelligence Impact Report 2013 indicated that US$10 million is the average amount spent in the past 12 months to resolve the impact of exploits. The benefit of secure access cannot be taken lightly.

