Editor’s Note: This is the third part of a four-part series featuring an in-depth overview of Infosec’s (Information Security) Unified Security Metrics Program (USM). In this installment, we discuss the effectiveness of the USM program at Cisco.
Information security is all about risk reduction, and risks are notoriously difficult to measure – ask any insurance salesman or actuary. So how do we handle this conundrum for a security metrics program that hasn’t even reached its second anniversary yet?
Peter Drucker, noted business management author, once said, “Efficiency is doing the thing right. Effectiveness is doing the right thing.” Even at this early stage of the USM program, we can see four clear indicators demonstrating we’re doing the right things to improve Cisco’s security posture across the IT organization and Cisco. They include the creation of newly defined partnerships, leveraging existing IT risk management frameworks, developing well-defined feedback mechanisms, and gaining increased support and visibility at the CIO level.
Read More »
Tags: information security, infosec, metrics, security, unified security metrics program, usm
Cisco Live, May 18-24, 2014, is quickly approaching and registration is open. This is the 25th anniversary of Cisco Live and we return to the Bay Area at San Francisco’s Moscone Center. Educational sessions are organized into technology tracks to make it easy to find the topics that most interest you. With network and data security being top of mind, I’d like to highlight the Security technology track’s exciting content lineup. Read More »
Tags: ASA, byod, cisco live, Cisco Live US, Cisco Live! 2014, Cloud Computing, cybersecurity, data security, firewall, IoT, malware, mitigations, network security, Network Threat Defense, psirt, security, security training, training, vpn
This post is coauthored by Andrew Tsonchev.
Anyone can purchase an exploit pack (EP) license or rent time on an existing EP server. The challenge for threat actors is to redirect unsuspecting web browsing victims by force to the exploit landing page with sustained frequency. Naturally, like most criminal services in the underground, the dark art of traffic generation is a niche specialty that must be purchased to ensure drive-by campaign success. For the past year we have been tracking a threat actor (group) that compromises legitimate websites and redirects victims to EP landing pages. Over the past three months we observed the same actor using malvertising – leveraging content delivery networks (CDNs) to facilitate increased victim redirection – as part of larger exploit pack campaigns. Read More »
Tags: advertising, cdn, Exploit, html, iframe, malvertising, Pack, redirection, security, Snort, Styx, TRAC
At Cisco, security runs through everything that we do. It is our commitment to deliver verifiable, trustworthy network architectures built on secure software and secure hardware, backed by prudent supply chain security practices.
That’s why Cisco created the Cisco Secure Development Lifecycle (Cisco SDL) to ensure that security is central through the entire product development process. CSDL is a repeatable and measurable process we’ve designed to fortify the resiliency and trustworthiness of our offerings, allowing our customers to deploy high-quality products that they can trust.
Cisco SDL utilizes many industry standards and best practices, including ISO certification as part of our development processes. ISO certification provides customers validation and confidence that our processes, such as common technology requirements, secure coding procedures, code reviews, testing, and verification are consistently executed within our product development.
In 2013, we made internal compliance with the Cisco SDL process a stop-ship-grade requirement for all new Cisco products and development projects. As we make our way through 2014, we are building on this commitment, holding our teams accountable and training stakeholders to understand the importance of Cisco SDL process, adoption, and compliance.
From our Integrated Service Routers (ISRs) to our Aggregation Services Routers (ASRs), more products are being introduced across the Cisco portfolio that are Cisco SDL compliant. We look forward to keeping you up to date on progress with the CSDL initiative over the coming months.
Check out the video below where I explain Cisco SDL in more detail:
Learn more about Cisco SDL here: http://www.cisco.com/web/about/security/cspo/csdl/index.html
Tags: cisco sdl, cybersecurity, product certifications, supply chain, trustworthy systems
We know that communicating quickly and openly about security vulnerabilities can result in a little extra public attention for Cisco. As a trustworthy vendor, this is something we’re happy to accept.
It’s recently been said that there is only one thing being discussed by IT security people right now – the OpenSSL heartbeat extension vulnerability (aka Heartbleed). As the guy responding to related media questions for Cisco, that certainly rings true.
This is an industry-wide issue affecting commonly-used, open source encryption software. Some of my colleagues recommended this blog or this blog for an overview of the topic.
Cisco was one of the first to provide a comprehensive update for our customers (April 9): OpenSSL Heartbeat Extension Vulnerability in Multiple Cisco Products. This advisory continues to be updated, and at the time of this posting was on its fourth version. It provides an overview of the topic, and a full list of the Cisco products confirmed as affected, remediated, or not affected. It also links to more information, including any available workarounds or free software updates.
Our customers can rely on the fact that our response will be managed according to our long-standing security disclosure policy. This means providing the best information we have, as quickly as possible, even if that information could be incomplete at the time. As we continue to make progress, we will continue to update our public-facing information.
To our customers: we recommend staying connected to this information, and consider any implications for your network.
Tags: Cisco PSIRT, Heartbleed, security, trustworthy