Cisco Blogs

Cisco Blog > Security

2014: A Look Ahead

It’s December and the 2013 cyber security news cycle has just about run its course. We’ve seen more and increasingly virulent attacks, continued “innovation” by adversaries, and a minor revival of distributed denial of services (DDOS) actions perpetrated by hacktivists and other socio-politically motived actors.

Against this, Cisco stood up tall in recognizing the importance of strong security as both an ingredient baked into all Cisco products, services, and solutions, and a growing understanding of how to use the network to identify, share information about, and defeat threats to IT assets and value generation processes. I can also look back at 2013 as the year that we made internal compliance with the Cisco Secure Development Lifecycle (CSDL) process a stop-ship-grade requirement for all new Cisco products and development projects. Read More »

Tags: , , , , , ,

What Next-Generation Wi-Fi Models Could Mean for Secure Mobility

With the adoption of the Internet of Things and Internet of Everything, advances in mobility and next-generation Wi-Fi are driving faster speeds, higher signal quality and more reliable connectivity. With the upcoming ratification of the two waves of the 802.11ac Wi-Fi standard, how are emerging Wi-Fi models creating new security features that are defining the next-generation Wi-Fi experience?

Next Generation Wi-Fi Models

Migration to the 5 GHz-only 802.11ac is quickly becoming a reality. In a recent article by Lisa Phifer, Chris Spain, Vice President of Product Marketing for Cisco’s Wireless Networking Group, discusses more about how this migration will drive a shift in mobile device support for 5 GHz. “An increasing percentage of new mobile devices provide dual-band capability, and they generally prefer the less congested 5 GHz band,” Spain said. New Wi-Fi models, like those listed below, can help drive mobile devices to the 5GHz band:

Read More »

Tags: , , , , , , , , , ,

Features, Bugs, and Backdoors: The Differences, How Language Can Be (Mis)Used, And A Word Of Caution

Language is a powerful tool.

With acronyms like ACL, IPS/IDS, and APT*, the security world has created its own language, acronyms, and catchphrases. In our industry, sometimes the meaning of more commonly used words can cause misunderstandings. For example, is a hacker a bad actor or a well-intentioned individual? Are all software bugs also security vulnerabilities? Can the terms feature, bug, and backdoor be used interchangeably?

A feature, a bug, or a backdoor might look like the same thing to some, but they are not. Imprecision in this area can breed misunderstandings. I believe that there are two key differences between a feature, a bug, and a backdoor: intent and transparency. Read More »

Tags: , , , , ,

Beware: Insider Threats Getting Worse

Most recently ESG/Vormetric came out with a threat report that highlighted the increase in insider threats & the significance to augment perimeter and host-based security. The rationale behind the increase was that more people are accessing the network, increase cloud and network traffic are making it difficult to isolate the problem.

Almost 50% of the organizations believe they are vulnerable to insider attacks and have or plan to invest dollars.

This is alarming!

The top methods noted for these insider threat vulnerabilities were abuse of access by privileged users, contractors, and other employees. Security professionals are finding it quite difficult to monitor the users, traffic, ports, etc to identify and mitigate insider threats. They must glean this information from multiple sources and many times need to translate the data. For example, “whose IP address is this and why is Mary from finance, who is supposed to be on vacation, downloading data from the payroll server?” This process slows the resolution time. The criticality of this type of contextual information is enormous to remediate quickly.

Security needs to be pervasive and consistent to manage these inside threats—so how does one do this? Integrate security into your infrastructure (wireless, wired, VPN)! Once security is woven into your infrastructure it provides the visibility and clarity to respond in a timely manner with a high degree of efficacy and is not dependent on distinct and isolated ingress points.

Read More »

Tags: , , , , , , ,

A Thief Inside of Cisco? SecCon 2013 San Jose

A thief on the loose you say, at Cisco Systems, in San Jose? Turns out he was invited. Apollo Robbins was one of the headliners for Cisco SecCon in San Jose during the first week of December. Mr. Robbins taught us an important lesson about security: seeing is not always believing. Apollo demonstrated the art of “social engineering” using techniques he perfected working on a pickpocket show in Las Vegas. Apollo taught us to expand our thinking, to look behind the curtain of what motivates people. This helped us to better understand the trust people put in each other and in our products. Bruce Schneier was the second headliner, and spoke to us about the idea of trust. Bruce’s talk was not heavily focused on technology, but instead approached trust from the human perspective. He answered questions such as why people trust, and how trust is passed amongst groups of people. This is beneficial because Cisco strives to be trustworthy to our customers, corporately, as individuals, and with our products.

IMG_0912-300x199 - 1

SecCon is our annual internal security conference where the security community at Cisco gathers together to network and learn. 2013 represented SecCon’s sixth year. Our goal is to strengthen the security community and employee knowledge of how to build products that are more secure. This experience is not limited to those in San Jose. SecCon links remote sites such as Research Triangle Park (Raleigh), NC and Boxborough, MA with the speakers in San Jose. The remote sites also host local speakers, all in the name of growing the security community at Cisco.

IMG_1034-300x199 - 2

A Cisco Executive kicked off each morning. SVP Chris Young provided an overview of our security product strategy and spoke of the new technologies incorporated into Cisco from Sourcefire. SVP John Stewart continued his impassioned plea for engineers at Cisco to be “all in” with our approach to product security and Cisco Secure Development Lifecycle (SDL) adoption. Cisco VP Sumeet Arora spoke of how his organization is adopting Cisco SDL and how everyone must be trained in awareness of product security. One specific quote from Sumeet is, “Cisco SDL is like brushing your teeth.” That stuck with me, as a member of the core Cisco SDL team at Cisco. Cisco SDL is expected as a part of our daily routine. From all of the executive keynotes, a few messages were clear: Cisco SDL is mandatory for Cisco products, and product security awareness is a key driver for our success. We launched our product security awareness program last year at SecCon, and we saw it grow exponentially this year. This awareness program is so popular that it received plugs from each keynote as well as many times during the employee talks.

In the fifty talks given by employees, we were shown methods that some teams have used to build security in to their products. We saw reverse engineering displays and examples of historic vulnerabilities in Cisco products, all so that the people gathered can learn about the problems of the past. This builds a solid foundation for us, as a community, to minimize these problems in the future.

SecCon 2013 offered eleven security-based, bootcamp-style training classes that employees had an opportunity to attend. These classes are “boot camps” because they are in depth and demanding. The classes include lecture, but primarily each student works through interactive exercises and applies the security knowledge as they learn.

The boot camp courses were divided into three high-level categories: fundamentals of product security, hacking, and network defense. The fundamentals of product security lay a foundation for our engineers in some basic topics of security, including secure coding in C / C++, IPv6, and web application security testing. The hacking category included a basic course on the tools and techniques of hackers, understanding and hacking secure protocols, reverse engineering, and mobile application hacking. Network defense taught our students to properly configure and monitor networks. This category included “Network Threat Defense, Countermeasures, and Controls” and “Advanced IPv6 Security with Pen Testing”.

IMG_1149-300x144 - 3

This year was another great conference. You only had to listen to the quality of any talk to gain an appreciation for the depth of security knowledge and talent that exists within Cisco. With this base, we all learned that trust is so important to Cisco. Trust is the foundation of how our customers perceive Cisco and our products. It was clear through each of the presentations that trust is something that we must constantly earn. After this SecCon experience, I am even more aware of Cisco’s commitment to continue to strive to be the trustworthy IT vendor, working hard to identify and defend again the “thief” be they inside or outside our domain.

For more information on SecCon, please visit the SecCon page on Photos by Bill Thomson.

Tags: , ,