Cisco Blogs


Cisco Blog > Security

Enhance Your Security Investment with Security Optimization Service

Many organizations have the same challenges when it comes to security: blurring boundaries, more and more organized cybercrimes, difficulty in finding and retaining technical talent, and keeping up-to-date with the latest security threats and tools.

In my inaugural blog, I’d like to tell you about one useful offering: the Security Optimization Service (SOS) from Cisco Services. The service can help you keep current with what is happening in the industry and in your security fabric on an ongoing basis.

Your corporate security infrastructure fabric should be treated as a dynamic living and breathing ecosystem of policy, framework, hardware, software, applications, people, and processes, with errors, omissions, and commissions all inclusive.

Ongoing care, maintenance, optimization, change support, and user education is critical to get more out of your investments and future planning. This is the philosophy behind Cisco SOS.

Read More »

Tags: , , ,

Open Sourcing FNR an Experimental Block Cipher

Traditional block ciphers work on fixed blocks of data—as an example, AES is well-defined for 128/192/256 bits. But one of the issues is the need for padding—so if you need to encrypt small amounts of data you may end with a huge difference in input vs. output size. As an example, using AES/128 on ECB mode to encrypt an IPv4 address results in an input size of 32 bits, but an output size of 128 bits. This may not be desired for some applications.

To address such needs, we have designed the FNR encryption scheme. FNR stands for Flexible Naor and Reingold. Our proposed encryption scheme is a practical variant of Naor and Reingold’s[1] work. We are releasing the reference implementation of the FNR encryption scheme under open source license LGPLv2.

FNR is an experimental small domain block cipher for encrypting objects (< 128 bits) like IPv4 addresses, MAC addresses, arbitrary strings, etc. while preserving their input lengths. Such length preserving encryption would be useful when encrypting sensitive fields of rigid packet formats, database columns of legacy systems, etc. in order to avoid any re-engineering efforts for privacy preservation.

Read More »

Tags: , , , ,

SNMP: Spike in Brute-force Attempts Recently Observed

Simple Network Monitoring Protocol (SNMP) has been widely deployed as an important network management tool for decades, is a key component of scalable network device management, and is configurable in nearly all network infrastructure devices sold today. As with any management protocol, if not configured securely, it can be leveraged as an opening for attackers to gain access to the network and begin reconnaissance of network infrastructure. In the worst case, if read-write community strings are weak or not properly protected, attackers could directly manipulate device configurations.

Cisco has recently seen a spike in brute-force attempts to access networking devices configured for SNMP using the standard ports (UDP ports 161 and 162). Attacks we’ve observed have been going after well known SNMP community strings and are focused on network edge devices. We have been working with our Technical Assistance Center (TAC) to assist customers in mitigating any problems caused by the brute-force attempts.

While there’s nothing new about brute-force attacks against network devices, in light of these recent findings, customers may want to revisit their SNMP configurations and ensure they follow security best practices, including using strong passwords and community strings and using ACLs to restrict access to trusted network management endpoints.

Cisco has published a number of best practices documents for securing the management plane, including SNMP configuration:

Tags: , , , , ,

Summary: Extended By Popular Demand: The Cisco IoT Security Grand Challenge

June 16, 2014 at 8:49 am PST

Since its announcement at the RSA 2014 conference, the security community has been actively involved in the Cisco IoT Security Grand Challenge. The response has been so great that we’ve decided to extend the deadline by two more weeks -- so you now have until July 1st, 2014 to make your submission! Visit www.CiscoSecurityGrandChallenge.com for full details about the challenge and prepare your response. Good luck!

Read the full blog for more information.

Tags: , , , , , , , , , , ,

A Collection of Cryptographic Vulnerabilities.

TRAC logo
The rustic origins of the English language are evident in the words left to us by our agricultural ancestors. Many words developed to distinguish groups of different animals, presumably to indicate their relevant importance. A ‘flock’ of sheep was more valuable than a single sheep, a ‘pack’ of wolves posed more danger than a single wolf. With respect to security vulnerabilities, we have yet to develop such collective nouns to indicate what is important, and to indicate that which poses danger.

The world of Transport Layer Security has been rattled once again with the identification of a “swarm” of vulnerabilities in OpenSSL and GnuTLS. A total of seven new vulnerabilities ranging from a potential man in the middle attack, allowing an attacker to eavesdrop on an encrypted conversation, to vulnerabilities that could be used to allow attackers to remotely exploit code on a client have been identified in the popular open source libraries.
Read More »

Tags: , , , , , , , ,