I’m often asked how to deal with the security threat landscape within the context of running a business. The security threat landscape can seem like a highly complex challenge, yet as I’ve looked at it through my work with Cisco and the broader industry, it can actually be boiled down into three simple phases: before, during and after attack.
It sounds simple in theory, but in practice the conversation often focuses predominantly on the “before” phase; that is, minimizing a hacker’s chances of success. While this is clearly the most important phase, it’s also crucial to have a clear threat containment strategy for “during” an attack, and a visibility and forensics plan for “after” it as well. It seems complex, but it can be surprisingly simple. Take a look at a recent video blog I did on the topic.
Tags: Attack, Cisco, forensics, John Stewart, security
The past few weeks have had many on heightened alert from the initial threats to the ongoing attacks surrounding U.S.-based financial institutions; to say folks have been busy would be quite the understatement.
These events spawned a collaborative effort throughout the Cisco Security Intelligence Operations (Cisco SIO) organization, as depicted in the diagram below.
* Note: As Cisco products have not been found to be vulnerable to these attacks the Cisco PSIRT (Product Security Incident Response Team) provides feedback and peer-review, hence the reason that no Cisco Security Advisory (SA) is present for this activity.
Read More »
Tags: Attack, Cisco Security, DDoS, dns, DNS Server, intellishield, IPS, security, Security Intelligence Operations (SIO), targeted attacks
In the recently posted research paper “Off-Path TCP Sequence Number Inference Attack: How Firewall Middleboxes Reduce Security“, Zhiyun Qian and Z. Morley Mao from the University of Michigan discuss a method to try to infer the sequence numbers in use by a TCP connection -- and if successful, how to try to hijack the connection and inject data on it in order to, as an example, steal credentials to web sites (banking, social networking, etc.)
Before talking further about their research, I would like to talk a bit about the Maginot Line. The Maginot Line was a line of fortifications located in France, established after World War I, and roughly following France’s borders with Germany and Italy. The idea behind it: in case of another war with Germany, the line would hold the enemy attacks, giving the French Army the chance to regroup and counterattack. The problem: the line only extended so far up North. So during World War II, and instead of attacking the line from the East, the German army completely bypassed it – by attacking Belgium first and then flanking the line.
So a lot of resources were allocated to set-up defenses for a very specific attack scenario – but that scenario never happened, as an easier way was found to bypass the defenses. And the mere fact of allocating so many resources to counter a specific threat significantly reduced the number of resources available to protect against other threats.
The method posited by Qian and Mao on their research paper strongly reminds me of the assumptions made by the French while building the Maginot Line.
Read More »
Tags: Attack, research, security, TCP