Ed Paradise, Vice President of Engineering for Cisco’s Threat Response, Intelligence and Development Group
Much has been made of the industry-wide Heartbleed vulnerability and its potential exploitation. Cisco was among the first companies to release a customer Security Advisory when the vulnerability became public, and is now one of many offering mitigation advice.
Those dealing with this issue on a day-to-day basis know it’s not enough to just patch the OpenSSL software library. Organizations also need to revoke and reissue digital certificates for their Heartbleed-vulnerable sites. If your certificates were stored in a Trust Anchor Module (TAM), they are still safe. Otherwise, a few additional steps should be taken to ensure you and your customers are secure:
Read More »
Tags: Cisco PSIRT, Cisco Security, Heartbleed, OpenSSL, psirt, security
We know that communicating quickly and openly about security vulnerabilities can result in a little extra public attention for Cisco. As a trustworthy vendor, this is something we’re happy to accept.
It’s recently been said that there is only one thing being discussed by IT security people right now – the OpenSSL heartbeat extension vulnerability (aka Heartbleed). As the guy responding to related media questions for Cisco, that certainly rings true.
This is an industry-wide issue affecting commonly-used, open source encryption software. Some of my colleagues recommended this blog or this blog for an overview of the topic.
Cisco was one of the first to provide a comprehensive update for our customers (April 9): OpenSSL Heartbeat Extension Vulnerability in Multiple Cisco Products. This advisory continues to be updated, and at the time of this posting was on its fourth version. It provides an overview of the topic, and a full list of the Cisco products confirmed as affected, remediated, or not affected. It also links to more information, including any available workarounds or free software updates.
Our customers can rely on the fact that our response will be managed according to our long-standing security disclosure policy. This means providing the best information we have, as quickly as possible, even if that information could be incomplete at the time. As we continue to make progress, we will continue to update our public-facing information.
To our customers: we recommend staying connected to this information, and consider any implications for your network.
Tags: Cisco PSIRT, Heartbleed, security, trustworthy
Today, Cisco is celebrating a milestone in its commitment to helping you act on security intelligence—our 10th bundle of Cisco IOS Software Security Advisories. We’re proud of our commitment to these predictable disclosures (on the fourth Wednesday of March and September annually) because they originated as a direct response to your feedback. Bundled publications allow you to plan ahead and ensure resources are available to analyze, test, and remediate vulnerabilities in your environments. In an upcoming post, my colleague John Stuppi will share how the Cisco Product Security Incident Response Team (PSIRT) drove the evolution from a traditional disclosure model to the current semiannual bundled publication. John’s post will also provide another vehicle to share feedback with PSIRT, the organization that manages the receipt, investigation, and public reporting of security vulnerability information that is related to Cisco products and networks.
Make sure you take a look at the Cisco Event Response—our “go to” document that correlates the full array of Cisco Security Intelligence Operations (SIO) resources for this bundle (including links to the advisories, mitigations, Cisco IntelliShield Alerts, CVSS scores, and OVAL content). Remember, this collateral is not unique to Cisco IOS Software Security Advisories but is part of Cisco SIO’s response to current security events.
Today’s edition of the Cisco IOS Software Security Advisory Bundled Publication includes seven advisories that affect the following technologies:
- Network Address Translation
- Resource Reservation Protocol
- Internet Key Exchange
- Zone-Based Firewall Session Initiation Protocol Inspection
- Smart Install
- Protocol Translation
- IP Service Level Agreement Read More »
Tags: Cisco, cisco ios, Cisco PSIRT, Cisco Security, cisco sio, IOS, vulnerability
My colleague, Dario Ciccarone from the Cisco Product Security Incident Response Team (PSIRT) will be presenting “Security Vulnerability Handling at Cisco” at (ISC)2′s New York Metro Chapter meeting on February 13th, 2013. This will be an evening of information security presentations, networking reception and filled with Chapter activity discussions during this event. This event also qualifies for 2 CPEs for certified information security professionals (CISSP). Read More »
Tags: Cisco PSIRT, Cisco Vulnerability Policy, security, vulnerability
A phrase I’ve recently been hearing repeated is that “product features will come and go, but risk mitigation is continuous.” With that in mind, our Product Security Incident Response Team (PSIRT) is doing its part by seeking ways to improve how we transparently communicate information about Cisco product vulnerabilities to our Customers and Partners. Starting in January of 2013 we will be launching a new deliverable called the Cisco Security Notice.
The purpose of the Cisco Security Notice is to make it easier for Customers and Partners to access information about low to medium severity vulnerabilities in Cisco products. A Cisco Security Notice will be the primary disclosure document for all security defects that PSIRT scores with a Common Vulnerability Scoring System (CVSS) base score from 4.0 to 6.9 and will be posted to the PSIRT publication listing page. Each vulnerability disclosed through a Cisco Security Notice will be assigned a Common Vulnerability and Exposures (CVE) Identifier to aid in identification. Check out the sites for CVE, CVSS, and this CVSS scoring calculator if these terms are relatively new to you or you simply need a refresher. Read More »
Tags: Cisco PSIRT, Cisco Security, Cisco Security Notice, cisco sio, Cisco Vulnerability Policy, CVSS scoring