Cisco Blogs


Cisco Blog > Security

Vectoring to a New Mission

A couple of weeks ago, I announced a new name and a new mission for the group I lead at Cisco. I’ll do my best to minimize reader exposure to boring administrative details, but the long and the short of it is that the former Cisco Global Government Solutions Group (GGSG) has become the Cisco Threat Response, Intelligence, and Development (TRIAD) organization.

Any organizational name change is only a label placed on more fundamental transformations in missions, strategies, and desired outcomes. While the new organization will continue to serve government customers, the time has come to mobilize the expertise we have built up over the years to help critical infrastructure and enterprise customers strengthen their abilities to deliver IT-based services and value with minimal disturbance from unauthorized sources.

Vectoring the organization’s mission to threat is the key to understanding what TRIAD is all about. Through our work with Cisco customers, observation and analysis of phenomena visible in Cisco and customer networks, and application of innovative thinking about security practices and processes, we see enormous potential for developing and delivering threat-focused approaches to cyber security into products, services, and solutions. Read More »

Tags: , , , , , , ,

A Programmatic Approach to Using Cisco’s Security Intelligence Feed

If you’re an end-user or manager of software that has publicly known security vulnerabilities, wouldn’t you want to know about it? If you’re a software developer, wouldn’t you want to know if there are third-party software vulnerabilities that may impact your applications or products?  Do you have a patch management compliance requirement for managing software vulnerabilities? I presume the answer is a resounding “Yes” to each question that applies to you. Anything we, as cyber security professionals, can do to help automate the vulnerability management process, while integrating security intelligence into that process from both an end-user and developer perspective, is a good thing. In this post, I will discuss Cisco’s Application Programming Interface (API) that exposes security intelligence as a direct data feed into applications or portals. The API is known as the IntelliShield Security Information Service (ISIS) and has proven effective to answering these leading questions.

“Continuous improvement in vulnerability management practices is imperative to keeping pace with the changing security environment as a result of evolving threats as well as new products and technologies” Russell Smoak, Cisco Systems, Cisco 2013 Annual Security Report

The above quote underscores the importance of striving to raise the bar in protecting against vulnerabilities, which may be exploited in your environment, or in the case of a developer, the products you provide to your customers. Cisco uses ISIS several ways, both internally and externally. Internally, Cisco takes advantage of custom-built tooling that uses vulnerability data from Cisco IntelliShield to notify the product development teams when a security issue originating in third-party software may impact a Cisco product. This tool has greatly increased the ability to manage security issues that originate in non-Cisco code. Externally, ISIS is used to provide the content to several sections accessible through the Cisco SIO portal. A couple of examples include:

  1. IOS Software Checker: this tool is used to query Cisco IOS Software Releases against published Cisco Security Advisories.
  2. Security Alerts: this tool provides an “At-A-Glance” type of view of security events such as vulnerability exposures.

Technically, ISIS provides a set of services that support application-to-application interaction using SOAP over the HTTPS protocol, allowing clients to develop ISIS-dependent applications that are not dependent on the technologies used to implement ISIS. The only dependency is for the client to have the ability to produce a SOAP message, send it to ISIS over HTTPS, and ultimately decompose the SOAP response. These services also allow clients to filter the security intelligence based on various inputs, enabling clients to align IntelliShield security intelligence with the unique business needs of their environment. Read More »

Tags: , , , ,

Cross-Site Request Forgery Attacks and Mitigations

Cross-Site Request Forgery (CSRF) attacks: there are already enough articles out there that can explain what a CSRF attack is and provide potential examples. There are also plenty of security alerts that have been released by various vendors whose products are affected by CSRF-related vulnerabilities.

CSRF attacks usually target web applications and attempt to make unwanted changes on server data or extract sensitive information from a web application. Attackers do this by luring an authenticated user into making a specially crafted web request. It’s important, regardless of role, for everyone to have a basic understanding of CSRF attacks and the available options to protect against them.

For more information about basic CSRF concepts and potential mitigations, see our new Applied Mitigation Bulletin Understanding Cross-Site Request Forgery Threat Vectors. Although this document does not attempt to provide all the technical details associated with CSRF, it does aim to summarize the CSRF technique and provide methods that can be potentially used by developers, network administrators and users to protect against CSRF attacks.

For all things related to Security don’t forget to visit the Cisco Security Intelligence Operations (SIO) Portal—the primary outlet for Cisco’s security intelligence and the public home to all of our security-related content. Just go to cisco.com/security.

Tags: , , , , , ,

Apache Darkleech Compromises

Dan Goodin, editor at Ars Technica, has been tracking and compiling info on an elusive series of website compromises that could be impacting tens of thousands of otherwise perfectly legitimate sites. While various researchers have reported various segments of the attacks, until Dan’s article, no one had connected the dots and linked them all together.

Dubbed “Darkleech,” thousands of Web servers across the globe running Apache 2.2.2 and above are infected with an SSHD backdoor that allows remote attackers to upload and configure malicious Apache modules. These modules are then used to turn hosted sites into attack sites, dynamically injecting iframes in real-time, only at the moment of visit.

Because the iframes are dynamically injected only when the pages are accessed, this makes discovery and remediation particularly difficult. Further, the attackers employ a sophisticated array of conditional criteria to avoid detection:

  • Checking IP addresses and blacklisting security researchers, site owners, and the compromised hosting providers;
  • Checking User Agents to target specific operating systems (to date, Windows systems);
  • Blacklisting search engine spiders;
  • Checking cookies to “wait list” recent visitors;
  • Checking referrer URLs to ensure visitor is coming in via valid search engine results. Read More »

Tags: , , , , , ,

March Madness May Equal to Malware Madness

March 29, 2013 at 8:05 am PST

basketball1Are you excited about March Madness? Turn on a TV and it will be hard to avoid the games, the news, the commentaries, and the jokes about it. If you eavesdrop in any restaurant, bar, or office conversation, I can assure you that you will hear something about it. Even U.S. President Barack Obama filled out a March Madness bracket. Productivity in many offices drops significantly as employees search and watch videos to see how their bracket picks are progressing. At Cisco, we have an open policy and employees can watch and search the scores of their favorite teams. Watch this video posted by CNN where Kip Compton, Cisco’s Video Collaboration Group CTO, talks about March Madness.

During the last couple of years, the industry saw a spike in web malware during the March Madness season. SQL injection attacks, iframe injections, JavaScript, and Java malware were some of the most prevalent. A few months ago, I provided details about some of today’s cyber-criminal tools— exploit kits—and some of the weapons of choice like Blackhole, RedKit, Styx, CrimeBoss, and Cool.

A few things to keep in mind:

  • Legitimate business sites may have vulnerabilities that allow a hostile site to deliver malware.
  • In most drive-by downloads, the victim is willing to dismissively click pop-ups and warnings as they navigate to the desired content. In this case, users may just click on pop-ups or ads to watch videos about their favorite team.
  • Most drive-by downloads can be prevented by keeping software up to date. Read More »

Tags: , , , , , , , ,