Your network, servers, and a horde of laptops have been hacked. You might suspect it, or you might think it’s not possible, but it’s happened already. What’s your next move?
The dilemma of the “next move” is that you can only discover an attack either as it’s happening, or after it’s already happened. In most cases, it’s the latter, which justifies the need for a computer security incident response team (CSIRT). Brandon Enright, Matthew Valites, myself, and many other security professionals constitute Cisco’s CSIRT. We’re the team that gets called in to investigate security incidents for Cisco. We help architect monitoring solutions and strategies and enable the rest of our team to discover security incidents as soon as possible. We are responsible for monitoring the network and responding to incidents discovered both internally by our systems or reported to us externally via email@example.com.
Securing and monitoring a giant multinational high-speed network can be quite a challenge. Volume and diversity, not complexity, are our primary enemies when it comes to incident response. We index close to a terabyte of log data per day across Cisco, along with processing billions of NetFlow records, millions of intrusion detection alarms, and millions of host security log records. This doesn’t even include the much larger data store of authentication and authorization data for thousands of people. Naturally, like all large corporations, dedicated attackers, hacking collectives, hacktivists, and typical malware/crimeware affect Cisco. Combine these threats with internally sourced security issues, and we’ve got plenty of work cut out for us.
Read More »
Tags: Cisco Security, cisco sio, CSIRT, csirt-playbook, incident response, infosec, logging, logs, playbook, security, SIEM
Hi there and welcome to today’s U.S. National Cyber Security Awareness Month tip, courtesy of those of us involved in administering and/or contributing to Cisco Security Intelligence Operations!!
For all of you savvy technologists and those well versed in the security realm many of these tips may be old hat but, based on many of my discussions with both personal and professional peers, I know that most, if not all, of these Best Common Practices (BCPs) are not exactly “common.”
- Use non-trivial passwords - While most sites and applications now dictate requirements (lower/upper alphabetical, numerical, symbols, minimum length) for passwords, there are still those that rely on the user to utilize complex passwords. Password selection brings with it a challenging dichotomy -- on one hand we are being told (and sometimes forced!) to use complex not-so-easy-to-guess passwords and on the other hand we are expected to be able to remember all of these passwords without writing them down and sticking them on our laptop! Check out Numeric Password Follies and Keep passwords safe and secure with password management for some information from previous Cisco Security Blog posts that may help you choose and manage your passwords more effectively.
- And now that we have finally chosen an acceptable complex password, and we have been able to commit it to memory!, we now have to make sure we Change Our Passwords Regularly! :-) You will find that many of your “more secure” sites implement a specific time frame, e.g., 30 or 60 days, after which time you _must_ change your password. For all those sites, applications, and situations in which this is not the case, it is HIGHLY recommended that you take the proactive approach and manually change your password regularly. It shouldn’t be that hard -- just create a repeating reminder in your daily calendar to help you remember to change your passwords!
- And while on the subject of passwords, here’s another recommended best practice! Don’t use the same password everywhere!!! Again, our minds can only contain so many passwords (in addition to everything we need to remember on a daily basis) and things like passwords probably fall to the bottom of our priorities, so use a password manager tool. Because we often take the easy way out and, once we’ve developed that very complex, non-trivial password that we discussed in our first tip, we hang on to it for dear life and use it EVERYWHERE! Bad move! There are few days that go by in the security world where we don’t come across a hack or data breach that was helped along the way by the fact that so many people use the same passwords for both personal and professional sites and applications. Several examples of these breaches can be found in these previous Cisco Security Blog posts: July, a Busy Month for Breaches, Compromised Accounts, Stepping Stones, and 6.5 million password hashes suggest a possible breach at LinkedIn.
- If it looks like phish and “smells” like phish it probably is phish - Do NOT open emails that appear “phishy” – go directly to the known website of the supposed sender of the email. You should also be careful clicking links in emails from known contacts that do not have human-looking text from your friend. For example, be leery of emails which contain nothing but one URL/link or emails that start out with text such as “open this, it is funny.” Agree with your friend to send something he knows that will identify him when he sends a single link. For example ask him her to put in “I was born in XXX, July 1934″ or what team he supports.
- Keep your operating system (OS) and application software up to date. Many OS vendors, e.g., Microsoft, provide automated means of updating software on a regular basis, so take advantage of this offering if your vendor provides it. It is certainly understandable that probably a great many of you have important devices and simply cannot take the chance with automated updates, but for those with less mission-critical concerns it is a worthwhile practice to use automatic software updates. The Cisco Security Intelligence Operations portal includes a section devoted to security alerts affecting both Cisco and non-Cisco products.
- Have your “social engineering” guard up at all times. For many of us, the combination of our personalities and lack of time causes us to become more trustworthy and accepting all invitations - whether by email, phone call, or text - on their surface. What we need to do when working online is put on our “tinfoil hat” and simply not trust anyone! So, when you get that next email soliciting you to “click on the link” to resolve a banking dispute think twice, do NOT click on that link, and then log in directly to the website of your bank (or call them) and resolve that “issue” the proper way. Clicking on links sent to you via email or text could cause you to inadvertently and unknowingly provide login credentials and Personally Identifiable Information (PII) to the bad guys. Check out Levi Gundert’s recent post on how the loss (or theft) of PII can impact you.
- While Anti Virus (AV) Software is certainly not a silver bullet and probably won’t stop some of today’s more complex threats, it is still a useful tool to have in our security toolbox both for our corporate and personal devices. Although most corporate IT departments push out updates regularly to our professional devices, we need to also ensure that the AV Software running on our home and personal devices is kept current and is regularly updated.
- Understand the security measures that are available (and not available!) for social networking sites and applications. Many of you and your peers use some form of social networking -- e.g., Twitter, Facebook, LinkedIn, etc. -- and it is imperative that you are aware of what information gets shared and what mechanisms are available to you to restrict access to the data you want shared to only those people with whom you wish to share! You would probably be surprised to find out that the data that gets shared, both freely and inadvertently, is often leveraged for malfeasance such as phishing emails!
- Who you gonna call? Know who and how to report any suspect network security incidents, i.e., phishing, spam, malware, DoS, etc. This recommendation may border on the nebulous but it is really important, whether you are on your personal device at home or on a corporate device, that you know that there are resources available should you come across activity, e.g., phishing emails, evidence of DDoS attack activities, etc., that you can contact to get assistance. This could be your ISP, your corporate IT department, Help Desk, Information Security (InfoSec) department, or even a friend or coworker.
- Be vigilant and stay abreast of cyber security news! Regardless of your role and your technical acumen, find at least one source of security intelligence to monitor via RSS, email, Twitter, or by just directly visiting websites. Please visit the Cisco SIO portal, which includes a variety of information such as security alerts, blog posts, technical white papers, best common practices, and upcoming security conferences. Some additional recommended sources of this information include CERT, NANOG, Full Disclosure, Bugtraq, SANS Internet Storm Center (ISC), and Krebs on Security…..to name a few.
My call to action to all of you is to go out there and work together to make our cyber world just a little bit safer - one byte, one email, one phish, and one website at a time!
Tags: antivirus, Cisco Security, cisco sio, cyber security, NCSAM, ncsam-2013, passwords, security, social engineering
In any given week, one doesn’t need to look very far to be reminded of the events and issues that can surface anytime, anywhere, and to anyone. Given their modes of occurrence, range of diverse levels, technical, non-technical, and globally, wouldn’t it be convenient to have a brief synopsis and analysis of the events and issues? A weekly publication from Cisco, the Cyber Risk Report, is available now to give you the awareness and insight related to these security events and issues. The Cyber Risk Report provides a lot of information that conveys thought-provoking analyses and perspective.
Why the Cyber Risk Report Matters
There are several benefits of this publication. The report provides current information on multiple topics saving you time from sifting through all of the media outlets. It can minimize your blind spots and broaden your understanding of the nature of the factors contributing to the weekly events being reported. It is not uncommon for these issues and events to surface simply because the victims have not seen them coming. The bad guys are betting on this. Is this the only source of knowledge needed? Of course not, but the Cyber Risk Report is certainly a great resource to gain insight and keep a pulse on the constantly evolving security landscape.
What the Cyber Risk Report Offers
The Cyber Risk Report contains a summary and analyses of events and issues that transpired in the week leading up to its publication. Every week a specialized team of Cisco security analysts meets to create its content based on a review of several information sources. This content is organized into categories that I have highlighted in red as shown in the snapshot below.
Figure 1: Cyber Risk Report Example
Read More »
Tags: Cisco Security, cisco sio, cyber risk report, cybersecurity, NCSAM, ncsam-2013, security top of mind
For the last couple of years, Cisco Security Intelligence Operations has released a series of blog posts for National Cybersecurity Awareness Month. The theme for this month from the National Cyber Security Alliance is “Our Shared Responsibility.” The Department of Homeland Security is running a series on this theme, as are many other private organizations.
Our action and inaction have consequences for systems and services used by us, our friends, and our places of employment. Attackers use accounts compromised due to poor passwords and lack of two-factor authentication to launch other attacks on users connected to those accounts. End-user systems infected with malicious software are leveraged to conduct distributed denial of service attacks against financial and government websites. Users who fall victim to spear phishing attacks open the door for attackers to leap frog their way through sensitive networks and collect proprietary information from our places of employment.
Read More »
Tags: Cisco Security, cisco sio, cyber risk report, cyber security, cyber-security-month-2011, cyber-security-month-2012, ncsam-2013
Cisco’s Advanced Services has been performing penetration tests for our customers since the acquisition of the Wheel Group in 1998. We call them Security Posture Assessments, or SPA for short, and I’ve been pen testing for just about as long. I’ll let you in on a little secret about penetration testing: it gets messy!
During our typical assessments we may analyze anywhere between 2,000 and 10,000 hosts for vulnerabilities, perform various exploitation methods such as account enumeration and password attempts, buffer/stack overflows, administrative bypasses, and others. We then have to collect and document our results within the one or two weeks we are on site and prepare a report.
How can anyone keep track of all this data, let alone work together as a team? Are you sure you really found the holy grail of customer data and adequately documented it? What if you’re writing the report but you weren’t the one who did the exploit? Read More »
Tags: Cisco Security, exploits, pen testing, penetration testing, security