Cisco Blogs


Cisco Blog > Security

Cisco’s onePK Part 2: Reaching out to a Network Element

Exordium

In the previous installment of the onePK series, you received a crash course on Cisco’s onePK. In this article, you’ll take the next step with a fun little exposé on onePK’s C API. You will learn how to write a simple program to reach out and connect to a network element. This is staple onePK functionality and is the foundation upon which most onePK applications are built.

Preambling Details

The following short program “ophw” (onePK Hello World), is a fully functional onePK application that will connect to a network element, query its system description, and then disconnect. It doesn’t do anything beyond that, but it does highlight some lynchpin onePK code: network element connection and session handle instantiation. This is the foundational stuff every onePK application needs before useful work can get done. Read More »

Tags: , , , , , , , , , , ,

Razzle Dazzle v2.0

During World War I, British artist and navy officer Norman Wilkinson proposed the use of “Dazzle Camouflage” on ships. The concept behind Dazzle Camouflage, as Wilkinson explained, was to “paint a ship with large patches of strong colour in a carefully thought out pattern and colour scheme …, which will so distort the form of the vessel that the chances of successful aim by attacking submarines will be greatly decreased.” The Dazzle Camouflage was not intended to hide the presence of the ships themselves, but instead was created to hide the ships size, shape, direction, and speed from would-be attackers.

dazzle_camo
Razzle Dazzle Camouflage applied to a ship

Read More »

Tags: , , , , , , ,

Big Security—Mining Mountains of Log Data to Find Bad Stuff

Your network, servers, and a horde of laptops have been hacked. You might suspect it, or you might think it’s not possible, but it’s happened already. What’s your next move?

The dilemma of the “next move” is that you can only discover an attack either as it’s happening, or after it’s already happened. In most cases, it’s the latter, which justifies the need for a computer security incident response team (CSIRT). Brandon Enright, Matthew Valites, myself, and many other security professionals constitute Cisco’s CSIRT. We’re the team that gets called in to investigate security incidents for Cisco. We help architect monitoring solutions and strategies and enable the rest of our team to discover security incidents as soon as possible. We are responsible for monitoring the network and responding to incidents discovered both internally by our systems or reported to us externally via csirt-notify@cisco.com.

Securing and monitoring a giant multinational high-speed network can be quite a challenge. Volume and diversity, not complexity, are our primary enemies when it comes to incident response. We index close to a terabyte of log data per day across Cisco, along with processing billions of NetFlow records, millions of intrusion detection alarms, and millions of host security log records. This doesn’t even include the much larger data store of authentication and authorization data for thousands of people. Naturally, like all large corporations, dedicated attackers, hacking collectives, hacktivists, and typical malware/crimeware affect Cisco. Combine these threats with internally sourced security issues, and we’ve got plenty of work cut out for us.

Read More »

Tags: , , , , , , , , , ,

Ten Simple Ways to Enhance Cyber Security for You and Others

October 3, 2013 at 5:00 am PST

Hi there and welcome to today’s U.S. National Cyber Security Awareness Month tip, courtesy of those of us involved in administering and/or contributing to Cisco Security Intelligence Operations!!

For all of you savvy technologists and those well versed in the security realm many of these tips may be old hat but, based on many of my discussions with both personal and professional peers, I know that most, if not all, of these Best Common Practices (BCPs) are not exactly “common.”  :-)

  1. Use non-trivial passwords - While most sites and applications now dictate requirements (lower/upper alphabetical, numerical, symbols, minimum length) for passwords, there are still those that rely on the user to utilize complex passwords. Password selection brings with it a challenging dichotomy -- on one hand we are  being told (and sometimes forced!) to use complex not-so-easy-to-guess passwords and on the other hand we are expected to be able to remember all of these passwords without writing them down and sticking them on our laptop! Check out Numeric Password Follies and Keep passwords safe and secure with password management for some information from previous Cisco Security Blog posts that may help you choose and manage your passwords more effectively.
  2. And now that we have finally chosen an acceptable complex password, and we have been able to commit it to memory!, we now have to make sure we Change Our Passwords Regularly!  :-)  You will find that many of your “more secure” sites implement a specific time frame, e.g., 30 or 60 days, after which time you _must_ change your password. For all those sites, applications, and situations in which this is not the case, it is HIGHLY recommended that you take the proactive approach and manually change your password regularly. It shouldn’t be that hard -- just create a repeating reminder in your daily calendar to help you remember to change your passwords!
  3. And while on the subject of passwords, here’s another recommended best practice! Don’t use the same password everywhere!!!  Again, our minds can only contain so many passwords (in addition to everything we need to remember on a daily basis) and things like passwords probably fall to the bottom of our priorities, so use a password manager tool. Because we often take the easy way out and, once we’ve developed that very complex, non-trivial password that we discussed in our first tip, we hang on to it for dear life and use it EVERYWHERE! Bad move! There are few days that go by in the security world where we don’t come across a hack or data breach that was helped along the way by the fact that so many people use the same passwords for both personal and professional sites and applications. Several examples of these breaches can be found in these previous Cisco Security Blog posts: July, a Busy Month for BreachesCompromised Accounts, Stepping Stones, and 6.5 million password hashes suggest a possible breach at LinkedIn.
  4. If it looks like phish and “smells” like phish it probably is phish - Do NOT open emails that appear “phishy” – go directly to the known website of the supposed sender of the email. You should also be careful clicking links in emails from known contacts that do not have human-looking text from your friend. For example, be leery of emails which contain nothing but one URL/link or emails that start out with text such as “open this, it is funny.” Agree with your friend to send something he knows that will identify him when he sends a single link. For example ask him her to put in “I was born in XXX, July 1934″ or what team he supports.
  5. Keep your operating system (OS) and application software up to date. Many OS vendors, e.g., Microsoft, provide automated means of updating software on a regular basis, so take advantage of this offering if your vendor provides it. It is certainly understandable that probably a great many of you have important devices and simply cannot take the chance with automated updates, but for those with less mission-critical concerns it is a worthwhile practice to use automatic software updates. The Cisco Security Intelligence Operations portal includes a section devoted to security alerts affecting both Cisco and non-Cisco products.
  6. Have your “social engineering” guard up at all times.  For many of us, the combination of our personalities and lack of time causes us to become more trustworthy and accepting all invitations - whether by email, phone call, or text - on their surface.  What we need to do when working online is put on our “tinfoil hat” and simply not trust anyone! So, when you get that next email soliciting you to “click on the link” to resolve a banking dispute think twice, do NOT click on that link, and then log in directly to the website of your bank (or call them) and resolve that “issue” the proper way. Clicking on links sent to you via email or text could cause you to inadvertently and unknowingly provide login credentials and Personally Identifiable Information (PII) to the bad guys. Check out Levi Gundert’s recent post on how the loss (or theft) of PII can impact you.
  7. While Anti Virus (AV) Software is certainly not a silver bullet and probably won’t stop some of today’s more complex threats, it is still a useful tool to have in our security toolbox both for our corporate and personal devices. Although most corporate IT departments push out updates regularly to our professional devices, we need to also ensure that the AV Software running on our home and personal devices is kept current and is regularly updated.
  8. Understand the security measures that are available (and not available!) for social networking sites and applications. Many of you and your peers use some form of social networking -- e.g., Twitter, Facebook, LinkedIn, etc. -- and it is imperative that you are aware of what information gets shared and what mechanisms are available to you to restrict access to the data you want shared to only those people with whom you wish to share! You would probably be surprised to find out that the data that gets shared, both freely and inadvertently, is often leveraged for malfeasance such as phishing emails!
  9. Who you gonna call? Know who and how to report any suspect network security incidents, i.e., phishing, spam, malware, DoS, etc. This recommendation may border on the nebulous but it is really important, whether you are on your personal device at home or on a corporate device, that you know that there are resources available should you come across activity, e.g., phishing emails, evidence of DDoS attack activities, etc., that you can contact to get assistance. This could be your ISP, your corporate IT department, Help Desk, Information Security (InfoSec) department, or even a friend or coworker.
  10. Be vigilant and stay abreast of cyber security news! Regardless of your role and your technical acumen, find at least one source of security intelligence to monitor via RSS, email, Twitter, or by just directly visiting websites. Please visit the Cisco SIO portal, which includes a variety of information such as security alerts, blog posts, technical white papers, best common practices, and upcoming security conferences. Some additional recommended sources of this information include CERTNANOGFull DisclosureBugtraqSANS Internet Storm Center (ISC), and Krebs on Security…..to name a few.

My call to action to all of you is to go out there and work together to make our cyber world just a little bit safer - one byte, one email, one phish, and one website at a time!

Tags: , , , , , , , ,

A Weekly Dose of Cyber Security Awareness

In any given week, one doesn’t need to look very far to be reminded of the events and issues that can surface anytime, anywhere, and to anyone. Given their modes of occurrence, range of diverse levels, technical, non-technical, and globally, wouldn’t it be convenient to have a brief synopsis and analysis of the events and issues? A weekly publication from Cisco, the Cyber Risk Report, is available now to give you the awareness and insight related to these security events and issues. The Cyber Risk Report provides a lot of information that conveys thought-provoking analyses and perspective.

Why the Cyber Risk Report Matters

There are several benefits of this publication. The report provides current information on multiple topics saving you time from sifting through all of the media outlets. It can minimize your blind spots and broaden your understanding of the nature of the factors contributing to the weekly events being reported. It is not uncommon for these issues and events to surface simply because the victims have not seen them coming. The bad guys are betting on this. Is this the only source of knowledge needed? Of course not, but the Cyber Risk Report is certainly a great resource to gain insight and keep a pulse on the constantly evolving security landscape.

What the Cyber Risk Report Offers

The Cyber Risk Report contains a summary and analyses of events and issues that transpired in the week leading up to its publication. Every week a specialized team of Cisco security analysts meets to create its content based on a review of several information sources. This content is organized into categories that I have highlighted in red as shown in the snapshot below.

CRR_Sample

Figure 1: Cyber Risk Report Example

Read More »

Tags: , , , , , ,