Cisco Blogs


Cisco Blog > Security

Today’s the Day: Announcing the Cisco IOS Software Security Advisory Bundle

Today, Cisco is celebrating a milestone in its commitment to helping you act on security intelligence—our 10th bundle of Cisco IOS Software Security Advisories. We’re proud of our commitment to these predictable disclosures (on the fourth Wednesday of March and September annually) because they originated as a direct response to your feedback. Bundled publications allow you to plan ahead and ensure resources are available to analyze, test, and remediate vulnerabilities in your environments. In an upcoming post, my colleague John Stuppi will share how the Cisco Product Security Incident Response Team (PSIRT) drove the evolution from a traditional disclosure model to the current semiannual bundled publication. John’s post will also provide another vehicle to share feedback with PSIRT, the organization that manages the receipt, investigation, and public reporting of security vulnerability information that is related to Cisco products and networks.

Make sure you take a look at the Cisco Event Response—our “go to” document that correlates the full array of Cisco Security Intelligence Operations (SIO) resources for this bundle (including links to the advisories, mitigations, Cisco IntelliShield Alerts, CVSS scores, and OVAL content). Remember, this collateral is not unique to Cisco IOS Software Security Advisories but is part of Cisco SIO’s response to current security events.

Today’s edition of the Cisco IOS Software Security Advisory Bundled Publication includes seven advisories that affect the following technologies:

  • Network Address Translation
  • Resource Reservation Protocol
  • Internet Key Exchange
  • Zone-Based Firewall Session Initiation Protocol Inspection
  • Smart Install
  • Protocol Translation
  • IP Service Level Agreement  Read More »

Tags: , , , , , ,

Cisco Security Masters Dojo Course at CanSecWest 2013

My colleague, Joe Karpenko, and I will be presenting the Network Threat Defense, Countermeasures, and Controls Security Masters Dojo training course at the CanSecWest 2013 Applied Security Conference.

Attendees will perform two roles. First, as a Security Practitioner who will secure and harden devices within an organization’s network infrastructure, and second, as a Security Incident Response Investigator who must correctly detect, classify, and prevent threats targeting a network by configuring and deploying advanced network threat defenses and countermeasures. Read More »

Tags: , , ,

New PSIRT Deliverable Aids Transparency in Vulnerability Disclosure

A phrase I’ve recently been hearing repeated is that “product features will come and go, but risk mitigation is continuous.”  With that in mind, our Product Security Incident Response Team (PSIRT) is doing its part by seeking ways to improve how we transparently communicate information about Cisco product vulnerabilities to our Customers and Partners.  Starting in January of 2013 we will be launching a new deliverable called the Cisco Security Notice.

The purpose of the Cisco Security Notice is to make it easier for Customers and Partners to access information about low to medium severity vulnerabilities in Cisco products.  A Cisco Security Notice will be the primary disclosure document for all security defects that PSIRT scores with a Common Vulnerability Scoring System (CVSS) base score from 4.0 to 6.9 and will be posted to the PSIRT publication listing page.  Each vulnerability disclosed through a Cisco Security Notice will be assigned a Common Vulnerability and Exposures (CVE) Identifier to aid in identification.   Check out the sites for CVE, CVSS, and this CVSS scoring calculator if these terms are relatively new to you or you simply need a refresher.  Read More »

Tags: , , , , ,

Protecting Our Networks: It’s a Team Game Now!

January 3, 2013 at 12:31 pm PST

I have been coaching youth sports for the past seven plus years now and one of my common mantras when speaking to the girls and boys each season is that “we will win as a team and lose as a team.”  In other words, I will never tolerate one player acting selfishly enough to think he or she is above everyone else on the team.  I strive to instill the objective that we will collectively pool our talents for the betterment of the team.  We use this approach because each boy and girl, believe it or not, brings with himself or herself a unique set of abilities and strengths with which the entire team will benefit.

So why should you care about my coaching philosophies?  :-)  Read More »

Tags: , , , , ,

Security Assessments: More Than Meets the Eye

Is the product safe to use? I have been asked this question on occasion in a non-technical sense and maybe you have too. In a technical context, I could frame the question as “Are the online services and underlying technologies supporting my services safe?”  A continuous effort must go into substantiating the preferable answer (“Yes”) that we are looking for, both prior to and after releasing a product or service into the wild. Security Intelligence Operations (SIO) includes a team of network security experts that form the Security Technology Assessment Team (STAT). They provide security assessment expertise across Cisco’s product and services organizations. In this article, I elaborate on their role and how they complement product and services organizations at Cisco in helping to protect you, our customer.

In the not-so-distant past it used to be that the majority of notoriety around product security was focused more around physical aspects. For example, a manufacturer announces a product recall about a defect (i.e. vulnerability) that could cause potential physical harm or worse. Fast-forward to today where computing devices and associated Internet plumbing comprise an entirely distinct category of product security needed.  Within that category, I would also suggest that services and the underlying supporting infrastructure would also fall into this category in the ongoing quest for achieving network security.  I think that this quote from a U.S. government hearing underscores the value of that quest as well.

When we bring in new technologies, we bring in new exposures and new vulnerabilities, things we really haven’t thought about. It takes a little while before we understand it, and after a while we begin to secure it. But our mindset needs to change. This is not the same as industrial technologies or new ways of doing aircraft or cars. These technologies are global and they expose us globally, literally within milliseconds.

House of Representatives Hearing on Cybersecurity: Emerging Threats, vulnerabilities, and challenges in securing federal information systems

Business units and quality assurance groups at Cisco apply multi-level security processes throughout the development of products and services to ensure that security is embedded into everything that is ultimately delivered to customers. For example, Cisco’s secure development life cycle (SDL) provides a highly effective process in detecting and preventing security vulnerabilities and improving overall system quality.  Cisco SDL has several elements that include, but not limited to, source code analysis and white box testing that feed into the security posture of a product or service.  Cisco has a security advocates program, a virtual community of people who understand network security and secure product development (and testing) and who can share and evangelize that knowledge with their peers, their colleagues, and their management.

Read More »

Tags: , , , , , ,