Prologue

On April 10, 2013, a collective of politically motivated hacktivists announced a round of planned attacks called #OPUSA. These attacks, slated to begin May 7, 2013, are to be launched against U.S.-based targets. #OPUSA is a follow-up to #OPISRAEL, which were a series of attacks carried out on April 7 against Israeli-based targets. Our goal here is to summarize and inform readers of resources, recommendations, network mitigations, and best practices that are available to prevent, mitigate, respond to, or dilute the effectiveness of these attacks. This blog was a collaborative effort between myself, Kevin Timm, Joseph Karpenko, Panos Kampanakis, and the Cisco TRAC team.

Analysis

If the attackers follow the same patterns as previously witnessed during the #OPISRAEL attacks, then targets can expect a mixture of attacks. Major components of previous attacks consisted of denial of service attacks and web application exploits, ranging from advanced ad-hoc attempts to simple website defacements. In the past, attackers used such tools as LOIC, HOIC, and Slowloris.

Publicly announced attacks of this nature can have highly volatile credibility. In some cases, the announcements exist only for the purpose of gaining notoriety. In other cases, they are enhanced by increased publicity. Given the lack of specific details about participation or capabilities, the exact severity of the attack can’t be known until it (possibly) happens. Read More »

Tags: advisories, ASA, botnet, botnets, Cisco Security, Cloud Computing, cloud security, data center security, DDoS, exploits, firewall, incident response, IPS, IPS signatures, malware, mitigations, security, targeted attacks, TRAC, vulnerability

“A security advisory was just published! Should I hurry and upgrade all my Cisco devices now?”

This is a question that I am being asked by customers on a regular basis. In fact, I am also asked why there are so many security vulnerability advisories. To start with the second question: Cisco is committed to protecting customers by sharing critical security-related information in a very transparent way. Even if security vulnerabilities are found internally, the Cisco Product Security Incident Response Team (PSIRT) – which is my team – investigates, drives to resolution, and discloses such vulnerabilities. To quickly answer the first question, don’t panic, as you may not have to immediately upgrade your device. However, in this article I will discuss some of the guidelines and best practices for responding to Cisco security vulnerability reports.

Read More »

Tags: advisories, CVSS, cybersecurity, exploits, incident response, malware, psirt, security advisories, security advisory, security notice, security notices, security top of mind, vulnerability

A few weeks ago I had the pleasure of participating, as a guest speaker, in a webinar titled “Targeted Attack, Targeted Response: Designing and Implementing an IR Plan That Works.” Joe Riggins, Senior Director of Incident Response for HBGary, moderated this Q&A format webinar. We discussed the current incident response (IR) challenges companies are facing, as well as specific steps organizations can take to design, test, and successfully implement an ongoing IR plan for their specific business environment.

The webinar recording can be accessed here.

Read More »

Tags: incident response, security

The list of account compromises over the past week is almost too long to list, and the numbers of verified or estimated compromised accounts has reached ridiculous numbers.  With the media spotlight on these current companies’ compromises, we’ll likely get more details on the security weaknesses, outright failures, and more from the narcissistic vulnerability pimps taking credit for exposing those security problems.

Aside from the obvious of changing passwords, what can you and your organization do?

I won’t prognosticate on the list of best practices that may have been violated in these compromises, but they will be reported following the long, detailed, and expensive investigations in coming weeks and months, because most of them will be well-known but for one reason or another not practiced.  The media reporting and the company’s public statements will cover those, and they will likely be worth a review for any significant points.  We can let them tell the story, again.

Instead let’s focus on some things that people may not know or understand that can actually improve your security around these incidents.  We highlighted a couple of these practices in the 2011 Annual Security Report, and more recently in the Emerging Threats Briefing at Cisco Live 2012.

First, let’s help our customers, users, and organizations.  Given the opportunity, many people will take the simplest and easiest way.  In the case of passwords, that means they will use their birthday, username, “password”, “123456”, and so on.  We’ll see these lists of bad passwords in coming weeks too.  It’s human nature, and too much work to try and remember all those passwords, right? Which leads to the second point of people that use the same password on multiple accounts (more on this shortly).  As security practitioners, professionals,…we too often are setting up our users and organizations to fail.  We have to do better, and here’s how.  Every security control must have technical controls that enforce and monitor that security control, or we have no idea if it is effective.  In the case of passwords, that means creating policies, security controls, and technical controls that require a user to create a strong password and change it regularly.  If we let a user create a password of “123456”, they have done as should be expected, and we have failed.  Even with the best account credentials, the accounts have to be monitored for suspicious activity with technical controls to alert security teams and users when, for example, a password is changed.  For a good reference list see: FY 2011 Chief Information Officer Federal Information Security Management Act Reporting Metrics.  Note the account activity items on the list: Locked out accounts, failed logins, dormant accounts, password aging…

Read More »

Tags: event monitoring, incident response, password manager, passwords, situational awareness, targeted attacks

Product security covers quite a broad spectrum of knowledge areas within the realm of technologies applied to enable communications in this highly connected world. However, there is a natural tendency to first focus on the basic capabilities of the product itself. But later, questions arise such as “Is the product in operation vulnerable and if yes, what are the next steps to protecting against the vulnerability?” or “What can I do if I suspect a security issue with a product?” As much as one would like to sustain 100% immunity against any vulnerability or issue, events happen, inherent product weaknesses are discovered or new attack vectors and methods arise to expose ways to compromise a product’s operation or behavior. At Cisco, the people that rapidly converge on such occurrences or the potential for such occurrences are the Incident Managers (IM) who reside at the core of the Product Security Incident Response Team (PSIRT) within Security Intelligence Operations (SIO). I think it is fascinating how well this team seamlessly executes with the precision, efficacy, and timeliness on a day-in-day-out basis covering a large array of complex hardware, software, and technologies. The IM focuses on driving the underlying processes around the discovery of security disclosures and issues related to Cisco products and networks. I hope you will find that this article provides you with an informative and personal perspective on the IM role that is integral to the ongoing efforts essential to protecting the Cisco customer.

Read More »

Tags: incident, incident response, psirt