Cisco Blogs


Cisco Blog > Security

Cisco Live 2014 San Francisco: Security Technology Track

Cisco Live, May 18-24, 2014, is quickly approaching and registration is open. This is the 25th anniversary of Cisco Live and we return to the Bay Area at San Francisco’s Moscone Center. Educational sessions are organized into technology tracks to make it easy to find the topics that most interest you. With network and data security being top of mind, I’d like to highlight the Security technology track’s exciting content lineup. Read More »

Tags: , , , , , , , , , , , , , , , , , ,

Year-Long Exploit Pack Traffic Campaign Surges After Leveraging CDN

TRACThis post is coauthored by Andrew Tsonchev.

Anyone can purchase an exploit pack (EP) license or rent time on an existing EP server. The challenge for threat actors is to redirect unsuspecting web browsing victims by force to the exploit landing page with sustained frequency. Naturally, like most criminal services in the underground, the dark art of traffic generation is a niche specialty that must be purchased to ensure drive-by campaign success. For the past year we have been tracking a threat actor (group) that compromises legitimate websites and redirects victims to EP landing pages. Over the past three months we observed the same actor using malvertising -- leveraging content delivery networks (CDNs) to facilitate increased victim redirection -- as part of larger exploit pack campaigns. Read More »

Tags: , , , , , , , , , , ,

Heartbleed: Transparency for our Customers

We know that communicating quickly and openly about security vulnerabilities can result in a little extra public attention for Cisco. As a trustworthy vendor, this is something we’re happy to accept.

It’s recently been said that there is only one thing being discussed by IT security people right now – the OpenSSL heartbeat extension vulnerability (aka Heartbleed). As the guy responding to related media questions for Cisco, that certainly rings true.

This is an industry-wide issue affecting commonly-used, open source encryption software. Some of my colleagues recommended this blog or this blog for an overview of the topic.

Cisco was one of the first to provide a comprehensive update for our customers (April 9): OpenSSL Heartbeat Extension Vulnerability in Multiple Cisco Products. This advisory continues to be updated, and at the time of this posting was on its fourth version. It provides an overview of the topic, and a full list of the Cisco products confirmed as affected, remediated, or not affected. It also links to more information, including any available workarounds or free software updates.

Our customers can rely on the fact that our response will be managed according to our long-standing security disclosure policy. This means providing the best information we have, as quickly as possible, even if that information could be incomplete at the time. As we continue to make progress, we will continue to update our public-facing information.

To our customers: we recommend staying connected to this information, and consider any implications for your network.

Tags: , , ,

Ferguson Group Ltd keeps an Eye on Operations with Cisco Physical Security

April 11, 2014 at 9:21 am PST

I remember growing up in the UK years ago during the UK’s  ‘North Sea Oil Boom’. It was a time of great excitement and opportunity for the nation. A whole industry was developed to deal with offshore exploration to ‘bring the energy home’.

It was Aberdeen’s local ‘moon landing’ event -  just five months after Neil Armstrong landed on the moon, the North Sea oil fields were discovered off the east coast of Scotland. Certainly parts of Scotland, Aberdeen especially, saw an uptick in employment from the gloomy ’60s, and the economy changed from rural farming, fishing and textiles to include a more industrial oil and gas setting. Employment, property prices and investment in the City boomed.

Video Surv. from Ferguson Case StudyFerguson is a great Scottish name, but the founder is a great example of how folks were attracted  from outside Scotland (founder Bill Ferguson Jr. is an American) to help further the oil industry in Scotland. Today, Ferguson Group are a key part of the Aberdeen economy, as a leading suppliers of containers, accommodations, and workspace modules for the offshore energy industry (now worldwide).

I thought I’d share how Ferguson conquered a business challenge -- namely protecting high-value equipment and, at the same time, use a standardized system and process worldwide whilst keeping up with industry security standards.

As Graham Cowperthwaite said in a recent article: “For years our headquarters in Scotland relied on an analog video security system”. Graham is director of operations at Ferguson Group, and went on to say “That system wasn’t meeting our needs in terms of image quality and remote accessibility.” He added: “For example, our board members are often traveling between bases, and want to have the ability to check back on facilities from any networked location, even from an iPad. We simply couldn’t do that with an analog system.”

So Ferguson switched from a an analog security system to an IP-based solution, from Cisco. And it wasn’t just cameras and door hardware. They also needed to consider the security and reliability of the network on which camera images and access history would be transmitted and stored.

 ”We looked at other physical security offerings on the market, but nothing came close to Cisco in terms of comprehensiveness,” says Graham Cowperthwaite. “Only Cisco could provide us with a total combination of Cisco IP video cameras, door readers, firewalls, and routers, all available globally with the highest levels of vendor support. We were already a Cisco house in terms of our network infrastructure, and the interoperability of these solutions fit in perfectly with our goals for standardization.”

Ferguson Group now relies on the Cisco® Video Surveillance Manager to monitor its entire facility in Aberdeenshire, including doors, buildings, and the many valuable assets in the company’s storage yard. Supervisors on the Ferguson network can access live, high-quality footage on a laptop or mobile device. They can even review recorded footage as necessary. This all runs on an integrated Cisco architecture (based on Cisco Desktop Virtualization with VMware (VXI), running on the Cisco Unified Computing System™ (UCS®), for the techies amongst you!).

The business results? Read More »

Tags: , , , , , , , , , ,

March 2014 Threat Metrics

The median rate of web malware encounters in March 2014 was 1:260, compared to a median rate of 1:341 requests in February. At least some of this increased risk appears to have been a result of interest in the NCAA tournaments (aka March Madness), which kicked off during the second week of March in the United States.

Mar2014rate

In February 2014, web malware encounters from sports and video sites were in the 18 and 28 spot, respectively. During March 2014, web malware from sports- and video-related sites jumped to the number 7 and 8 spots, respectively. The presumed longer time spent viewing sports-related content may have been a factor in a 1% decrease in the total volume of web requests in March coupled with a corresponding 18% increase in terabytes received.

Mar2014catall

The ratio of unique non-malicious hosts to unique malware hosts decreased by 1%, at 1:4841 in March 2014 compared to 1:4775 in February. The ratio of unique non-malicious IP addresses to malicious unique IP addresses also dropped from 1:1351 in February 2014 to 1:1388 in March. There was also far less volatility in the rate of unique malicious IP addresses throughout March compared to February.

Mar2014hosts

Java encounters dropped from 9% of all web malware encounters in February 2014 to 6% in March. At 43% of all Java encounters, Java version 7 exploits were the most frequently encountered, with 26% targeting Java version 6, and 32% targeting other versions of Java.

 

Mar2014java

Web malware encounters from mobile devices decreased 24% from February to March 2014. In March 3.6% of all Web malware encounters resulted from mobile device browsing, compared to 4.7% in February. Conversely, web malware encounters from non-Android and non-iOS devices doubled for the period, from 0.1% in February to 0.2% in March. The cause of this increase was not due to any specific device, but rather an across-the-board increase affecting all non-Android and non-iOS devices.

Mar2014mobile

At 18%, advertising was the most common vector of mobile device encounters, followed by business-related sites at 13% and video-related sites at 11% of mobile device encounters. For comparison purposes, in February 2014, sites in the business category were the most common vector of mobile device encounters (20%), followed by advertising (13%) and personal sites (8%). Video came in fourth in February, at 7%.

Mar2014catmob

Pharmaceutical & Chemical remained at 1100% of median risk for web malware encounters in March 2014, the same rate experienced in February. Companies in the Entertainment vertical experienced an increase from 321% in February to 643% in March. The Energy, Oil & Gas vertical increased from a rate of 276% in February to 397% in March.

To assess vertical risk, we first calculate the median encounter rate for all enterprises, and then calculate the median encounter rate for all enterprises in a particular vertical, then compare the two. A rate higher than 100% is considered an increased risk.

 

Mar2014vert

Following a 73% increase from January to February, spam volumes increased another 45% in March to an average of 207 billion spam messages per day.

Mar2014spamvol

The top five global spam senders in February 2014 were the United States at 8%, followed by the Republic of Korea at 5%, Russian Federation at 3%, China at 2%, and Ukraine at 1%.

Tags: , , , , ,