Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. This month’s release sees a total of 13 bulletins being released which address 48 CVEs. Three of the bulletins are listed as Critical and address vulnerabilities in Internet Explorer, GDI+ Font Parsing, and Windows Journal. The remaining ten bulletins are marked as Important and address vulnerabilities in Microsoft Office, Sharepoint, .NET, Silverlight, Service Control Manager, Windows Kernel, VBScript/JScript, Microsoft Management Console, and Secure Channel.
I am often asked about how I transitioned from a music teacher to a Data Privacy and Compliance Leader. Reflecting on my journey over the last 15 years, I have realized that it’s the same strengths that I demonstrated as a music teacher that have contributed to my success in the high tech sector. One of the lessons I learned is trying to turn weaknesses into strengths doesn’t work for me. Focusing on my core strengths regardless of which sector I work in is what enables me to achieve my best results. I encourage you to do the same as too often we don’t focus enough on our strengths and what sets us apart. Here’s what’s worked for me: Read More »
Industrial control system (ICS) operators and owners have found themselves in an unenviable position. Once air-gapped, serial-based critical industrial control systems are now becoming more and more connected. And while many of the systems themselves have not changed, the networking world around them has changed dramatically, introducing vulnerabilities and threats that had been nearly non-existent ten or 20 years ago. Each networked connection from the control network to the corporate network is another potential avenue of attack. Control networks are designed to be static and predictable, but more and more commercial off-the-shelf applications and operating systems, as well as routable protocols, are now being introduced. This is creating more complexity with no greater visibility leaving operators blind to what is on their networks.
Over the past three years, Cisco has invested in the creation of an application security awareness program. The program helps the good citizens of this company understand, apply, and act upon a strategy to build more trustworthy products. We launched the existence of the program to the world at the RSA Conference 2015. I am sharing this with you because we’ve created something unique to the industry, and we want to encourage other companies to pursue the creation of an application security awareness program.
When you think about security awareness, do you envision phishing e-mails, Nigerian princes, and tailgating cyber criminals? Security vulnerabilities are a fact of life, but we can help our organizations develop a greater level of understanding and a desire to put security first in their development efforts. At Cisco, we believe that security awareness training should feature traditional training about crazy links you should not click under any circumstances and how to stop strangers from entering your buildings, as well as application security awareness. Application security awareness, when done well, can drive security culture change to make a company and its products and solutions safer. Moving an organization to focus on security is possible, because we have done it.
Enough talking about it, please take a sneak peek at how we do it here in this video.
Yesterday, I reported on Cisco’s new ACI security announcements and an overview of our secure data center strategy. Today, I wanted to share some interesting market insights that we pulled from a survey conducted by Enterprise Strategy Group (ESG) that Cisco commissioned, and that validates some key data center security trends and requirements that support our product strategy. Some of the key conclusions and data collected were shared in press coverage of the product announcement. The full survey results are here, and below are some summary graphics we prepared for our launch event.
Cisco commissioned the survey (conducted by ESG) to learn more about the challenges and issues IT professionals face when planning and implementing data center security.
- The survey sampled 154 IT security professionals in North America responsible for network security requirements and operations. All respondent organizations had to be using physical firewalls (or virtual firewalls) and access control lists (ACLs).
- Most respondents represented large midmarket organizations (defined as organizations with 500 to 999 employees) and enterprise organizations (organizations with 1,000 up to 10,000 employees). 71 percent operated from three up to 20 data centers worldwide.
- The study included broad representation from industry verticals: financial, manufacturing, health care, government, retail and business services.
- The survey was conducted in April 2015.
Top Survey Findings
The people problem: Implementing network security controls is tedious and time-consuming.
- 69 percent of organizations reported it takes from one man-hour up to four man-hours on average to convert a single new application network requirement into a network device or firewall configuration (before they even implement the new configuration, test it, etc.)
- 74 percent say that it takes days or weeks to implement security device updates from request all the way through to production implementation. (See InstaGraphic below)
Solution: Just like SDN revolutionized the data center by automating network configuration changes, ACI is accelerating security changes by automating device updates and configuring how security services are inserted into application networks, helping to ensure greater accuracy and allowing IT to keep up with business requirements.