Cisco Blogs

Cisco Blog > Security

Is Your Team Prepared for a Cyber Attack? Get Ready with CyberRange Training

The fire alarm went off in my building again, but fortunately, it was only a drill. By now, we are all used to the periodic fire drills for emergency preparedness in our workplaces. But have you ever wondered if there is a similar exercise possible for a cyber attack? The same logic applies. Your team will be better prepared to handle a disaster if they are trained for it.

Seeing is believing: Today I am excited to share this video from our Cisco Korea team that showcases Cisco CyberRange.

Read More »

Tags: , , , ,

Threat Spotlight: A String of ‘Paerls’, Part One

This post was co-authored by Jaeson SchultzJoel Esler, and Richard Harman

Update 7-8-14: Part 2 can be found hereVRT / TRAC

This is part one in a two-part series due to the sheer amount of data we found on this threat and threat actor. This particular attack was a combined spearphishing and exploit attempt. As we’ve seen in the past, this can be a very effective combination.

In this specific example the attackers targeted a feature within Microsoft Word — Visual Basic Scripting for Applications. While basic, the Office Macro attack vector is obviously still working quite effectively.  When the victim opens the Word document, an On-Open macro fires, which results in downloading an executable and launching it on the victim’s machine. This threat actor has particularly lavish tastes.  This threat actor seem to target high-profile, money-rich industries such as banking, oil, television, and jewelry.

Discovering the threat

The VRT has hundreds of feeds of raw threat intelligence, ranging from suspicious URLs, files, hashes, etc.  We take that intelligence data and apply  selection logic to it to identify samples that are worthy of review.  Using various methods from machine learning to dynamic sandbox analysis, we gather details about the samples – producing indicator of  compromise (IOC), and alerts made up of multiple IOCs.

During our analysis we took the last 45 days’ worth of samples, and clustered them together based on a matching set of alert criteria.  This process reduced over a million detailed sample reports to just over 15 thousand sample clusters that exhibit similar behavior.  Using this pattern of similar behavior, we were capable of identifying families of malware.  This led us to discover a Microsoft Word document that downloaded and executed a secondary sample, which began beaconing to a command and control server.

The Malicious Word documents & Associated Phishing campaign

The attacks we uncovered are an extremely targeted spear phish in the form of an invoice, purchase order, or receipt, written specifically for the recipient.  For instance, the following is an example message we observed that purportedly came from “Maesrk”, the shipping company.


Read More »

Tags: , , , , , , , , , ,

#CiscoPublicSafety Series: Connected Justice Solutions for Correctional Facilities

Two of the biggest problems that prison staff must face every day are security and cost. From visitation to healthcare to education, cost-efficient technology solutions can make the lives of inmates safer and better.

Cisco® Connected Justice™ and Renovo Software have partnered to integrate Renovo’s expertise in inmate visitation management and Cisco’s open communications infrastructure. This combination provides prisons and courts with the ability to offer telecommunications services that improve lives and uphold public safety standards while cutting costs.

A great example of this theory in practice is Muskegon County Jail. The Michigan jail will leverage Renovo’s videoconferencing technologies to facilitate visitation for inmates and their families, as well as streamline communication with courtrooms and lawyers. Televisitation allows inmates to maintain frequent face-to-face contact with their legal counsel and visitors without the concerns of physical safety and contraband. This technology alleviates a burden on prison personnel and eases the physiological impact of visiting a prison for families of inmates, especially children. Video visitation is not new, but Muskegon County is a pioneer in fully adopting the practice and planning for its future use. Read More »

Tags: , , , , ,

A Holistic Approach to Secure Enterprise Mobility

Cisco_FOM_Podcast_Gordon 6.18.14“It’s not secure enough… so we are not going to allow it to happen.”

Does this phrase seem all too familiar?

Today, IT and business leaders are faced with the challenge of securing any user from any location on any device with access to any information. At times, it can be a daunting road to travel on the path towards true enterprise mobility security. This is especially true as the combination of sophisticated threats and new mobile capabilities and applications are continuing to shape the role and evolution of security controls and policies.

As the mobile endpoint becomes the new perimeter, how can organizations evolve their mobility security policies to mitigate risk? Is protecting information at the data or device level the way to keep employees and assets secure when users conduct business on untrusted networks?

Recently, I had a chance to participate in a new Future of Mobility podcast with Dimension Data’s Stefaan Hinderyckx, to discuss the biggest challenges our customers are seeing as they deploy enterprise mobility security solutions.

Many CSOs that Stefaan speaks with are seeing the clear and present danger of opening their networks, devices and applications to a new mobile world. Yet, many are not shying away from the benefits that enterprise mobility offers. They say:

“Mobility is inevitable. It’s happening and we need to embrace it and deliver it for the business.”

With this in mind, how can IT and business leaders address key challenges and embrace a holistic approach to secure enterprise mobility?

Complexity: There Are No Boundaries Anymore

One of the biggest challenges our customers are seeing is the increase in complexity as they work to meet business needs through mobility, all while keeping users and assets secure.

Simply put, there are no boundaries anymore. There is no place you can put a firewall to make things secure on the inside and insecure on the outside.

A major reason for this complexity is the result of approaching security in a siloed manner. It can be complex to try to secure the device, data on the device, the user and the network in a disparate way!

IT and business leaders need to work together to make the whole environment secure. It is no longer enough to find point solutions to data-centric or device-centric controls, the only way to be confident in your approach is to build a holistic strategy.

Read More »

Tags: , , , , , ,

Cisco Web Security and the Health Insurance Portability and Accountability Act (HIPAA)

Spurred by the Health Insurance Portability and Accountability Act (HIPAA), which outlined a set of standards and guidelines for the protection and transmission of individual health information, as well as the subsequent amendment to address standards for the security of electronic protected health information, customers often ask me the following questions:

  • Is your product HIPAA certified?
  • Is your product HIPAA compliant?
  • Will your product meet HIPAA standards?
  • If I implement your products, will I be HIPAA compliant?

While this blog post is in no way to be construed as legal advice, I wanted to provide an overview pertinent to answering the above questions.

The Reality

In short, the answer to the above questions is NO! Here is why. There are no products on the market that are HIPAA certified or HIPAA compliant! I know this sounds challenging and some vendors have claimed that implementing their products will make the customer HIPAA compliant, but that is not the case.

HIPAA cannot be addressed with a single product or set of products. HIPAA is a series of policies and procedures that “covered entities” must implement to safeguard information. Products manufactured by Cisco and other technology companies can be used to implement those defined policies and procedures but the simple inclusion of a technology in the network does not automatically make an entity compliant. Products have to be configured to adhere to the standards set forth by HIPAA.

For a better grasp on the implications of HIPAA, let’s take a look at some of the details outlined in the Act.

Covered Entities

First, let’s examine a 2“covered entity” as defined by HIPAA.

HIPAA standards apply only to:

  • Health care providers who transmit any health information electronically in connection with certain transactions
  • Health plans
  • Health care clearinghouses

What is a Health Care Provider?

Any person or organization who furnishes, bills, or is paid for health care in the normal course of business

Protected Information

1The statute requires the privacy standards to cover individually identifiable health information. The Privacy Rule covers all individually identifiable information except for: (1) Education records covered by the Family and Educational Rights and Privacy Act (FERPA); (2) records described in 20 U.S.C. 1232g(a)(4)(B)(iv); and (3) employment records. (see the Privacy Rule at 65 FR 82496. See also 67 FR 53191 through 53193).

3The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information “protected health information” (PHI).

“Individually identifiable health information” is information, including demographic data, that relates to:

  • the individual’s past, present or future physical or mental health or condition,
  • the provision of health care to the individual, or
  • the past, present, or future payment for the provision of health care to the individual,

and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).

The Privacy Rule excludes from protected health information employment records that a covered entity maintains in its capacity as an employer and education and certain other records subject to, or defined in, the Family Educational Rights and Privacy Act, 20 U.S.C. §1232g.

Technical Safeguards

HIPAA defines security controls around the storage, access, control, and transmission electronically of the above noted protected information.

1Technical Safeguards (§ 164.312)

We proposed five technical security services requirements with supporting implementation features: access control, audit controls, authorization control, data authentication, and entity authentication. We also proposed specific technical security mechanisms for data transmitted over a communications network, communications/network controls with supporting implementation features; integrity controls; message authentication; access controls; encryption; alarm; audit trails; entity authentication; and event reporting.

In this final rule, we consolidate these provisions into § 164.312. That section now includes standards regarding access controls, audit controls, integrity (previously titled data authentication), person or entity authentication, and transmission security.

4Technical Safeguards Summary

  • Access Control—A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI).
  • Audit Controls—A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.
  • Integrity Controls—A covered entity must implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that e-PHI has not been improperly altered or destroyed.
  • Transmission Security—A covered entity must implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network.

Cisco believes that today’s dynamic threat landscape, new business models, and complex regulatory requirements require a new threat-centric approach to security. This new security model reduces complexity, while providing superior visibility, continuous control, and advanced threat protection across the extended network and the entire attack continuum. This makes it easier for customers to act more quickly before, during, and after an attack, which is particular important to risk management and reduction.

In regards to Cisco Web Security products and transmission security conformance, Cisco Web Security products provide the necessary encryption services along with audit, entity authentication, and event reporting to help address the technical safeguards.

Cisco Web Security products do not determine that the receiving website is of the appropriate type or has implemented the appropriate controls for handling HIPAA protected data but ensures that the information was transmitted securely upon request by the transmitter (think data loss prevention, not covered in this paper). It is the responsibility of the customers’ security and administrative staffs to determine which sites are deemed acceptable for receiving or transmitting this data. Cisco Web Security products can provide transmission security, transmission entity authentication, event reporting, and integrity of the transmission via the HTTPS protocol.


The Department of Health and Human Services HIPAA Act of 1996 amended in 2003 has many complex provisions and should be reviewed on a regular basis by any covered entity’s security and administrative staffs for conformance. The intent of the Act is the protection of private health information via both administrative and technical safeguards. Cisco provides a range of security products that can be used by customers to meet many of the requirements outlined in the HIPAA standards but only if properly configured, maintained, and monitored. As stated earlier, deployment of a single product or set of products will not, in and of themselves, ensure HIPAA compliance.


  2. 45 CFR §§ 160.102, 164.500

Tags: , , , ,