Cisco Blogs


Cisco Blog > Security

Let’s Hack Some Cisco Gear at SecCon!

December 18, 2012 at 8:54 am PST

Cisco SecCon 2012 brought together hundreds of engineers, live and virtually, from Cisco offices around the globe with one common goal: to share their knowledge and learn best practices about how to increase the overall security posture of Cisco products.

It is amazing to see how many definitions the word “hack” has out on the Internet. Just look at Wikipedia: http://en.wikipedia.org/wiki/Hack. In short, the word “hack” does not always mean a “bad” or “malicious” action.

I’ve had the opportunity and honor to present at SecCon several times, 2012 being my fourth year. My session this year was titled “Cisco PSIRT Vulnerability Analysis: What Has Changed Since Last SecCon”. As you probably already know (or might have guessed), I’m part of Cisco’s Product Security Incident Response Team (PSIRT). During my talk I went over an analysis of the vulnerabilities that were discovered, driven to resolution, and disclosed during this past year, as well as lessons learned from them. I also highlighted several key accomplishments Cisco has achieved during the last few years. For example, Cisco now has the ability to correlate and patch third-party software vulnerabilities. Additionally, we have grown Cisco’s Secure Development Lifecycle (CSDL) into a robust, repeatable and measurable process. As Graham Holmes mentioned in a recent blog post:

Our development processes leverage product security baseline requirements, threat modeling in design or static analysis and fuzzing in validation, and registration of third-party software to better address vulnerabilities when they are disclosed. In the innermost layer of our products, security is built-in to devices in both silicon and software. The use of runtime assurance and protection capabilities such as Address Space Layout Randomization (ASLR), Object Size Checking, and execution space protections coupled with secure boot, image signing, and common crypto modules are leading to even more resilient products in an increasingly threatening environment. Read More »

Tags: , , , , , , , ,

Cisco Wraps Up 5th Annual SecCon Conference

Having recently wrapped up the 5th Annual Cisco SecCon Conference, I’d like to take this opportunity to share with you what Cisco SecCon is and the benefits to our products and you, our customers. With that, let’s start with a brief overview!

What is Cisco SecCon?

SecCon is a security conference for Cisco engineers that focuses on two critical elements for a healthy corporate Security intelligence: 1) expansion of knowledge for all and 2) building a sense of community. We allocate two days for intensive hands-on security training, and then we provide two general session days to discuss a variety of security topics including:

  • Cisco Secure Development Lifecycle
  • Best practices for security test suites
  • Cutting-edge cryptography
  • Implementation challenges
  • Current threat landscape
  • Vulnerability trends

Read More »

Tags: , , , , , ,

The Power of Mobility & Learning

December 11, 2012 at 11:18 am PST

The mobility trend holds great promise for improved productivity and new engagement models. These are most powerful in a learning effort—imagine learning anywhere and anytime. I just wish I had the Internet and the mobility that students have today when I went to school. Yet, mobility is an IT tsunami that will not recede. One of the most damaging aspects of this storm is the possibility of numerous personal devices that are entering organizations, accessing the network and eventually critical assets, and stealing sensitive data or mistakenly bringing malware. Many people know this policy as BYOD or bring your own device. This is not a new phrase but it is still quite prevalent. Inventory and provisioning of personal mobile devices is just the tip of this wave. Organizations want to control mobile devices to ensure acceptable usage and minimize security incidents.

Read More »

Tags: , , , ,

Where the Rubber Meets the Road: The Security Control Framework

When Cisco introduced the Cisco SecureX Architecture at the 2011 RSA Conference in San Francisco, it aimed to provide network security practitioners the following benefits of a security architecture:

  • Contextual awareness
  • Comprehensive visibility
  • Scalable control
  • Dynamic adaptability to new threats
  • Data and application protection

What exactly does this mean? What does it do? How is it implemented? Which products are needed to achieve the benefits of a Cisco SecureX Architecture?

These are just some of the questions we hear when consulting with people tasked with the protection of an organization’s information and providing appropriate security controls around current and/or new business initiatives.

Around business initiatives, joint research conducted by IBM developerWorks and the IBM Center for Applied Insights has reported four information technologies (mobile technology, business analytics, cloud computing, and social business) that are rapidly reshaping how enterprises operate. This joint research has been published in the 2012 IBM Tech Trends report and security has been identified as a threat to innovation and a top barrier to adopting business-critical technology.

“Mobile technology, business analytics, cloud computing, and social business are rewriting strategic playbooks across industries. In these spaces, new business possibilities are emerging faster than many organizations can act on them, with significant IT skill shortages and security concerns threatening progress. Yet, some companies are equipped to innovate at the front edges of these fast-moving technology trends and drive strategic advantages for their organizations.” -- 2012 IBM Tech Trends pdf

With that introduction of how security relates to business innovation, the aim of this blog post is to raise awareness that the Cisco SecureX architecture is beyond marketing and that in the background, Cisco and our partners are developing products, technology, services, and learning curricula—to help practitioners deploy cyber security architectures using models such as the Cisco Security Control Framework—so that a security architectural blueprint can be in place to allow organizations to have the confidence and agility to accelerate business transformation.

Read More »

Tags: , ,

Real World DNS Abuse: Finding Common Ground

Prologue

The Domain Name System (DNS) is the protocol leveraged within the Internet´s distributed name and address database architecture. Originally implemented to make access to Internet-based resources human-friendly, DNS quickly became critical infrastructure in the intricate behind-the-scenes mechanics of the Internet, second only to routing in its importance. When DNS becomes inaccessible, the functionality of many common Internet-based applications such as e-mail, Web browsing, and e-commerce can be adversely affected—sometimes on a wide scale. This short blog post will explore some real-world examples of DNS abuse. I would like to welcome and thank Andrae Middleton for joining me as a co-author and presenting his expertise on this article.

There are a few different types of DNS attacks: cache poisoning, hijacking attacks, and denial of service (DoS) attacks (which primarily include reflection and amplification). In the news as of late are widespread and focused DoS attacks. Cisco Security Intelligence Operations (SIO), with its distributed sensors, is able observe and measure various aspects of the global DNS infrastructure. What follows are two vignettes detailing recent Internet DNS DoS attacks against the Internet’s DNS infrastructure. We will see that, though the attacks are different, the results are similar and the countermeasures and mitigations are the same.

Read More »

Tags: , , ,