Today, we released the first Cisco IOS Software Security Advisory Bundled Publication of 2014. Six years ago, Cisco committed to disclosing IOS vulnerabilities on a predictable schedule (on the fourth Wednesday of March and September each calendar year) in direct response to your feedback. We know this timeline allows your organization to plan ahead and ensure resources are available to analyze, test, and remediate vulnerabilities in your environments.
Today’s edition of the Cisco IOS Software Security Advisory Bundled Publication includes six advisories that affect the following technologies:
“A security advisory was just published! Should I hurry and upgrade all my Cisco devices now?”
This is a question that I am being asked by customers on a regular basis. In fact, I am also asked why there are so many security vulnerability advisories. To start with the second question: Cisco is committed to protecting customers by sharing critical security-related information in a very transparent way. Even if security vulnerabilities are found internally, the Cisco Product Security Incident Response Team (PSIRT) – which is my team – investigates, drives to resolution, and discloses such vulnerabilities. To quickly answer the first question, don’t panic, as you may not have to immediately upgrade your device. However, in this article I will discuss some of the guidelines and best practices for responding to Cisco security vulnerability reports.
“Change is inevitable—except from a vending machine.”
In the spirit of Robert C. Gallagher’s famous quote—and in our quest to never be a vending machine—we’ve rolled out several updates to Cisco’s Security Intelligence Operations (SIO) Portal which I trust you will find useful. Thanks to your feedback, we continue to evolve the Portal to ensure that relevant security content is where you need it, when you need it. Providing timely information to our customers requires not only a global team of Cisco security experts to pipeline the latest information, but a complementary team who ensures that the most significant issues are also the most visible. In fact, that’s the most exciting change we made: a new ‘Security Highlights’ tab which allows a cross-functional group, led by our content managers, to call out the most important issues to our customers. That way, instead of looking at IntelliShield alerts, Cisco Security Notices, or Event Responses individually when time is scarce, this new tab gives you an at-a-glance view of Cisco security content our experts feel is most pressing given all of the events into which we have a view.
Security automation is a hot topic these days. Most organizations have many systems to patch and configure securely, with numerous versions of software and features enabled. Many security administrators are seeking ways to leverage standards and available tools to reduce the complexity and time necessary to respond to security advisories, assess their devices, and ensure compliance so they can allocate resources to focus on other areas of their network and security infrastructure.
Cisco is committed to protect customers by sharing critical security-related information in different formats.