
By now you’ve probably seen this statistic from SiriusDecisions: 80 percent of B2B customers say that customer experience is the most significant reason behind the decision to work with a particular provider. It’s also been reported that if a customer doesn’t see value within 90 days of purchasing a product, there’s only a 10% chance they’ll remain loyal.

Findings like that are powerful, and they’ve had a big impact on Cisco and our decision to transform for customer success. The importance of customer success is also why we can’t stop talking about digitization. The two go hand in hand, because digital touchpoints drive a great deal of the value realization that is tied to customer experience today. As a partner, you either have the capability to deliver those touchpoints at scale and in a timely and personalized way—or you don’t. Partners that don’t are missing out on the windfall of profits, revenues and renewals that come from customer relationships that stand the test of time.

Nov. 14 Webinar: Join us as we discuss the customer digital experience. Register Now for “Digital: It’s Now Or Never”

Our Battle Cry: Not If but When

It’s easy to see why customer success has become our battle cry at Cisco. It’s no longer a question of if our partners should implement it in their own organizations, but a question of when. With time to value now more critical than ever across our installed base, the important thing is to get started, and the good news is that Cisco is here to help.

I’m proud to say that we’re unique in the industry in enabling our partners with everything that’s needed to effectively address the evolving requirements of today’s connected customers throughout the post-sale lifecycle. We’ve developed a comprehensive library of free digital assets on SuccessHub, along with platforms, tools and programs, such as Lifecycle Advantage, to help you create value across each phase of your customers’ post-sale journey. As you plan, build, scale and monetize a customer success practice, if you haven’t already done so, we invite you to explore these partner-focused offerings—all designed to drive growth, streamline digital engagement, and create customer stickiness for your business.

At Cisco, we believe that ensuring customers are successful is the most strategic approach to a strong future in the subscription economy, so much so that we’re betting our business on it. We are continuing to modernize practices across our organization with customer success top of mind, and we are equally committed to helping you forge stronger, more mutually beneficial customer relationships that are steeped in value.

Authors

Scott Brown

Senior Vice President

Global Virtual Sales & Customer Success


Networking product datasheet specifications may appear similar at a cursory glance when you compare vendors. However, the devil is in the details, and the similarities end quickly when testing and measuring their capabilities on performance, security, power efficiency, failover handling, and software programmability.

The demand on today’s enterprise campus infrastructure is continually increasing to meet the growing needs of mobile devices, IoT and data-hungry applications. The network that connects everything has to deliver the performance for superior user experience regardless of the traffic type and connection. Another challenge is the ever increasing malicious and sophisticated attacks from a variety of sources across endpoints, network, cloud, and applications.

Businesses need to move at the speed of digital, and it is critical for IT to make sound investments that enable them to quickly respond to new business requirements.

Here are key criteria for enterprises to consider when comparing network solutions:

  • Security: Cybersecurity is the #1 priority for businesses worldwide because security breaches carry dire consequences for organizations. A chain of trust must extend from secure boot through image signing and run-time defenses to securing the control plane; otherwise the weakest link in the chain becomes susceptible to attack. The importance of identifying malware in encrypted traffic is only going to increase. Accuracy and Speed of Detection, Encrypted Traffic Analysis, and Secure Encryption Matters.
  • QoS Support, Performance and Packet Loss: Data is made up of text, pictures, audio, speech, and video. While packet loss may not be substantial, it will increase measurably with the number of active clients. Some use cases are forgiving and packets can be identified and resent if lost. However, recurring packet loss can render videos unwatchable and drop phone calls. Quality of Service and Performance Matters.
  • Visibility in Identifying Application Traffic and Interference Sources: The biggest network IT expense is operations. The ability to analyze traffic is the first step in identifying sources that could pose threats. The alternative is to look for a needle in a haystack. Identifying Application Data Sources Matters.
  • High Availability, Contending with Interference, and Faster Fail-Over: Networks need to be fault-tolerant, able to identify sources of interference, and resilient so they continue to operate properly in the event of a failed link or device failure and restore quickly so time dependent apps can continue without interruption. Redundancy, Identifying Interference and Resiliency Matters.
  • Wireless AP Range, Performance, and Transmit Power: Coverage and roaming capability are key for optimal network operation. However, wireless APs cannot have excessively high transmit power; otherwise you run the risk of co-channel interference that can cause client connectivity issues or degraded performance from retransmission. Optimal Transmit Power Matters.
  • Software Programmability: The ability to host Linux based applications that simplify automation and provisioning makes the network engineer more efficient. Flexibility in Supporting Linux Based Apps in a Secure Manner Matters.

What does this mean to the CxO, network buyer, procurement buyer, and IT engineers?
Answer: Cisco builds technologies with the future in mind, and offers the scalability, resiliency, and ease of operation with the defensive mechanisms and comprehensive security tools. “The Network. Intuitive.” launch is a good example of how Cisco is preparing our customer for tomorrow’s challenges through powerful automation, analytics and security innovations, so they can respond faster to changing business needs and remain competitive.

Miercom’s evaluation found that while Cisco and Huawei both offer what appear to be comparable components for building a campus-wide wireless and wired network infrastructure, the side-by-side testing revealed that the Cisco package offers significant and important advantages that Huawei does not. Cisco showcased superior performance against the Huawei wireless and switching solutions, with a highly developed resource management, hardware, software and security platform that provides the most optimized, secure and trustworthy system to every customer.

Miercom summed it up nicely: “Based on the results of this testing, comparing the campus wired and wireless network architectures and wares of Cisco and Huawei Technologies, we found many business-enabling capabilities favoring the Cisco solution. We proudly award the Miercom Performance Verified Certification to Cisco’s campus-infrastructure network designs and related packages for monitoring, management, and control.”

For the full details, download the comprehensive Miercom report and accompanying test results.

Authors

Prashanth Shenoy

Vice President of Marketing

Enterprise Networking and Mobility


Innovation in today’s disruptive digital economy can come from anyone and anywhere—inside and outside any enterprise. This means companies must fire up and fuel co-innovation like never before across all functions, grade levels, geographies, partners and customers within, without and among their four walls.

This 360-degree approach to hyper co-innovation is imperative in our new age of mass digitization. The unimagined speed and complexity of today’s digital revolution is disrupting markets in every industry routinely. And I firmly believe companies that don’t embrace this accelerated pace of change with a more holistic view of hyper co-innovation will perish or become irrelevant.

A century ago, the average life expectancy of a firm in the Fortune 500 was about 75 years, according to Deloitte. Today, corporate extinctions average fewer than 15 years and their lifespans continue to decline. Further, Gartner predicts that only 30% of digital innovation strategies will be successful in the coming years. The clarion call is loud, clear, and urgent: Widen the aperture of co-innovation and converge best practices inside and out.

Here is my three-point plan for converging disruptive co-innovation inside and outside a big company to stay ahead of the competition:

Build an external ecosystem of innovation partners

First, companies must disrupt themselves from the outside. This may be contrary to conventional innovation wisdom that begins internally, but it’s critical to let the outside in in order to adapt to digital change. This means organizations must abandon traditions of solely developing solutions in house, whether in the R&D, engineering or product development group. Leading-edge digitization in any market sector requires companies to build and rely more on a strong and interconnected ecosystem of partners to co-develop solutions. No single company today can do it all alone.

One of the best ways to cultivate this ecosystem is to stand up fully-equipped working labs at locations strategic to your business. At Cisco, we have nine Innovation Centers worldwide, each bringing together local entrepreneurs, programmers, startups, accelerators, government, academia, partners and customers to co-develop either customized solutions or game-changers that can scale globally.

Each hub focuses on solutions most germane to its region, but each is also connected to all the others, creating a network multiplier effect where problem-solving and best practices are shared. From these incubation centers, we co-develop and monetize myriad leading-edge solutions we could not have done on our own.

Public innovation challenges, whether local or global, also help to stimulate introductions, interactions and relationships with your partner community. Challenges not only help to identify and nurture novel ideas, but also strengthen critical relationships with innovators who have special expertise in your own markets. To be successful for everyone, challenges must make clear the goals, types of solutions sought, timelines, judging criteria, and winning prizes, which must be worthwhile. Most importantly, follow up and help co-develop winning entries for go-to-market solutions.

There are many other ways to build a winning co-development community, such as engaging in industry consortia or standards bodies to help shape the direction of products, solutions or services; holding hackathons or development competitions at trade shows; and co-developing closely, transparently and directly with your customers.

Ignite a culture of start-up like innovation companywide

Second, bust up your business unit silos internally by opening up innovation challenges companywide for EVERY employee. I started Cisco’s internal program companywide several years ago because of pressure from turned-on employees who wanted to enter the external challenge but weren’t allowed to do so. There’s clearly a yearning from employees to be part of something bigger that also taps into their own passions.

At many companies, innovation programs have been isolated within the domains of R&D, engineers, product managers or individual departments. These programs are still critical, of course, but in today’s world of constant reinvention it’s imperative to think outside your silo by unleashing the passions and inner entrepreneurs of every single employee. Remember, innovation can come from anywhere and anyone.

Big companies in particular have launched plenty of innovation bombs or implosions for many reasons: one-time events that fizzle out . . . lack of C-Suite commitment . . . firm hierarchical cultures . . . aversion to risk and experimentation . . . scarce resources, tools or training . . . unclear goals and processes . . . poor follow-through on new ideas—the list goes on. Perhaps the biggest breakdown is the inability of innovation activists to enlist co-collaborators to drive disruptive thinking across all business units.

So, it can be extra daunting to launch an innovation disruption across an entire enterprise, especially if tens of thousands of employees are spread out over countries on every continent with their own micro cultures. Activating a companywide innovation program is not for the faint of heart. You can count on plenty of resistance, but you must remain inspired, steadfast and optimistic. The end goal is too important: the survival and success of your enterprise in the digital marketplace.

A companywide innovation program often means disrupting your entire culture—from top to bottom–encouraging employees across ALL functions, grades and geographies to team up, disrupt, and co-innovate together. The goal is to transform the culture by empowering and encouraging employees everywhere to think and act more like entrepreneurs in a startup. Fostering an entrepreneurial and collaborative mindset companywide will surface new ideas that may produce game-changers, process improvements or enhancements to existing approaches. Once it’s in your culture’s DNA, co-innovation will become the gift that keeps on giving.

On Sept. 20, we launched this year’s third successive challenge, which builds on the foundational progress and momentum of prior initiatives.  In my post last month catching up with last year’s results, I noted that more than 53% of our workforce from 89 countries and all Cisco organizations participated in some way. They either formed venture teams or joined them, submitted venture ideas, commented or voted on innovations, or logged onto and joined our new “Always On” innovation site—The Hub. Nearly 800 ventures were submitted by about 1,600 employees, 62% of whom were on teams.

A dozen winners and non-winners from the first year’s program continue to move their venture ideas toward monetization, with the help of more than 200 mentors and 20 executives providing them with seed funding. Most importantly, the program continues to gain momentum companywide with high and inspired engagement levels at the same time we’re beginning to reap the rewards of our first disruption two years ago.

How can you do this? My nine building blocks for a companywide innovation disruption can apply to most any company of any size in any industry. Each block is carefully crafted to optimize engagement, co-development and a spirit of entrepreneurism. Individually and collectively, they are essential to conceive, plan, and execute a successful innovation journey: Development, Coaching, Mentorship; Incentives, Rewards, Recognition; Executive Support; Resources and Tools; Transparency and Metrics; Community and Collaboration; Engagement and Communication; Alignment to Company Priorities; Make it Fun!

I won’t detail the steps here, but I’d like to emphasize a few crucial points:

  • This is a “grass roots movement” where employees should feel empowered to bring their ideas to life, but make sure you have strong backing and commitment from the C-Suite and other departmental executives, especially Human Resources, which should be your hand-in-hand partner.
  • Provide a wealth of online and in-person resources that make it easy for innovators to learn startup approaches to develop ideas, find like-minded team members and mentors, and connect Founders with Angels. Our around-the-clock Hub has more than 4,000 registered mentors.
  • Leverage employee communications and executives to reinforce key messages that keep innovators inspired and on track and those resisting change at bay.

Converge and synergize innovation best practices inside and out

Bring the outside in and the inside out by inviting leaders from your ecosystem to help guide venture teams, conduct workshops on lean startup methodologies, and allow employees to work alongside partners at innovation centers or contact customers to validate their ideas.

By collaborating more closely, employees across the workforce spectrum, external partners, and customers can share fresh ideas, learn how their unique talents can contribute to better business outcomes, and re-energize themselves. This is how it works in Silicon Valley—co-innovation is not a political game; it is a team sport where each player has a specific role.

This is hyper co-innovation at its best. I have always found it ironic that people in large companies sometimes think it would be better to work in a startup, yet people in startups strive to become the next Fortune 100 success story. I have worked in both environments. To me, working in an environment of hyper co-innovation is the best of all worlds for enterprises and their customers.


Note: A version of this commentary was first published in Innovation Leader.


Meanwhile, if you have questions, get stuck, or need an innovation therapist, don’t hesitate to contact me by email, Twitter, or LinkedIn.


Authors

Alex Goryachev

Senior Director, Innovation Strategy & Programs

Corporate Strategic Innovation Group


At ANGAcom in May 2017, we showed the first worldwide demonstration of Full Duplex DOCSIS 3.1 (FDX DOCSIS).

FDX DOCSIS is a truly significant innovation to DOCSIS. A critical mid-life upgrade for the HFC network, FDX DOCSIS will help to position the industry at the forefront of innovation, providing the service provider market with an access network scalable well beyond that of the competition. The FDX DOCSIS innovation is also why Remote PHY is so important to the market; without Remote PHY we would not be able to evolve to a highly distributed network and support FDX to its fullest extent.

Let me expand on what we showed at ANGAcom: we had two cable modems based on the Intel® Puma™ 7 SoC in the setup, one receiving data in the downstream and the other transmitting in the upstream, both in the same spectrum of 108 MHz to 204 MHz. What we demonstrated there was our “echo cancellation” capability, which enables the use of the same spectrum in both directions, i.e. full duplex. This was done in collaboration with Intel, and we are again working with Intel on the SCTE demo.

Why did we show a proof of concept that only does 96 MHz symmetrical, when the goal is 576 MHz of shared spectrum? Because current silicon technology on the Remote Phy Device and cable modem have limitations – maxing out at an upstream spectral location of 204 MHz. The 96 MHz shared spectrum in the demo had a downstream rate of 890 Mbps (with 4K QAM) and an upstream rate of 680 Mbps (with 1K QAM). For our SCTE demonstration, we’ll be using the same spectrum and bandwidth, but that’s where the comparison stops.

At SCTE, our FDX DOCSIS demo will include seven cable modems based on the Intel Puma SoC. Why seven? By incorporating seven modems in the demo, we can show you the FDX DOCSIS Interference Groups (IG), including IG discovery capabilities. It will also demonstrate how normal DOCSIS 3.0 modems can work on the same network as FDX DOCSIS modems; considering the sheer volume of DOCSIS 3.0 modems deployed, this functionality is compelling.

Why is it important to demonstrate Interference Groups? With FDX DOCSIS, the network supports simultaneous bi-directional transmissions across the same spectrum, hence full duplex. Interference between the full-duplex transmissions must be mitigated for it to work. Remember, DOCSIS is a shared medium, where multiple cable modems connect to the same Converged Cable Access Platform (CCAP) port or network segment. When one cable modem transmits upstream to the CCAP, that upstream signal may interfere with other cable modems that are receiving data from the CCAP (downstream) at the same frequency. This type of co-channel interference (CCI) is different from the DS-to-US interference, where the source of the interference is known and can be canceled out via echo cancellation at the node, as we showed at ANGAcom. FDX DOCSIS resolves this CM-to-CM CCI issue by grouping cable modems that interfere with each other into Interference Groups. Cable modems in the same Interference Group must transmit or receive in the same direction at any given frequency and time. Cable modems from different IGs have enough “RF isolation” to allow simultaneous upstream and downstream transmissions at the same frequency. Read how John Chapman explains this in a recent Lightreading blog.

How do we determine if there is enough “RF isolation”? Enter the Interference Group Discovery protocol, a new capability introduced in FDX DOCSIS that enables the CCAP to conduct cable-modem-to-cable-modem interference measurement via sounding. During sounding, the CCAP selects one or more FDX DOCSIS capable cable modems to transmit test signals on designated frequency locations, while directing other FDX DOCSIS capable cable modems to compute and report the received MER (RxMER) on those frequencies. The CCAP then repeats this procedure until the CCI levels on all relevant frequencies have been tested between all possible cable modem combinations. Based on the results, the CCAP forms the Interference Groups.
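The sounding-and-grouping procedure just described, as an added worked example (not Cisco or CableLabs code). It assumes a simplified model in which two modems interfere when a reported RxMER drops below a threshold, groups them by connected components, and checks the IG scheduling rule from the previous paragraph; the 30 dB threshold, the frequency set and the seven-modem measurement data are constructed for the example.

```python
"""Forming FDX DOCSIS Interference Groups from sounding measurements.

Added example, not Cisco or CableLabs code. The CCAP has one modem transmit
a test signal on a frequency while the others report RxMER, repeats until
every modem pair and frequency has been measured, then groups modems that
lack RF isolation. Connected-component grouping and the 30 dB threshold are
assumptions made for this example; the measurement set is constructed.
"""
from collections import defaultdict
from itertools import combinations
from typing import Dict, List, Tuple

CABLE_MODEMS = ["CM1", "CM2", "CM3", "CM4", "CM5", "CM6", "CM7"]
SOUNDING_FREQS_MHZ = [120, 150, 180]   # constructed test-signal locations
ISOLATION_THRESHOLD_DB = 30.0          # assumed: RxMER below this means interference

# (transmitting CM, measuring CM, frequency in MHz) -> reported RxMER in dB
Sounding = Dict[Tuple[str, str, int], float]


def constructed_sounding_results() -> Sounding:
    """Complete measurement set: every pair, both directions, every frequency."""
    results: Sounding = {}
    for a, b in combinations(CABLE_MODEMS, 2):
        for f in SOUNDING_FREQS_MHZ:
            results[(a, b, f)] = 45.0   # well isolated by default
            results[(b, a, f)] = 45.0
    # Three pairs whose upstream test signal degrades the other modem's RxMER.
    results[("CM1", "CM2", 120)] = 18.0
    results[("CM2", "CM3", 150)] = 22.0
    results[("CM4", "CM5", 120)] = 15.0
    return results


def untested_pairs(cms: List[str], results: Sounding, freqs: List[int]):
    """Pair/frequency combinations with no measurement in either direction.
    The CCAP keeps sounding until this list is empty."""
    missing = []
    for a, b in combinations(cms, 2):
        for f in freqs:
            if (a, b, f) not in results and (b, a, f) not in results:
                missing.append((a, b, f))
    return missing


def interfering_pairs(results: Sounding, threshold_db: float):
    """Unordered modem pairs that interfere on at least one frequency."""
    pairs = set()
    for (tx, rx, _f), rxmer in results.items():
        if rxmer < threshold_db:
            pairs.add(frozenset((tx, rx)))
    return pairs


def form_interference_groups(cms, results, freqs, threshold_db=ISOLATION_THRESHOLD_DB):
    """Return the IGs as a sorted list of sorted modem lists; refuse to group
    until sounding has covered every combination."""
    missing = untested_pairs(cms, results, freqs)
    if missing:
        raise ValueError(f"sounding incomplete: {len(missing)} combinations untested")
    parent = {cm: cm for cm in cms}   # union-find over the interference graph

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for pair in interfering_pairs(results, threshold_db):
        a, b = tuple(pair)
        parent[find(a)] = find(b)
    groups = defaultdict(list)
    for cm in cms:
        groups[find(cm)].append(cm)
    return sorted(sorted(g) for g in groups.values())


def schedule_violations(groups, direction: Dict[str, str]):
    """direction maps CM -> 'US' or 'DS' for one frequency/time slot.
    Modems in the same IG must all go the same way; return groups that do not."""
    violations = []
    for group in groups:
        directions = {direction[cm] for cm in group if cm in direction}
        if len(directions) > 1:
            violations.append(tuple(group))
    return violations


if __name__ == "__main__":
    igs = form_interference_groups(CABLE_MODEMS, constructed_sounding_results(), SOUNDING_FREQS_MHZ)
    print("Interference Groups:", igs)
    print("Schedule violations:", schedule_violations(igs, {"CM1": "US", "CM2": "DS"}))
```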

Although it may sound easy, this is complicated technology. That was a quick explanation; to find out more, stop by and see us at SCTE, where we’ll gladly walk you through the demo and answer your questions in more detail.

At SCTE, we are demonstrating the Continuous Wave (CW) sounding method, designed for a deployment scenario where DOCSIS 3.1 cable modems, after a software upgrade, can share the DS spectrum with FDX DOCSIS cable modems. For example, a low-split or mid-split DOCSIS 3.1 cable modem can share the downstream spectrum between 108 and 684 MHz, and a high-split DOCSIS 3.1 cable modem can share the downstream spectrum between 258 and 684 MHz. During the CW sounding process, one or multiple FDX cable modems send CW test signals at selected downstream subcarriers, while the rest of the cable modems, including both legacy D3.1 and FDX cable modems, measure the MER using the DOCSIS 3.1 RxMER method.

The IGs we will be demonstrating at the SCTE are another step toward making FDX DOCSIS operational. Please make sure you stop by and see us at our SCTE booth (#987); we are honored to be demonstrating this new FDX DOCSIS capability together in conjunction with Intel.

Authors

Daniel Etman

Product Marketing Director

Cisco's Cable Access Business


On October 16th, Mathy Vanhoef and Frank Piessens, from the University of Leuven, published a paper disclosing a series of vulnerabilities that affect the Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access II (WPA2) protocols. These are protocol-level vulnerabilities that affect wireless vendors providing infrastructure devices and wireless clients which follow the WPA and WPA2 specifications. These vulnerabilities were also referred to as “KRACK” (Key Reinstallation AttaCK) and details were published at: https://www.krackattacks.com

What Cisco Products are Affected?

The Cisco Product Security Incident Response Team (PSIRT) has disclosed the impact of these vulnerabilities in Cisco products at the following Cisco Security Advisory:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171016-wpa

It is important to note both affected access points and the associated clients must be patched in order to fully remediate this issue. Installing the patches only in infrastructure wireless devices will not be sufficient in order to address all of the vulnerabilities. Similarly, fixing only the client will address nine (9) of the ten (10) vulnerabilities; however, it will not fix the vulnerability documented at CVE-2017-13082.


Industry Coordination

Mathy Vanhoef originally reported these vulnerabilities to the Cisco PSIRT and we engaged the Industry Consortium for Advancement of Security on the Internet (ICASI) via the Unified Security Incident Response Plan (USIRP).

The USIRP enables Product Security Incident Response Teams (PSIRTs) from ICASI member companies to collaborate quickly and effectively to resolve complex, multi-stakeholder Internet security issues. These issues include: vulnerabilities in commonly-used software; incidents – urgent or emergent – that affect multiple ICASI member organizations; and ongoing or long-term problems that warrant a strategic response.

Cisco also worked with the researchers, CERT coordination center, the Wi-Fi Alliance, and several other industry peers during the investigation of these vulnerabilities.

ICASI has published a summary of the industry coordination and collaboration at the following link: http://www.icasi.org/wi-fi-protected-access-wpa-vulnerabilities

Vulnerability Details and Additional Information

The following Common Vulnerability and Exposure (CVE) identifiers have been assigned to each of these vulnerabilities:

  • CVE-2017-13077
    • Reinstallation of the pairwise key in the Four-way handshake.
    • The vulnerability could allow an unauthenticated, adjacent attacker to force a supplicant to reinstall a previously used pairwise key.
    • An attacker could exploit this vulnerability by establishing a man-in-the-middle position between supplicant and authenticator and retransmitting previously used message exchanges between supplicant and authenticator.

  • CVE-2017-13078
    • Reinstallation of the group key in the Four-way handshake.
    • The vulnerability could allow an unauthenticated, adjacent attacker to force a supplicant to reinstall a previously used group key.
    • An attacker could exploit this vulnerability by establishing a man-in-the-middle position between supplicant and authenticator and retransmitting previously used message exchanges between supplicant and authenticator.

  • CVE-2017-13079
    • Reinstallation of the integrity group key in the Four-way handshake.
    • The vulnerability could allow an unauthenticated, adjacent attacker to force a supplicant to reinstall a previously used integrity group key.
    • An attacker could exploit this vulnerability by establishing a man-in-the-middle position between supplicant and authenticator and retransmitting previously used message exchanges between supplicant and authenticator.

  • CVE-2017-13080
    • Reinstallation of the group key in the Group Key handshake.
    • The vulnerability could allow an unauthenticated, adjacent attacker to force a supplicant to reinstall a previously used group key.
    • An attacker could exploit this vulnerability by establishing a man-in-the-middle position between supplicant and authenticator and retransmitting previously used message exchanges between supplicant and authenticator.

  • CVE-2017-13081
    • Reinstallation of the integrity group key in the Group Key handshake.
    • The vulnerability could allow an unauthenticated, adjacent attacker to force a supplicant to reinstall a previously used integrity group key.
    • An attacker could exploit this vulnerability by establishing a man-in-the-middle position between supplicant and authenticator and retransmitting previously used message exchanges between supplicant and authenticator.

  • CVE-2017-13082
    • Accepting a retransmitted Fast BSS Transition Re-association Request and reinstalling the pairwise key while processing it.
    • The vulnerability could allow an unauthenticated, adjacent attacker to force an authenticator to reinstall a previously used pairwise key.
    • An attacker could exploit this vulnerability by passively eavesdropping on an FT handshake, and then replaying the re-association request from the supplicant to the authenticator.

  • CVE-2017-13084
    • Reinstallation of the Station-to-station link (STSL) Transient Key (STK) in the PeerKey handshake.
    • The vulnerability could allow an unauthenticated, adjacent attacker to force an STSL to reinstall a previously used STK.
    • An attacker could exploit this vulnerability by establishing a man-in-the-middle position between the stations and retransmitting previously used message exchanges between stations.

  • CVE-2017-13086
    • Reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake.
    • The vulnerability could allow an unauthenticated, adjacent attacker to force a supplicant that is compliant with the 802.11z standard to reinstall a previously used TPK key.
    • An attacker could exploit this vulnerability by passively eavesdropping on a TDLS handshake and retransmitting previously used message exchanges between supplicant and authenticator.

  • CVE-2017-13087
    • Reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
    • The vulnerability could allow an unauthenticated, adjacent attacker to force a supplicant that is compliant with the 802.11v standard to reinstall a previously used group key.
    • An attacker could exploit this vulnerability by passively eavesdropping and retransmitting previously used WNM Sleep Mode Response frames.

  • CVE-2017-13088
    • Reinstallation of the integrity group key (IGTK) when processing a WNM Sleep Mode Response frame.
    • The vulnerability could allow an unauthenticated, adjacent attacker to force a supplicant that is compliant with the 802.11v standard to reinstall a previously used integrity group key.
    • An attacker could exploit this vulnerability by passively eavesdropping and retransmitting previously used WNM Sleep Mode Response frames.


Impact Categories

The aforementioned vulnerabilities can be grouped into two categories:

  • those that affect wireless endpoints acting as a “supplicant”
  • those that affect wireless infrastructure devices acting as “authenticators”


Exploitation

Exploitation of these vulnerabilities depends on the specific device configuration. Successful exploitation could allow unauthenticated attackers to cause the reinstallation of a previously used encryption or integrity key (either by the client or the access point, depending on the specific vulnerability).

Once a previously used key has successfully been reinstalled (by exploiting the disclosed vulnerabilities), an attacker may proceed to capture traffic protected by the reinstalled key and attempt to decrypt such traffic. In addition, the attacker may attempt to forge or replay previously seen traffic.

An attacker can perform these activities by manipulating retransmissions of handshake messages.

Additional details on example attack scenarios can be found on the published paper and at the KRACK Attack website.

In all cases, an attacker will need to be adjacent to the access point, wireless router, repeater, or the client under attack. In other words, the attacker must be able to reach the affected wireless network.

A Way to Detect the Attacks

Several of the disclosed attacks require the attacker to “present” the same Basic Service Set Identifier (BSSID) as the real access point (AP), but operating on a different channel. An SSID is the primary name associated with a wireless local area network (WLAN), including enterprise networks, home networks, public hotspots, and more; client devices use this name to identify and join wireless networks.

This impersonation can be detected by Cisco enterprise wireless access points, and customers can take action based on notifications from the Wireless LAN Controllers (WLCs).

There are two fundamental ways that the KRACK attacks can be executed against WLANs:

KRACK Attacks against WLANs

  1. Faking an infrastructure AP (rogue AP): this includes presenting the same MAC address as a real AP, but on a different channel. This is fairly easy to do; however, the attack is “very visible” (i.e., it can be easily detected).
  2. Injecting frames into a valid connection, forcing the client to react: this attack can be a little harder to detect; however, it can still be detected by looking for null-key attacks or Initialization Vector (IV) reuse. The wireless infrastructure devices (APs, WLCs, etc.) would need to detect data frames sent with their own MAC address on the currently operating channel; wireless SMEs are looking into this.

EAPoL Attack Protections

The following applies to the vulnerabilities described in CVE-2017-13077 through CVE-2017-13081. Wireless clients can be protected relatively easily using Cisco Wireless LAN Controllers (WLCs).

In order to successfully exploit these vulnerabilities, the attacker needs at least one additional EAPoL retry generated by the authenticator during the WPA 4-way handshake, or during the broadcast key rotation. Blocking the retries will prevent exploitation of the Pairwise Transient Key (PTK)/Group-wise Transient Key (GTK) vulnerabilities.

Configuration

There are two mechanisms available to achieve this configuration:

  • Global: available in all releases
  • Per WLAN: available from Cisco WLC 7.6 to latest

The global option is the easier of the two to implement. All Cisco WLC versions support this option. When configuring .

The per-WLAN setting allows more granular control, with the possibility to limit which SSIDs are affected, so the change can be applied per device type, etc., if those devices are grouped on specific WLANs. This is available from version 7.6.

For example, it could be applied to a generic 802.1X WLAN, but not to a voice-specific WLAN, where it may have a larger impact.

Global configuration:

config advanced eap eapol-key-retries 0

(CLI only option)

The value can be validated with:

(2500-1-ipv6) >show advanced eap
EAP-Identity-Request Timeout (seconds)........... 30
EAP-Identity-Request Max Retries................. 2
EAP Key-Index for Dynamic WEP.................... 0
EAP Max-Login Ignore Identity Response........... enable
EAP-Request Timeout (seconds).................... 30
EAP-Request Max Retries.......................... 2
EAPOL-Key Timeout (milliseconds)................. 1000
EAPOL-Key Max Retries............................ 0
EAP-Broadcast Key Interval....................... 3600

Per WLAN configuration:

X=WLAN ID

config wlan security eap-params enable X
config wlan security eap-params eapol-key-retries 0 X

How to Identify if a Client is Deleted Due to Zero Retransmissions:

The client would be deleted because the maximum number of EAPoL retries was reached, and would then be deauthenticated. The retransmit count shows 1 because the initial frame is counted.

*Dot1x_NW_MsgTask_6: Oct 19 12:44:13.524: 28:34:a2:82:41:f6 Sending EAPOL-Key Message to mobile 28:34:a2:82:41:f6 state PTKINITNEGOTIATING (message 3), replay counter 00.00.00.00.00.00.00.01
..
*osapiBsnTimer: Oct 19 12:44:14.042: 28:34:a2:82:41:f6 802.1x 'timeoutEvt' Timer expired for station 28:34:a2:82:41:f6 and for message = M3
*Dot1x_NW_MsgTask_6: Oct 19 12:44:14.042: 28:34:a2:82:41:f6 Retransmit failure for EAPOL-Key M3 to mobile 28:34:a2:82:41:f6, retransmit count 1, mscb deauth count 0
..
*Dot1x_NW_MsgTask_6: Oct 19 12:44:14.043: 28:34:a2:82:41:f6 Sent Deauthenticate to mobile on BSSID 58:ac:78:89:b4:19 slot 1(caller 1x_ptsm.c:602)

Rogue Detection

Several of the attack techniques for the vulnerabilities against the client PMK/GTK encryption need to “present” a fake AP with the same SSID as the infrastructure AP, but operating on a different channel. This can be easily detected, and the network administrator can take physical action based on it, as it is a visible activity.

There are two ways proposed so far to carry out the EAPoL attacks:

  • Faking an infrastructure AP, in other words, acting as a rogue AP using the same MAC address as a real AP, but on a different channel. Easy for the attacker to do, but visible.
  • Injecting frames into a valid connection, forcing the client to react. This is a lot less visible, but detectable under some conditions; it may need very careful timing to be successful.

The combination of AP impersonation features and rogue detection can detect if a “fake ap” is being placed in the network.

Complete the following steps in a Wireless LAN Controller (WLC):

Step 1. Make sure rogue detection is enabled

Step 2. Create a rule to flag rogue APs using “managed SSIDs” as malicious:


Step 3. Navigate to Wireless > 802.11a/n/ac > RRM > General and ensure that Channel List is set to “All Channels” under the Noise/Interference/Rogue/Clean Air Monitoring Channels section.

These recommendations have been part of wireless best practices and are documented at the Rogue Management and Detection best practice document.

Cisco Mobility Services (CMS) and Cisco Connected Mobile Experiences (CMX)

Cisco Mobility Services (CMS) coupled with Cisco Connected Mobile Experiences (CMX) software allows for detection of KRACK.

With Cisco Connected Mobile Experiences (CMX) 10.4 (coming out November 2017) or MSE 8.0MR5 with PI 2.2 and later, the location of the Rogue AP will be shown to the network administrator.

This is done by leveraging Cisco CMX location algorithms coupled with the RSSI signal strength. The result will help pinpoint any rogue APs and thus help discover possible KRACK attacks.

Workarounds

IEEE 802.11r, or fast BSS transition (FT), also called “fast roaming”, could be disabled on a wireless infrastructure device to mitigate some of these vulnerabilities. Unfortunately, disabling FT will introduce performance issues in busy environments.

The FT key hierarchy is designed to allow clients to make fast BSS transitions between access points (APs) without requiring re-authentication at every AP. Modern WLAN devices support FT, and it is typically enabled by default. When FT is enabled, the initial handshake allows the wireless client and the APs to calculate the Pairwise Transient Key (PTK) in advance. These PTKs are applied on the client and the AP after the client completes the reassociation request/response exchange with the new target AP. Disabling FT could cause instability and performance issues in wireless networks, which is why it is not considered a workaround in most environments.

No workarounds have been identified for any of these vulnerabilities, with the exception of a workaround for CVE-2017-13082.

AP impersonation

In the default configuration, the infrastructure can detect if the attack tool is using one of our AP MAC addresses. This is reported as an SNMP trap and would be an indication that the attack is taking place:

Impersonation of AP with Base Radio MAC bc:16:65:13:a0:40 using source address of bc:16:65:13:a0:40 has been detected by the AP with MAC Address: bc:16:65:13:a0:40 on its 802.11b/g radio whose slot ID is 0
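As an added example (not Cisco's code or tooling), the following Python script checks a `show advanced eap` excerpt for an `EAPOL-Key Max Retries` value of 0 and extracts the EAPoL retransmit-failure, deauthentication and AP impersonation events quoted above from WLC log and trap text. The sample output and log lines are constructed from the snippets on this page, and the regular expressions are assumptions about the message format rather than a documented schema.

```python
import re

# Constructed `show advanced eap` excerpt, modelled on the output quoted above.
SHOW_ADVANCED_EAP = """\
EAPOL-Key Timeout (milliseconds)................. 1000
EAPOL-Key Max Retries............................ 0
EAP-Broadcast Key Interval....................... 3600
"""

# Constructed WLC log lines, modelled on the debug output and SNMP trap quoted above.
WLC_LOG = """\
*Dot1x_NW_MsgTask_6: Oct 19 12:44:14.042: 28:34:a2:82:41:f6 Retransmit failure for EAPOL-Key M3 to mobile 28:34:a2:82:41:f6, retransmit count 1, mscb deauth count 0
*Dot1x_NW_MsgTask_6: Oct 19 12:44:14.043: 28:34:a2:82:41:f6 Sent Deauthenticate to mobile on BSSID 58:ac:78:89:b4:19 slot 1(caller 1x_ptsm.c:602)
Impersonation of AP with Base Radio MAC bc:16:65:13:a0:40 using source address of bc:16:65:13:a0:40 has been detected by the AP with MAC Address: bc:16:65:13:a0:40 on its 802.11b/g radio whose slot ID is 0
"""

MAC = r"([0-9a-f]{2}(?::[0-9a-f]{2}){5})"  # lower-case colon-separated MAC, as the WLC prints it
RETRIES_RE = re.compile(r"^EAPOL-Key Max Retries\.+\s*(\d+)\s*$", re.MULTILINE)
RETRANSMIT_RE = re.compile(
    r"Retransmit failure for EAPOL-Key (M\d) to mobile " + MAC + r", retransmit count (\d+)")
DEAUTH_RE = re.compile(MAC + r" Sent Deauthenticate to mobile on BSSID " + MAC)
IMPERSONATION_RE = re.compile(
    r"Impersonation of AP with Base Radio MAC " + MAC + r" using source address of "
    + MAC + r" has been detected by the AP with MAC Address: " + MAC)


def eapol_key_max_retries(show_output):
    """Return the configured EAPOL-Key Max Retries value (0 = hardened), or None if absent."""
    m = RETRIES_RE.search(show_output)
    return int(m.group(1)) if m else None


def scan_wlc_log(log_text):
    """Return a list of (event_type, details) tuples for the KRACK-relevant WLC messages."""
    events = []
    for line in log_text.splitlines():
        if m := RETRANSMIT_RE.search(line):
            events.append(("eapol_retransmit_failure",
                           {"message": m.group(1), "client": m.group(2), "count": int(m.group(3))}))
        elif m := DEAUTH_RE.search(line):
            events.append(("client_deauth", {"client": m.group(1), "bssid": m.group(2)}))
        elif m := IMPERSONATION_RE.search(line):
            events.append(("ap_impersonation",
                           {"base_radio": m.group(1), "source": m.group(2), "detected_by": m.group(3)}))
    return events


if __name__ == "__main__":
    print("EAPOL-Key Max Retries:", eapol_key_max_retries(SHOW_ADVANCED_EAP))
    for kind, details in scan_wlc_log(WLC_LOG):
        print(kind, details)
```

An `eapol_retransmit_failure` event with count 1 followed by a `client_deauth` for the same client is the expected signature of the zero-retries setting doing its job; an `ap_impersonation` event is the trap to alert on.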

Remediation

Cisco has started providing fixes for affected products, and will continue publishing software fixes for additional affected products as they become available. The details about all affected products and available fixes can be found in the Cisco Security Advisory.

Authors

Omar Santos

Distinguished Engineer

Cisco Product Security Incident Response Team (PSIRT) Security Research and Operations


It’s no secret that Cisconians are fueled by creativity, collaboration, and innovation – but did you know there’s something else that keeps us going too? FOOD! 😀 Not only are we surrounded by delicious meals throughout our Cisco cafes daily – we also have dedicated Cisco Foodies on our teams as well!

Food and nutrition help to maintain our productivity and provide energy throughout our work day, (naturally, we’re okay if you Instagram it too! 😀) and, in true Cisco Fashion, our Workplace Resources team thought, “Why shouldn’t every trip to the café be a culinary adventure?!”

Want to travel around the world? You can do that through the Cisco cafes! From comfort food like the American grilled cheese, to adding a little spice to your day with authentic carnitas tacos – we love having a global approach to the flavors we bring to the table.

Here’s a few of our favorite stops:

1. Fresh Fish Market: The east coast docks come to life at café 11 as Chef Juan and his team make these incredible made-to-order dishes (poached salmon or freshly marinated ceviche, anyone?) right out of the Fisherman’s Wharf!

2. Seasonal Pho Bar: Café 21 might offer the Pho Bar of your dreams as it’s not only made to order, but build your own! Yes, please! Or, when Pho’s not in season, what you find might take you to a different part of the country. For the months when fish is at its best, you’ll find Chef Joe playing around with his famous Poke Bowl.

3. The Republic of Spice: What’s special about this location? Featuring Indian cuisine, this station has lifelong Indian chefs preparing and cooking all of these recipes, and for an extra added dose of authenticity? They’re sharing recipes from their own families that have been passed down over the years! Now that’s love you can taste! Come say hi to Anita in café 11, Amar in café 21, or Mohammed in café 17. 😀

Justin Riray, a Cisco employee in Customer & Partner Experience, appreciates that the diversity we have on campus is also reflected in the daily cuisine offerings: “My go-to lunch spot has to be Café 11 – they’ve got a great variety of cuisine. Sometimes I just want a cheeseburger, cheesesteak, or a pizza. But if I want chicken tikka masala, a burrito, or teriyaki bowls? They have those as well. Chef Herb and his staff are awesome and are very open to feedback from us Cisconians on meals we’d like to try.”

Umashankar Meda, who is the Global Lead for ICON (Indians Connecting People), an employee resource organization (ERO) at Cisco, shares similar sentiments: “Dining at Cisco is not just about eating but an opportunity to explore diversity and multiculturalism. I see the specialized chefs in our own Cisco Cafes always thinking of ways to reinvent standard favorites by adding flavors and ingredients found in recipes from other countries and cultures.”

Food can also be the staple that brings people (and events) together! Any time a campus-wide event is being planned Cisco’s HR team partners with the campus dining providers, LifeWorks Restaurant Group, to take the culinary experience to a brand new level. Recently, we were focused on our Parties on the Patio (POP) events. The POPs this past summer challenged the head chefs to think outside the box and featured cuisines from the Caribbean (Jamaican Beef Curry with Plantains) to Midwest Barbeque (Blue Moon Drunken Chicken). One word to describe these events? “Yum!”

Katie Meitzler from Cisco’s HR team spearheads all the Parties on the Patio events in San Jose, and is constantly coming up with new and innovative ways to increase attendance – and unique storytelling through food is just one of those ways! She shared a recent favorite POP event called “At Your Service” which celebrated a new 5-star support service for employees.  The theme for this POP was “upscale” so our chefs had to come up with a 4-course tasting menu, complete with amuse bouche tasting shooters, a seafood, meat or vegan entrée, side dishes, and dessert! Employees loved the creativity behind it, and really enjoyed selecting their food choices.

You may have heard that Cisco loves celebrating diversity. Now you know that Cisconians also come to work knowing that their company celebrates that diversity – even as they sit down to lunch. Here at the Cisco cafes, we think there is no better way to celebrate the richness of culture and community than to taste it.


Are you ready to order up the Cisco Life and join us? We’re hiring! Apply Now.


Authors

Amanda Filingeri

Marketing Manager, Dining @ Cisco

Services – Food & Beverage


Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between October 6 and October 13. As with previous round-ups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.


Authors

Talos Group

Talos Security Intelligence & Research Group


You know what they say: Time is money. That’s especially true in the fast-paced financial services industry, where powerful new digital solutions are quickly transforming the field — separating innovative early adopters from those firms lagging behind. Consider the findings from the recent survey report, “The Path to Digital Leadership,” from the experts at Roubini Thoughtlab: Leading finserv companies that have undergone an advanced digital transformation are seeing an 8.6% increase in revenue, an 11.3% rise in productivity, and a 6.3% improvement in market share. Those that haven’t stand to lose $79 million per billion in revenue each year.


If you haven’t started on your own transformation yet, it’s not too late to make a change — so long as you act now. But what does it take to get on the path to becoming a digital leader in the financial services industry by the year 2022?


Join in on our next #CiscoChat, Tuesday, October 17, at 1 p.m. EST.


The chat will be moderated by Financial Services Marketing Manager D’Auria Henry on the Cisco Financial Services Industry Twitter account (@CiscoFSI). D’Auria will be joined by Roubini ThoughtLab CEO and Founder Louis Celi (@Rthoughtlab) and Cisco Banking Portfolio Manager Danny Vicente (@Danny_vicente77). In the chat, Lou, Danny, and D’Auria will take a finserv-focused look at digital transformations and the investments they require.

To participate in the chat:

  • Make sure you’re logged into your Twitter account.
  • Search for the #CiscoChat hashtag and click on the “Latest” tab.
  • Follow the moderator’s account to participate. The Twitter chat will be moderated from the Cisco Financial Services Industry Twitter account (@CiscoFSI), which will begin welcoming guests at 1 p.m. EST (10 a.m. PST) and posting questions for discussion.
  • If you need multiple tweets to answer a question, preface each tweet with “1A,” “2A,” etc. in order to make it easier for others to follow along with the conversation.
  • Be sure to use the #CiscoChat hashtag at the end of each tweet, so that others can find your contributions to the discussion.


Got any questions for the group? Ask away during the #CiscoChat. We look forward to tweeting with you!

Authors

Danny Vicente

No Longer at Cisco


Hello and Happy Friday the 13th!

The Team (Nasser and Nagaraja) is back in town after a fun week in Austin for Spiceworld 2017. They got the opportunity to spend time with the Spiceheads as we showed off our product and of course, FindIT. Our Cisco Social Media Team was there to Facebook Live two of the FindIT Demonstrations. So here you go. Nasser and Nag are halfway to stardom!

We were showing our products like the Cisco Small Business RV130W and WAP125, which are perfect for a small home office or business, and the WAP581, which offers 802.11ac Wave 2. This particular model can take advantage of Mgig and link aggregation. Look for news on some new Mgig switches.

Also pictured here are the new Cisco 2960L Switch and Aironet 1815.

https://www.facebook.com/CiscoBusiness/videos/10154730165531852/

Stay tuned for more information and updates, so please bookmark this page!

Here are some links to our Social Media channels:

https://www.facebook.com/CiscoBusiness/

https://www.instagram.com/ciscobusiness/

https://twitter.com/CiscoSmallBiz/

Have a great weekend. From Nag, Nasser and the rest of the Cisco Small Business Team, I’ll see you here later!

Marc

Authors

Marc Nagao

Product Manager

Small Business RV Series Routers