Cisco Blogs

Creating an Intelligence-Led Security Organization

I recently had the opportunity to sit down with Roland Cloutier, Global Chief Security Officer at ADP and former CISO at EMC, to discuss how ADP integrates threat intelligence into its security operations centers and its wider security technology infrastructure. It’s pretty rare for the CISO of an F500 company to discuss the technologies they use in such an open way; it was really a testament to the trust they have in the solutions they have chosen. To hear Roland discuss it himself, watch the video at the end of this post or read the case study.

ADP has created a much more proactive, and dare I say “predictive,” security program than most. They consume threat intelligence from numerous sources, including AMP Threat Grid, to create what Roland dubbed ‘intelligence-led decision making.’ How is this different from what most organizations do today? Most security organizations, whether it’s analysts in the Security Operations Center (SOC) or the <<other group>>, tend to operate in a very reactive mode. They see an alert pop up on screen and start to scramble. It’s tough to get ahead of the game when the technology you’ve invested in is purely reactive. Roland and his team have spent the time to develop and execute a strategy that flips this model and puts them in a very proactive position. So how have they done this? A few key elements:


Vulnerability Spotlight: Total Commander FileInfo Plugin Denial of Service

Talos is releasing an advisory for multiple vulnerabilities that have been found within the Total Commander FileInfo Plugin. These vulnerabilities are local denial of service flaws and have been assigned CVE-2015-2869. In accordance with our Vendor Vulnerability Reporting and Disclosure policy, these vulnerabilities have been disclosed to the plugin author(s) and CERT.  This post serves as a summary of the advisory.

Credit for these discoveries belongs to Marcin Noga of Talos.

TALOS-2015-024/CVE-2015-2869

An attacker who controls the content of a COFF Archive Library (.lib) file can cause an out-of-bounds read by specifying overly large values for the ‘Size’ field of the Archive Member Header or the “Number Of Symbols” field in the 1st Linker Member. The second half of the vulnerability concerns Linear Executable files: an attacker who controls the content of an LE file can cause an out-of-bounds read by specifying overly large values for the “Resource Table Count” field of the LE Header or the “Object” field at offset 0x8 from a “Resource Table Entry”. In both cases the plugin uses a length or count read from the file to index into the file without first checking it against the file’s actual size. An attacker who successfully exploits this vulnerability can cause the Total Commander application to unexpectedly terminate.

These vulnerabilities have been tested against FileInfo 2.21 and FileInfo 2.22.
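Both halves of the advisory are the same parsing mistake: a length or count read from the file (Size in the Archive Member Header, Number Of Symbols in the 1st Linker Member, and likewise the LE Resource Table Count) is used to walk the file before it is checked against the file’s real length. The C program below is an added example, not Talos’s proof of concept and not the plugin’s own code, showing what the two missing checks look like for the COFF archive half. `build_lib` and `check_lib` exist only to construct in-memory test archives; the byte layouts follow the PE/COFF archive format (60-byte ASCII member header, big-endian symbol count).

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define AR_MAGIC    "!<arch>\n"
#define AR_HDR_SIZE 60

/* COFF archive (.lib) member header exactly as laid out on disk: every
 * field is ASCII, so the struct has no padding and is 60 bytes. */
struct ar_hdr {
    char name[16];   /* "/" padded with spaces for the 1st linker member */
    char date[12];
    char uid[6];
    char gid[6];
    char mode[8];
    char size[10];   /* decimal byte count of the member data */
    char fmag[2];    /* always "`\n" */
};

/* Parse the decimal Size field (digits then space padding). 1 on success. */
static int parse_ar_size(const char *field, size_t *out)
{
    char buf[11], *end;
    memcpy(buf, field, 10);
    buf[10] = '\0';
    errno = 0;
    unsigned long long v = strtoull(buf, &end, 10);
    if (end == buf || errno != 0)
        return 0;
    for (; *end; end++)               /* only space padding may follow */
        if (*end != ' ')
            return 0;
    if (v > SIZE_MAX)
        return 0;
    *out = (size_t)v;
    return 1;
}

/* Hardened reader. Returns Number Of Symbols from the 1st linker member,
 * or -1 if any header field would take the parser outside `buf`. */
long lib_first_linker_symbol_count(const uint8_t *buf, size_t len)
{
    if (len < 8 || memcmp(buf, AR_MAGIC, 8) != 0)
        return -1;
    size_t off = 8;
    if (len - off < AR_HDR_SIZE)
        return -1;
    const struct ar_hdr *h = (const struct ar_hdr *)(buf + off);
    if (memcmp(h->fmag, "`\n", 2) != 0 || h->name[0] != '/' || h->name[1] != ' ')
        return -1;
    size_t size;
    if (!parse_ar_size(h->size, &size))
        return -1;
    off += AR_HDR_SIZE;
    /* Check 1: the declared member must lie inside the file. Trusting
     * Size here is the first out-of-bounds read in the advisory. */
    if (size > len - off || size < 4)
        return -1;
    const uint8_t *m = buf + off;
    uint32_t nsym = (uint32_t)m[0] << 24 | (uint32_t)m[1] << 16 |
                    (uint32_t)m[2] << 8  | (uint32_t)m[3];     /* big-endian */
    /* Check 2: the offset table (4 bytes per symbol) must fit in the member.
     * Trusting Number Of Symbols is the second read in the advisory. */
    if (nsym > (size - 4) / 4)
        return -1;
    return (long)nsym;
}

/* Constructed test data, not a real library: magic, one 1st-linker-member
 * header, then the symbol count and `nsym_actual` zero offsets. The caller
 * may lie in the headers; declared_size < 0 writes the true member size. */
size_t build_lib(uint8_t *out, size_t cap, uint32_t nsym_declared,
                 uint32_t nsym_actual, long long declared_size)
{
    size_t member = 4 + (size_t)nsym_actual * 4;
    size_t total  = 8 + AR_HDR_SIZE + member;
    char hdr[AR_HDR_SIZE + 1];
    if (total > cap)
        return 0;
    memcpy(out, AR_MAGIC, 8);
    snprintf(hdr, sizeof hdr, "%-16s%-12s%-6s%-6s%-8s%-10lld`\n",
             "/", "0", "0", "0", "0",
             declared_size < 0 ? (long long)member : declared_size);
    memcpy(out + 8, hdr, AR_HDR_SIZE);
    uint8_t *m = out + 8 + AR_HDR_SIZE;
    m[0] = (uint8_t)(nsym_declared >> 24); m[1] = (uint8_t)(nsym_declared >> 16);
    m[2] = (uint8_t)(nsym_declared >> 8);  m[3] = (uint8_t)nsym_declared;
    memset(m + 4, 0, member - 4);
    return total;
}

/* Build one archive with the given header values and parse it. */
long check_lib(uint32_t nsym_declared, uint32_t nsym_actual, long long declared_size)
{
    uint8_t buf[256];
    size_t n = build_lib(buf, sizeof buf, nsym_declared, nsym_actual, declared_size);
    return n ? lib_first_linker_symbol_count(buf, n) : -1;
}

int main(void)
{
    printf("well-formed, 3 symbols       -> %ld\n", check_lib(3, 3, -1));
    printf("Size field claims 4000000000 -> %ld\n", check_lib(3, 3, 4000000000LL));
    printf("Number Of Symbols 0xFFFFFFFF -> %ld\n", check_lib(0xFFFFFFFFu, 3, -1));
    return 0;
}
```

The two rejected inputs are the shapes the advisory describes: a Size field larger than what remains of the file, and a Number Of Symbols whose offset table could never fit in the member. The LE half needs the same discipline, with Resource Table Count bounded by the bytes remaining after the LE header and each entry’s Object index bounded by the object table size, before either is used as an index.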

Product URL

http://www.totalcmd.net/plugring/fileinfo.html

Finding and disclosing zero-day vulnerabilities responsibly helps improve the overall security of the devices and software people use on a day-to-day basis.  Talos is committed to this effort via developing programmatic ways to identify problems or flaws that could be otherwise exploited by malicious attackers. These developments help secure the platforms and software customers use and also help provide insight into how Cisco can improve its own processes to develop better products.

For further zero day or vulnerability reports and information visit:
http://talosintel.com/vulnerability-reports/


Top 5 Success Factors for Cybersecurity Management Programs

Several years ago, an employee at an organization I worked for was terminated from his job, effective immediately. While being escorted from the facility, this user picked up “his” backup media and started to leave the building. Fortunately, the security guards thought this was a little suspicious and escorted the user to the data center to ask whether this was permitted. They learned it wasn’t, and the user challenged the company’s right to confiscate “his” backup media. In this case, the company had the foresight to implement an early version of a cybersecurity management program (CMP) backed by a CEO-endorsed cybersecurity policy. This program contained a simple, mostly overlooked clause in the user account agreement that assigned ownership of all data created or stored on media written by company computers, and of the media itself, to the company without reservation. Since the user had signed this user account agreement, he had given up all rights to the media and its contents. The company retained the media and the former employee was summarily escorted off the premises. The backup media contained some of the company’s latest designs, which he was attempting to steal. Without their CMP, the company could have been exposed to serious financial risk and potential reputational damage.

AMP Threat Grid Integrated with Email Security

We recently announced the release of AsyncOS 9.5 for Cisco Email Security that included the integration of AMP Threat Grid. Now if Threat Grid could talk it would sound a lot like Ron Burgundy and say “I’m not sure if you know this, but I’m kind of a big deal.” Email is consistently one of the top two threat vectors for malware because so many people out there still open an attachment that looks harmless from someone they don’t know. We all want to think we won a cruise, but that’s not how it works. It’s how malware establishes a foothold on your system. AMP Threat Grid is there to make sure this doesn’t happen.

Cisco acquired Threat Grid not only to bolster its suite of advanced threat solutions, but also to integrate the technology into its advanced malware protection (AMP) products. AMP Threat Grid goes far beyond traditional sandboxing, providing a host of analytical engines to evaluate potential malware. From static and dynamic analysis to various post-processing techniques, AMP Threat Grid evaluates malware to provide a report comprehensive enough for even the most junior security analyst. This video provides a more complete overview. Those familiar with Cisco’s Email Security know we already had a sandbox built in and may ask ‘Why change?’, and that’s exactly the question you should ask. There are really three key reasons:


Microsoft Patch Tuesday – July 2015

Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. This month’s release sees a total of 14 bulletins being released which address 57 CVEs. Four of the bulletins are listed as Critical and address vulnerabilities in Windows Server Hyper-V, VBScript Scripting Engine, Remote Desktop Protocol (RDP) and Internet Explorer. The remaining ten bulletins are marked as Important and address vulnerabilities in SQL Server, Windows DCOM RPC, NETLOGON, Windows Graphic Component, Windows Kernel Mode Driver, Microsoft Office, Windows Installer, Windows, and OLE.
