This week, Cisco provided comments on the Department of Commerce’s Bureau of Industry and Security (BIS) proposed cybersecurity regulations. These comments reflect the realities of how Cisco looks to protect both our customers and our products. They also emphasize the critical role that security researches, access to tools, and qualified talent have in cybersecurity.
Cisco has hundreds of dedicated security engineers and researchers throughout the company and around the globe, who use the latest and greatest tools and techniques to test our technology. We proactively attempt to break into our own products, our own services, and our own networks, in order to close identified weaknesses and vulnerabilities as soon as possible and to develop better protections against attack. Many of these same people are responsible for investigating reported vulnerabilities or compromises of our products and running these reports to ground with absolute certainty. In doing this, we have resolved countless bugs and vulnerabilities and continue to improve the security of our products with what we learn. Along the way we have discovered many interesting and creative adversaries and certainly learned that there are some very resourceful people out there. Read More »
Tags: penetration testing, Secure Development Lifecycle, security, trustworthy systems, Vulnerability Research
Today, Cisco filed comments on a Proposed Rule published by the Department of Commerce’s Bureau of Industry and Security (BIS) in an effort to comply with an international agreement called the Wassenaar Arrangement. The proposal would regulate a wide array of technologies used in security research as controlled exports, in the same manner as if they were munitions. Cisco, along with many other stakeholders in the cybersecurity research field, has identified a number of significant concerns that we believe require BIS to revisit the text of the Proposed Rule.
BIS’ focus on limiting the cross-border trafficking of weaponized software is well-intentioned, but the current text would cause significant unintended consequences that must be addressed in a revised draft of the Proposed Rule. If implemented in its current form, the Proposed Rule would present significant challenges for security firms that leverage cross border teams, vulnerability research, information sharing, and penetration testing tools to secure global networks, including Cisco. The result would be to negatively impact—rather than to improve—the state of cybersecurity.
The goal of regulating the export of weaponized software is understandable. However, many of the same techniques used by attackers are important to developers testing their defenses and developing new effective responses. Cisco needs access to the very tools and techniques that attackers use if we have any hope of maintaining the security of our products and services throughout their anticipated lifecycles. The development of new export control requirements must, therefore, be done carefully and based upon the needs of legitimate security researchers. Otherwise, we will leave network operators blind to the attacks that may be circulating in the criminal underground—and ultimately blind to the very weaponized software that the proposed rule intends to constrain.
The requirements in the Proposed Rule are far broader than necessary to address BIS’ stated intent—controlling the export of weaponized software. We look forward to working with the Department of Commerce to ensure that the goals of the proposal can be met in a manner that is technology neutral, narrowly tailored to the actual risks faced by the nation, and reflective of the needs of legitimate security researchers seeking to protect the information technologies upon which we increasingly rely.
We look forward to continuing the conversation.
Tags: Intrusion Detection System, penetration testing, security, Vulnerability Research
Cisco’s Advanced Services has been performing penetration tests for our customers since the acquisition of the Wheel Group in 1998. We call them Security Posture Assessments, or SPA for short, and I’ve been pen testing for just about as long. I’ll let you in on a little secret about penetration testing: it gets messy!
During our typical assessments we may analyze anywhere between 2,000 and 10,000 hosts for vulnerabilities, perform various exploitation methods such as account enumeration and password attempts, buffer/stack overflows, administrative bypasses, and others. We then have to collect and document our results within the one or two weeks we are on site and prepare a report.
How can anyone keep track of all this data, let alone work together as a team? Are you sure you really found the holy grail of customer data and adequately documented it? What if you’re writing the report but you weren’t the one who did the exploit? Read More »
Tags: Cisco Security, exploits, pen testing, penetration testing, security
Security professionals are planners by nature. Our industry expects planning, legal and standards compliance requires it, and we drive ourselves toward it. However, the best plans fall out of date quickly. And as the adage commonly paraphrased as “no plan survives contact with the enemy” states, even properly maintained, up-to-date, and well-thought-out plans may fall apart during an incident.
What’s the remedy? We certainly shouldn’t throw out our plans. Instead, we should test and adjust our plans so that when the real enemy shows up, we might have a plan that survives, at least from a broad perspective. In short: security professional, hack thyself!
Read More »
Tags: penetration testing, security
Tell me if this sounds familiar… you are asked to perform a penetration test on customer’s network to determine the security posture of their assets and the first thing they do is give you a list of assets that you are NOT allowed to test, because they are critical systems to the business. Ironic isn’t it? This is exactly the difficulty you can expect when performing penetration testing in the cloud, but multiplied by ten.
There is a lot to think about and plan for when you want to perform a penetration test in a cloud service provider’s (CSP) network. Before we get into the technical details, we need to start with the basics.
Read More »
Tags: cloud, Cloud Computing, cloud security, penetration testing, vulnerability assessment