gfortaine at live.com
Sat Mar 20 15:06:25 CDT 2010
> If I was such a clever 15 year old I would go to Google and enter
> "contacting cisco ios security"
> which would lead me to ->
> which would lead me to ->
> Same exercise can be repeated for most vendors you can choose.
I would counter-argue by quoting this article:
Cisco Becomes The Weakest Link In National Infrastructure Security
Last week Cisco released patches in their semi-annual security
announcement. The publication includes 11 advisories that address 12
individual vulnerabilities. Ten of the advisories address
vulnerabilities in Cisco IOS and one advisory addresses a vulnerability
in Cisco Unified Communications Manager. Together these can affect
routers and switches that not only use the Cisco Unified Communications
Manager, but any device relying on the Cisco IOS operating system. To
put it bluntly, this means a ton of devices critical to any network, and
these vulnerabilities leave businesses and government agencies exposed
to a barrage of attacks including denial-of-service (DDoS) or policy bypass.
Much has been written about the announcement of the vulnerabilities.
However, details are lacking and there are more questions than answers.
This lack of information leads me to believe Cisco does not take
security seriously and continues to not know how to work with the
security community. Considering the lack of details and opinions, I
thought I would provide a few of my own.
1) Twice A Year Is Not Enough
The number of vulnerabilities patched by Cisco is not the issue. It is
the potential danger these vulnerabilities pose. One of the IOS
vulnerabilities allows unauthenticated attackers to bypass access
control policies when the “Object Groups for Access Control Lists
(ACLs)” feature is used. Your company is most likely protecting your
critical components by leveraging ACLs; now imagine they are no longer
in place. The human resources database with all that W-2 information?
Hackers now have your salary, your direct deposit account, your medical
history and of course your social security number. To make matters
worse, replace that HR database with our government’s nuclear secrets;
don’t you think Iran is aware of the Cisco vulnerabilities?
Scary stuff, for sure, but how long has the vulnerability been around
and recognized? The answer is unknown. The only fact we have is that
each of these eleven vulnerabilities may have been around for at least
six months. That is an eternity in the security space and has given
hackers too much time to walk in through an open door.
Microsoft is often a punching bag when it comes to vulnerabilities and
it is sometimes warranted, but let’s be honest, the company does a good
job of patching issues on a regular basis. With Microsoft, you know that
you are going to get a patch each month and important details that help
you make an informed security decision. Cisco should examine its
patching schedule in light of the September 24th announcement; every six
months is not acceptable.
2) Updating Routers and Switches is Now Critical
You can never diminish the importance of a switch or router to your
network infrastructure. They are the core to any network whether in a
home, a large Enterprise or the Federal Government. If one fails you
know it. However, if a vulnerability lets people through due to a hack,
do you know it? While everyone remembers to patch their Mac or Windows
laptop, how often do they patch the router, firewall or switch?
To see how up-to-date folks are with their Cisco firmware I ran a quick
test. During a 1-hour scan of the Internet I found 420 responding
systems and NONE were patched with any fixes from this cycle or the
last. That means 420 systems, at a minimum, are susceptible to a year's
worth of vulnerabilities.
Microsoft had enough of people not patching and now it force feeds the
patches. While I’m not a fan of that solution, it does work. Cisco needs
to apply the same method to its products. It is irresponsible for Cisco
to run its business in a way that could cause mass disruption to
critical network infrastructures including government and military services.
Cisco is not the only one to blame in this mess, the people responsible
for getting their routers, switches and other network equipment
up-to-date also must be held accountable. How many of you updated with
the patches on September 24th, the day of the announcement? The quick
scan I did is telling me not many. Kelly Jackson Higgins of Dark Reading
put it best, “The dirty little secret about patching routers is that
many enterprises don't bother for fear of the fallout any changes to
their Cisco router software could have on the rest of the infrastructure.”
3) Testing, Testing, Testing
In this case we have a great example of why every network device needs
to be realistically tested under a variety of scenarios, both security
and performance driven. Obviously, testing must occur at the NEMs level
throughout the product lifecycle, but the enterprise must also test this
equipment before it is deployed and after updates like these are made.
Having the ability to quickly test equipment and the network after
making updates is critical.
There is no room for excuses anymore. We have been able to become more
adept at updating and testing equipment and software that are given more
regular patches. Just look at how Microsoft Tuesday has become a habit.
Other vendors have realized that this approach, ultimately, is better
for everyone. I would encourage manufacturers of any network equipment
to do the same.
The reason this is important is because the United States is currently
fighting in two wars, heavily dependent on network technologies. The
Department of Defense and other military agencies have concluded that
the next major war will be waged, in great part, in cyberspace. If Cisco
and other vendors guilty of the same security concerns do not get their
act together it will be a war we cannot win.
Until March 24, 2010, when the next Cisco bulletin is due.