Cisco Becomes The Weakest Link In National Infrastructure Security
By BreakingPoint Labs Blog, 2009-09-28 at 20:42:48
Last week Cisco released patches in their semi-annual security announcement. The publication includes 11 advisories that address 12 individual vulnerabilities. Ten of the advisories address vulnerabilities in Cisco IOS and one advisory addresses a vulnerability in Cisco Unified Communications Manager. Together these can affect not only routers and switches that use the Cisco Unified Communications Manager, but any device relying on the Cisco IOS operating system. To put it bluntly, this means a ton of devices critical to any network, and these vulnerabilities leave businesses and government agencies exposed to a barrage of attacks, including denial-of-service (DDoS) or policy bypass.

Much has been written about the announcement of the vulnerabilities. However, details are lacking and there are more questions than answers. This lack of information leads me to believe Cisco does not take security seriously and continues to not know how to work with the security community. Considering the lack of details and opinions, I thought I would provide a few of my own.

1. Twice A Year Is Not Enough
-----------------------------

The number of vulnerabilities patched by Cisco is not the issue. It is the potential danger these vulnerabilities pose. One of the IOS vulnerabilities allows unauthenticated attackers to bypass access control policies when the Object Groups for Access Control Lists (ACLs) feature is used. Your company is most likely protecting your critical components by leveraging ACLs; now imagine they are no longer in place. The human resources database with all that W-2 information? Hackers now have your salary, your direct deposit account, your medical history and of course your social security number. To make matters worse, replace that HR database with our government's nuclear secrets; don't you think Iran is aware of the Cisco vulnerabilities?

Scary stuff, for sure, but how long has the vulnerability been around and recognized? The answer is unknown. The only fact we have is that each of these eleven vulnerabilities may have been around for at least six months. That is an eternity in the security space and has given hackers too much time to walk in through an open door.

Microsoft is often a punching bag when it comes to vulnerabilities and it is sometimes warranted, but let's be honest, they do a good job of patching issues on a regular basis. You know that you are going to get a patch each month and important details that help you make an informed security decision. Cisco should examine their patching schedule in light of the September 24th announcement; every six months is not acceptable.

2. Updating Routers and Switches is Now Critical
------------------------------------------------

You can never diminish the importance of a switch or router to your network infrastructure. They are the core of any network, whether it's a home, a large Enterprise or the Federal Government. If one fails, you know it. However, if one lets people through due to a hack, do you know it? While everyone remembers to patch their Mac or Windows laptop, how often do they patch the router, firewall or switch?

To see how up-to-date folks are with their Cisco firmware I ran a quick test. During a 1-hour scan of the Internet I found 420 responding systems and NONE were patched with any fixes from this cycle or the last. That means 420 systems, at a minimum, are susceptible to a year's worth of vulnerabilities.

Microsoft had enough of people not patching and now they force feed it. While I'm not a fan of that solution, it does work. Cisco needs to apply the same method to their products. It is irresponsible for Cisco to run their business in a way that could cause mass disruption to critical network infrastructures, including government and military services.

Cisco is not the only one to blame in this mess; the people responsible for getting their routers, switches and other network equipment up-to-date also must be held accountable. How many of you updated with the patches on September 24th, the day of the announcement? The quick scan I did is telling me not many. Kelly Jackson Higgins of Dark Reading put it best: "The dirty little secret about patching routers is that many enterprises don't bother for fear of the fallout any changes to their Cisco router software could have on the rest of the infrastructure."

3. Testing, Testing, Testing
----------------------------

In this case we have a great example of why every network device needs to be realistically tested under a variety of scenarios, both security and performance driven. Obviously, testing must occur at the NEMs level throughout the product lifecycle, but the enterprise must also test this equipment before it is deployed and after updates like these are made. Having the ability to quickly test equipment and the network after making updates is critical. There is no room for excuses anymore.

We have been able to become more adept at updating and testing equipment and software that are given more regular patches. Just look at how Microsoft Tuesday has become a habit. Other vendors have realized that this approach, ultimately, is better for everyone. I would encourage manufacturers of any network equipment to do the same.

The reason this is important is that the United States is currently fighting in two wars, heavily dependent on network technologies. The Department of Defense and other military agencies have concluded that the next major war will be waged, in great part, in cyberspace. If Cisco and other vendors guilty of the same security concerns do not get their act together, it will be a war we cannot win. Until March 24, 2010, when the next Cisco bulletin is due.