GRC-106 RISK MANAGEMENT
HT1-106 ADVANCED PERSISTENT THREATS
HOT-106 JOINING FORCES; PUBLIC-PRIVATE
PNG-106 GOOD SECURITY ON A GIVERNMENT BUDGET?
SECT-106 GIVE ME MY CLOUD BACK: PANEL DISCUSSION OF DATA PRIVACY CONCERNS
SP01-106: OPTIMIZING SECURITY FOR SITUATIONAL AWARENESS
STAR-106: FIREWALLS: SECURITY, ACCESS, THE CLOUD — PAST, PRESENT AND FUTURE
TECH-106: REVOCATION CHECKING FOR DIGITAL CERTIFICATES
DAS-107: THE FIRST 24
GRC-107: TAKING INFORMATION SECURITY RISK MANAGEMENT BEYOND SMOKE & MIRRORS
EXP-107: NEW THREATS TO THE INTERNET
TECH-107: STOP THE MALESTROM: USING ENDPOINT SENSOR DATA IN A SIEM TO ISOLATE THREATS
STAR-108: COMBATING ADVANCED PERSISTENT THREATS (APTS)
HT1-201: CYBER WAR: YOU’RE DOING IT WRONG!
HT2-201: THAT DOESN’T ACTUALLY WORK
EXP-201: CYBER BATTLEFIELD: THE FUTURE OF CONFLICT
PNG-201: SECURE THE SMART GRID
GRC-202: ADVERSARY ROI
PNG-202: NSA’S SECURE MOBILITY STRATEGY
STAR-202: CAN WE RECONSTRUCT HOW IDENTITY IS MANAGED ON THE INTERNET?
TECH-202: DEPLOYING IPV6 SECURELY
TECH-203: BUILDING A SECURITY OPERATIONS CENTER (SOC)
HT2-204: LIVE FORENSICS OF A MALWARE INFECTION
EXP-204: THE ROLE OF SECURITY IN COMPANY 2.0
P2P-201C: EVALUATING GARTNER
HT1-301: CODE RED TO ZBOT
SP01-301: MANAGING ADVANCED SECURITY PROBLEMS USING BIG DATA ANALYTICS
EXP-302: HACKING EXPOSED: EMBEDDED — THE DARK WORLD OF TINY SYSTEMS AND BIG HACKS
HT1-303: MODERN CYBER GANGS: WELL-ORGANIZED, WELL-PROTECTED, AND A SMART ADVERSARY
MBS-303: SECURING THE MOBILE DEVICE
PNG-303: CYBER INCIDENTS CENTERS
SECT-303: MAKING WORLD CLASS CLOUD SECURITY THE RULE
TECH-303: SECURITY DATA DELUGE — ZIONS BANK’S HADOOP BASED SECURITY DATA WAREHOUSE
GRC-304: COLLECTIVE DEFENSE: HOW THE DEFENDERS CAN PLAY TO WIN
EXP-304: GRILLING CLOUDICORNS
AST2-401: GETTING YOUR SESSION PROPOSAL ACCEPTED
LAW-401: FRAUD AND DATA EXFILTRATION
TECH-401: SCADA AND ICS SECURITY IN A POST-STUXNET WORLD
HT1-402: THE THREE MYTHS OF CYBERWAR
MBS-402: IOS SECURITY INTERNALS
EXP-402: ZERO DAY: A NON-FICTION VIEW
HT1-403: ESTIMATING THE LIKELIHOOD OF CYBER ATTACKS WHEN THERE’S “INSUFFICIENT DATA”

“These cybercapabilities are still like the Ferrari that you keep in the garage and only take out for the big race and not just for a run around town, unless nothing else can get you there,” said one Obama administration official briefed on the discussions.

“They were seriously considered because they could cripple Libya’s air defense and lower the risk to pilots, but it just didn’t pan out,” said a senior Defense Department official.

Why did they decide not to leverage the attacks? Not because they would not be effective. In fact, the sources in the article acknowledge that it might have reduced the risk to U.S. forces. Instead, from the article we learn, “‘We don’t want to be the ones who break the glass on this new kind of warfare,’ said James Andrew Lewis, a senior fellow at the Center for Strategic and International Studies.” So essentially the worry is once the U.S. starts leveraging cyberwarfare it invites others to do the same. The article, by Eric Schmitt and Thom Shanker, did a great job of explaining some of the trade-offs with cyberwarfare and also how hard these sorts of attacks can be to execute. From a cybersecurity perspective, there are several things to consider.

First, the evidence now seems overwhelming that any country with sufficient resources (to say nothing of non-state actors) is actively researching techniques for cyber attacks against their targets of interest. Whether you consider Stuxnet (which this article suggests American-Israeli cooperation in launching that attack) or the recent Wired article on the drone fleet infection that I previously referenced, it seems clear that major governments have paid operatives figuring out how to break into networks.

Second, I am concerned with what this means for responsible disclosure. Gone are the halcyon days, if indeed they ever existed, of a vulnerability being discovered by an intrepid researcher and responsibly disclosed to the CERT. We’re far beyond debates about whether disclosing a zero-day on bugtraq is ethical or not. It seems quite likely, though this is clearly conjecture on my part, that zero-days are being stockpiled by governments around the world against commercial software, embedded digital control systems, and everything in-between.

The question is, from a policy perspective how is this treated by the organization that discovers it? Clearly weaponizing a vulnerability is an advantage to the entity that discovers it, but if the vulnerability is in commercial software, how do you protect yourself without telling the vendor about the issue to get a fix (and thus losing the advantage of your discovery)? It would be like conventional warfare where everyone was using the same exact tanks. Imagine a mechanic discovering a hard to exploit weakness in the armor, but the only way to fix it would be to get the parts supplier to offer the fix for everyone. What do you do: protect your own troops (and everyone else’s) by disclosing the weakness to the supplier or hope the other side hasn’t discovered it yet and use it to your own advantage?

This spills over into all sorts of questions about who has the advantage in this new arms race and what role commercial security tools play in the defense against or execution of, cyberattacks. I’m just beginning to think seriously about this space and I expect the answers to these, and a host of other questions won’t come quickly or definitively.

When I returned to Cisco in the fall of 2008 I was asked to look into a trend that had troubled many folks: known at the time as “deperimeterization.” The Jericho Forum had coined the term and it struck fear into the hearts of many in the network security industry as it spelled a potential end to rich network security services and pointed towards a world of open and insecure networks interconnecting smart endpoints with security only at the application level.

My investigation into deperimeterization quickly expanded into a look at four interconnected trends: desktop virtualization, software-as-a-service, cloud computing, and IT consumerization. In the 18 months since my initial research these trends have gone from niche issues among a small group of strategists to mainstream concerns that need no explanation.

And what of deperimeterization? Cisco determined that the trend was real but instead of pointing towards open and dumb networks it actually pointed to even more sophisticated networks to enable the interconnection of the myriad devices that need to connect and collaborate. What are these devices’ sole point of commonality? Not their OS; Microsoft’s hegemony on the endpoint will continue to wane as traditional desktop PCs give way to a variety of different computing devices focused on all sorts of vertical applications and use cases. This new crop of devices will run different hardware, software, and not all devices will even have a human operator.

The only thing these devices have in common is that all will have a TCP/IP stack and will make use of a common network. This makes the network the natural architectural choice for the delivery of services across this diverse set of endpoints. Cisco has marshaled enormous resources behind this trend and has named it Borderless Networks. There is much more to say about all of this but I figured Cisco Live is as good a place as any to start the conversation.

While security best practices don’t change quickly, we wrote the original SAFE back in 2000 and a lot has happened since then. Many of the foundation best practices remain very relevant but there are some new tools and techniques that can help protect networks against today’s threats.

My biggest complaint is that in an article entitled, “Do We Need a New Internet?,” the absence of quotes from anyone who would answer that question, “No” is irresponsible, even for an op-ed. “Starting over” is a very naive perspective in the engineering of in-production systems. I’ve been in meetings throughout my career where someone in the room said, “If only we started over.” That is a tantalizing thought, but ultimately impossible in the real world.