Close
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    Cisco Redefines How It Manages, Communicates Security Issues

    By
    Sean Michael Kerner
    -
    October 5, 2015
    Share
    Facebook
    Twitter
    Linkedin
      security management

      Finding and fixing flaws is one challenge, while effectively communicating security updates and risks to users is quite another. It’s a lesson that networking giant Cisco Systems is taking to heart, as it is redefining how it manages and communicates security issues from the Cisco Product Security Incident Response Team (PSIRT).

      The new PSIRT efforts involve Cisco making security information more transparent and valuable to users. The PSIRT communications overhaul follows several weeks after Cisco customers were impacted by an attack known as SYNful Knock, which security firm FireEye reported. Though from a timing perspective, the update to PSIRT is close to the SYNful Knock incident, Cisco claims the two are unrelated.

      “We’ve been talking about this with our customers for several months,” Omar Santos, principal engineer of Cisco PSIRT Security Research and Operations, told eWEEK.

      Cisco is positioning the PSIRT overhaul as a streamlining of how the company communicates vulnerability information. Part of the new PSIRT communication is a Security Impact Rating (SIR) that is now being attached to vulnerability disclosure information.

      “SIR is a simplified way to categorize vulnerabilities based on a CVSS score, and it will be highly visible on the disclosure landing page,” Santos said.

      The Common Vulnerabilities Scoring System (CVSS) is a standardized way of providing a numerical value for the severity of a given vulnerability. Santos explained that with the updated PSIRT disclosures, instead of complicated numerical metrics, the SIR will clearly define for users a rating of critical, high, medium or low.

      “It also provides a more accurate and easy representation of risk in the event that there are additional factors not properly captured in the CVSS score,” Santos said.

      As part of looking at vulnerability risk, Santos commented that each advisory continues to have a section called Exploitation and Public Announcements, where Cisco PSIRT documents the exploitability of vulnerabilities.

      “We’ve also added a new section called Indicators of Compromise to advise customers on what to watch for as evidence of an intrusion,” Santos said.

      Cisco is planning to offer an API that will enable customers to directly consume and integrate product vulnerability information. Santos explained that Cisco will follow best practices for the security of the API and will have API keys to identify users.

      “Only the GET HTTP verb will be supported, meaning users will only be able to obtain information from the API and cannot push any notifications, change information or compromise the integrity of what Cisco has published,” Santos said.

      One thing that Cisco is not adding as part of its security disclosure revamp is any sort of formal bug-bounty program. Multiple reports and vendors have found great value in bug-bounty programs as a way to rapidly tap into the community of third-party security researchers.

      “Cisco’s general philosophy is not to pay for bug or vulnerability reports, primarily because we’ve had great success engaging directly with customers and the research community,” Santos said.

      While Cisco doesn’t actually pay researchers for bug reports, Santos noted that Cisco always thanks security researchers who report product vulnerabilities, unless they request not to be acknowledged publicly. At a core level, Cisco isn’t investing in bug-bounty programs because the company is continuing to invest in its own teams to break products down, find vulnerabilities and fix them.

      “For a large organization whose technology poses significant barriers to entry for the research community, we see this investment as the best way to spend our dollars,” Santos said. “Building this type of core competency is an important part of any active secure development lifecycle.”

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

      Sean Michael Kerner
      Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.

      MOST POPULAR ARTICLES

      Cybersecurity

      Visa’s Michael Jabbara on Cybersecurity and Digital...

      James Maguire - May 17, 2022 0
      I spoke with Michael Jabbara, VP and Global Head of Fraud Services at Visa, about the cybersecurity technology used to ensure the safe transfer...
      Read more
      Cloud

      Yotascale CEO Asim Razzaq on Controlling Multicloud...

      James Maguire - May 5, 2022 0
      Asim Razzaq, CEO of Yotascale, provides guidance on understanding—and containing—the complex cost structure of multicloud computing. Among the topics we covered:  As you survey the...
      Read more
      Big Data and Analytics

      GoodData CEO Roman Stanek on Business Intelligence...

      James Maguire - May 4, 2022 0
      I spoke with Roman Stanek, CEO of GoodData, about business intelligence, data as a service, and the frustration that many executives have with data...
      Read more
      Android

      Samsung Galaxy XCover Pro: Durability for Tough...

      Chris Preimesberger - December 5, 2020 0
      Have you ever dropped your phone, winced and felt the pain as it hit the sidewalk? Either the screen splintered like a windshield being...
      Read more
      IT Management

      Intuit’s Nhung Ho on AI for the...

      James Maguire - May 13, 2022 0
      I spoke with Nhung Ho, Vice President of AI at Intuit, about adoption of AI in the small and medium-sized business market, and how...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2021 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×