Close
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Menu
Search
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    Cisco Redefines How It Manages, Communicates Security Issues

    By
    Sean Michael Kerner
    -
    October 5, 2015
    Share
    Facebook
    Twitter
    Linkedin
      security management

      Finding and fixing flaws is one challenge, while effectively communicating security updates and risks to users is quite another. It’s a lesson that networking giant Cisco Systems is taking to heart, as it is redefining how it manages and communicates security issues from the Cisco Product Security Incident Response Team (PSIRT).

      The new PSIRT efforts involve Cisco making security information more transparent and valuable to users. The PSIRT communications overhaul follows several weeks after Cisco customers were impacted by an attack known as SYNful Knock, which security firm FireEye reported. Though from a timing perspective, the update to PSIRT is close to the SYNful Knock incident, Cisco claims the two are unrelated.

      “We’ve been talking about this with our customers for several months,” Omar Santos, principal engineer of Cisco PSIRT Security Research and Operations, told eWEEK.

      Cisco is positioning the PSIRT overhaul as a streamlining of how the company communicates vulnerability information. Part of the new PSIRT communication is a Security Impact Rating (SIR) that is now being attached to vulnerability disclosure information.

      “SIR is a simplified way to categorize vulnerabilities based on a CVSS score, and it will be highly visible on the disclosure landing page,” Santos said.

      The Common Vulnerabilities Scoring System (CVSS) is a standardized way of providing a numerical value for the severity of a given vulnerability. Santos explained that with the updated PSIRT disclosures, instead of complicated numerical metrics, the SIR will clearly define for users a rating of critical, high, medium or low.

      “It also provides a more accurate and easy representation of risk in the event that there are additional factors not properly captured in the CVSS score,” Santos said.

      As part of looking at vulnerability risk, Santos commented that each advisory continues to have a section called Exploitation and Public Announcements, where Cisco PSIRT documents the exploitability of vulnerabilities.

      “We’ve also added a new section called Indicators of Compromise to advise customers on what to watch for as evidence of an intrusion,” Santos said.

      Cisco is planning to offer an API that will enable customers to directly consume and integrate product vulnerability information. Santos explained that Cisco will follow best practices for the security of the API and will have API keys to identify users.

      “Only the GET HTTP verb will be supported, meaning users will only be able to obtain information from the API and cannot push any notifications, change information or compromise the integrity of what Cisco has published,” Santos said.

      One thing that Cisco is not adding as part of its security disclosure revamp is any sort of formal bug-bounty program. Multiple reports and vendors have found great value in bug-bounty programs as a way to rapidly tap into the community of third-party security researchers.

      “Cisco’s general philosophy is not to pay for bug or vulnerability reports, primarily because we’ve had great success engaging directly with customers and the research community,” Santos said.

      While Cisco doesn’t actually pay researchers for bug reports, Santos noted that Cisco always thanks security researchers who report product vulnerabilities, unless they request not to be acknowledged publicly. At a core level, Cisco isn’t investing in bug-bounty programs because the company is continuing to invest in its own teams to break products down, find vulnerabilities and fix them.

      “For a large organization whose technology poses significant barriers to entry for the research community, we see this investment as the best way to spend our dollars,” Santos said. “Building this type of core competency is an important part of any active secure development lifecycle.”

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

      Avatar
      Sean Michael Kerner
      Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.

      MOST POPULAR ARTICLES

      Android

      Samsung Galaxy XCover Pro: Durability for Tough...

      Chris Preimesberger - December 5, 2020 0
      Have you ever dropped your phone, winced and felt the pain as it hit the sidewalk? Either the screen splintered like a windshield being...
      Read more
      Cloud

      Why Data Security Will Face Even Harsher...

      Chris Preimesberger - December 1, 2020 0
      Who would know more about details of the hacking process than an actual former career hacker? And who wants to understand all they can...
      Read more
      Cybersecurity

      How Veritas Is Shining a Light Into...

      eWEEK EDITORS - September 25, 2020 0
      Protecting data has always been one of the most important tasks in all of IT, yet as more companies become data companies at the...
      Read more
      Big Data and Analytics

      How NVIDIA A100 Station Brings Data Center...

      Zeus Kerravala - November 18, 2020 0
      There’s little debate that graphics processor unit manufacturer NVIDIA is the de facto standard when it comes to providing silicon to power machine learning...
      Read more
      Apple

      Why iPhone 12 Pro Makes Sense for...

      Wayne Rash - November 26, 2020 0
      If you’ve been watching the Apple commercials for the past three weeks, you already know what the company thinks will happen if you buy...
      Read more
      eWeek


      Contact Us | About | Sitemap

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Property of TechnologyAdvice.
      Terms of Service | Privacy Notice | Advertise | California - Do Not Sell My Information

      © 2021 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×