
Five actions to take based on Cisco's Annual Security Report

David Davis reviews Cisco's 52-page annual security report and suggests five actions you should take to improve your network's security status.

Cisco's Security Intelligence Operations group recently published its Cisco 2008 Annual Security Report (registration required to read). This 52-page report offers a ton of valuable insight and action items for Cisco network administrators. To save you the time of reading the 52-page report, I have researched it myself and have come up with five action items that we should take today to secure our Cisco networks.

What did Cisco's Annual Security Report tell us?

Obviously the large report had a lot to say, but here are some of the most important things I learned from the report:

  • There wasn't a single, large, well-known security event (such as the "Code Red" worm or the "Melissa" virus) in 2008. However, the absence of high-profile events doesn't mean that attacks are decreasing or that we should feel more secure. Typically the attacks that make the "evening news" are the ones where the attacker made a mistake. The attackers who really know what they are doing don't make the news; they accomplish their goal and get out without being detected.
  • Blended attacks are becoming more popular and more successful. These combine a variety of methods, such as spam, cross-site scripting against Web applications, and denial-of-service (DoS) attacks. What this tells us is that we need to maintain a high level of security across all of our attack surfaces, not just one or two.
  • New and popular technologies are high targets for attack. For example, mobile devices and virtual host servers (virtualization) are "hot targets" for attackers because their security has not been proven over time, and they may offer attackers more vulnerabilities.
  • It came as no surprise that attackers are targeting applications "used by the masses" like social networking, instant messaging, and peer-to-peer file sharing.
  • The "human factor" is still the weakest link in the security chain, and we, as network admins, need to use our technology wisely to protect and educate our end users.

Still, the single thing that I found most interesting was that denial-of-service (DoS) and buffer overflow attacks were, by far, still the most dominant vulnerability and threat activity in 2008. These are well-understood threats, largely addressed by keeping device software patched and by filtering what is allowed to reach our devices, and we should make sure that our networks are protected from them.

What are five security actions that you should take today?

1. Move back into a position of active security (be more vigilant). Many of us make the mistake of periodically doing something to secure our network, then setting it aside. But you cannot "set it and forget it." Keep in mind that security must be taken into account in every project. All projects are "security projects" because security is involved in everything. Start with the security wheel (Figure A). The entry point is to have a network security policy and standards in place and then begin assessing risks. From there, we move around to implementing security, training, monitoring, and responding before starting all over again.

Figure A

Security Wheel / Security Lifecycle
2. Educate and protect end users.

It is our job to protect and educate our end users. We have to educate them because our network devices and configuration can only go so far in protecting them. If you read Cisco's report, many of the attacks on networks were from the mistakes of naïve end users. In addition to education, end user network security must be put in place, such as content filtering (see my article "Filter Web Content with Cisco IOS Routers"), anti-spam apps, anti-virus apps, and NAC.

3. Learn about Cisco security.

Cisco recommends that every vendor create a security center and publish it at the /security path on its Web site. Cisco has done this itself, and you can get to all of its security information at www.cisco.com/security.

While you are there, it is likely that you will notice that even many versions of the latest Cisco IOS, 12.4, have a vulnerability that needs to be patched (see Cisco Security Advisory: Multiple Cisco Products Vulnerable to DNS Cache Poisoning Attacks). I recommend that you subscribe to Cisco's Security Intelligence RSS Feeds to stay up to date on the latest threats and vulnerabilities in your Cisco devices (and this is a good thing to do for all your vendors).

4. Patch your routers, switches, and firewalls.

If the network is running well and you don't need any new features, why patch your routers and switches? Sorry, but we can't think that way. We need to stay active, patching vulnerabilities even when the network is stable, to ensure that those vulnerabilities don't get exploited. Once you have learned about network security and know which vulnerabilities likely exist in your network device OSes, you need to patch those routers, switches, and firewalls. For step-by-step instructions, see

And, even better, what if you could automatically upgrade your IOS to take some of this work off of you? See my article "Is Automatically Upgrading the Cisco IOS Really Possible?"
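Actions 3 and 4 reduce to one question per device: is the running release earlier than the first fixed release named in the advisory? The script below is an added example, not code from the article or from Cisco. It pulls the release string out of constructed "show version" output, compares it with a first-fixed table whose entries are hypothetical placeholders (the real values come from the advisory text), and refuses to compare across trains, because IOS trains such as 12.4 mainline and 12.4T are not ordered against each other by number alone.

```python
"""Compare running Cisco IOS releases against a first-fixed-release table.

Added example, not code from the article or from Cisco. The 'show version'
lines are constructed and FIRST_FIXED holds hypothetical placeholder values:
take the real first-fixed releases from the advisory you are acting on.
"""
import re
from typing import Dict, NamedTuple, Optional, Tuple

# IOS release syntax: major.minor(maintenance[letter])[TRAIN[rebuild]]
# e.g. 12.4(15)T7, 12.4(13b), 12.2(33)SXH3
VERSION_RE = re.compile(
    r"(?P<major>\d+)\.(?P<minor>\d+)"
    r"\((?P<maint>\d+)(?P<letter>[a-z]?)\)"
    r"(?P<train>[A-Z]+)?(?P<rebuild>\d+)?"
)


class IosVersion(NamedTuple):
    major: int
    minor: int
    maint: int
    train: str      # "" for the mainline train
    rebuild: int    # T7 -> 7; letter rebuild 13b -> 2; none -> 0


def parse_version(s: str) -> Optional[IosVersion]:
    """Normalise a bare release string such as '12.4(15)T7' into a tuple."""
    m = VERSION_RE.fullmatch(s.strip())
    if not m:
        return None
    if m.group("rebuild"):
        rebuild = int(m.group("rebuild"))
    elif m.group("letter"):
        rebuild = ord(m.group("letter")) - ord("a") + 1
    else:
        rebuild = 0
    return IosVersion(int(m.group("major")), int(m.group("minor")),
                      int(m.group("maint")), m.group("train") or "", rebuild)


def version_from_show_version(text: str) -> Optional[IosVersion]:
    """Pull the release out of 'show version' output ('..., Version 12.4(15)T7, ...')."""
    m = re.search(r"\bVersion (\S+?),", text)
    return parse_version(m.group(1)) if m else None


def is_vulnerable(running: IosVersion, first_fixed: IosVersion) -> Optional[bool]:
    """True if running predates first_fixed on the same train.

    Returns None when the releases are on different trains or a different
    major.minor: IOS trains are not ordered against each other, so 12.4(15)T7
    cannot be called older or newer than 12.4(23) by number alone.
    """
    if (running.major, running.minor, running.train) != \
            (first_fixed.major, first_fixed.minor, first_fixed.train):
        return None
    return (running.maint, running.rebuild) < (first_fixed.maint, first_fixed.rebuild)


# Hypothetical first-fixed releases keyed by (major, minor, train). Placeholders
# for the example only; they are NOT the fixed releases from any real advisory.
FIRST_FIXED: Dict[Tuple[int, int, str], str] = {
    (12, 4, "T"): "12.4(15)T8",
    (12, 4, ""): "12.4(21)",
    (12, 2, "SXH"): "12.2(33)SXH4",
}

# Constructed first lines of 'show version' from five devices.
INVENTORY: Dict[str, str] = {
    "edge-rtr1": "Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(15)T7, RELEASE SOFTWARE (fc3)",
    "edge-rtr2": "Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(15)T9, RELEASE SOFTWARE (fc2)",
    "branch-rtr1": "Cisco IOS Software, 1841 Software (C1841-ADVIPSERVICESK9-M), Version 12.4(13b), RELEASE SOFTWARE (fc3)",
    "core-sw1": "Cisco IOS Software, s72033_rp Software (s72033_rp-ADVENTERPRISEK9_WAN-M), Version 12.2(33)SXH3, RELEASE SOFTWARE (fc1)",
    "old-rtr1": "Cisco IOS Software, C2600 Software (C2600-IPBASE-M), Version 12.3(26), RELEASE SOFTWARE (fc2)",
}


def audit(inventory: Dict[str, str]) -> Dict[str, str]:
    """Classify each device as 'patch', 'ok', 'no fix data for train' or 'unparsed'."""
    results: Dict[str, str] = {}
    for device, show_ver in inventory.items():
        running = version_from_show_version(show_ver)
        if running is None:
            results[device] = "unparsed"
            continue
        fixed_str = FIRST_FIXED.get((running.major, running.minor, running.train))
        if fixed_str is None:
            # A train the advisory table says nothing about: look it up by hand,
            # don't silently treat it as safe.
            results[device] = "no fix data for train"
            continue
        fixed = parse_version(fixed_str)
        results[device] = "patch" if is_vulnerable(running, fixed) else "ok"
    return results


if __name__ == "__main__":
    for device, status in audit(INVENTORY).items():
        print(f"{device:12s} {status}")
```

The "no fix data for train" outcome is deliberate: a device on a train the table does not cover is a gap in your inventory work, not a clean result, which is the same reason the comparison returns None rather than guessing across trains.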

5. Perform a vulnerability scan and check router configurations for security issues.

Finally, you need to perform a vulnerability scan on your network (internally and externally) to ensure that your network devices are doing their part to secure your network.
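The configuration half of this action can be scripted as well. The checker below is an added example, not code from the article; both configs are constructed, and the checks cover settings commonly audited on IOS devices (passwords stored in the clear, an enable password instead of an enable secret, default or unrestricted SNMP communities, clear-text HTTP management, the small servers, source routing left enabled, telnet on the vty lines, and vty lines without an access-class). The weak config is shown beside the hardened one so that each finding maps to the line that fixes it.

```python
"""Flag weak settings in a Cisco IOS configuration.

Added example, not from the article. Both configs are constructed; the
checks are common IOS hardening items, not a complete benchmark.
"""
import re
from typing import Dict, List, Tuple

# Constructed weak config: the kind of 'show running-config' an audit turns up.
WEAK_CONFIG = """\
version 12.4
no service password-encryption
service tcp-small-servers
hostname edge-rtr1
!
enable password cisco123
!
ip http server
snmp-server community public RO
snmp-server community private RW
!
line vty 0 4
 password cisco
 login
 transport input telnet ssh
!
end
"""

# Constructed hardened config: the same device with each finding corrected.
# The enable secret hash is a placeholder, not a real hash.
HARDENED_CONFIG = """\
version 12.4
service password-encryption
no service tcp-small-servers
no service udp-small-servers
hostname edge-rtr1
!
enable secret 5 $1$placeholder$hash
!
no ip source-route
no ip http server
ip http secure-server
access-list 10 permit 10.1.1.0 0.0.0.255
snmp-server community Mgmt-RO-2008 RO 10
!
line vty 0 4
 access-class 10 in
 exec-timeout 5 0
 login local
 transport input ssh
!
end
"""

Finding = Tuple[str, str]   # (what was found, the line that fixes it)


def sections(cfg: str) -> Dict[str, List[str]]:
    """Group indented sub-commands under their parent command (e.g. 'line vty 0 4')."""
    result: Dict[str, List[str]] = {}
    current = None
    for raw in cfg.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            result[current].append(raw.strip())
        elif not raw.startswith(" "):
            current = raw.strip()
            result.setdefault(current, [])
    return result


def audit_config(cfg: str) -> List[Finding]:
    """Return (finding, fix) pairs for each weak setting in cfg."""
    findings: List[Finding] = []

    def has(pattern: str) -> bool:
        return re.search(pattern, cfg, re.M) is not None

    if has(r"^no service password-encryption$"):
        findings.append(("passwords stored in clear text", "service password-encryption"))
    if has(r"^enable password ") and not has(r"^enable secret "):
        findings.append(("enable password (reversible) instead of enable secret", "enable secret <secret>"))
    if has(r"^ip http server$"):
        findings.append(("clear-text HTTP management enabled", "no ip http server"))
    if not has(r"^no ip source-route$"):
        # Source routing is on by default in IOS, so its absence from the config is the finding.
        findings.append(("IP source routing left at its default (enabled)", "no ip source-route"))
    for proto in ("tcp", "udp"):
        if has(rf"^service {proto}-small-servers$"):
            findings.append((f"{proto} small servers enabled", f"no service {proto}-small-servers"))
    for m in re.finditer(r"^snmp-server community (\S+)(?: (RO|RW))?(?: (\S+))?$", cfg, re.M):
        community, mode, acl = m.group(1), m.group(2) or "RO", m.group(3)
        if community.lower() in ("public", "private"):
            findings.append((f"SNMP community '{community}' is a default name ({mode})",
                             f"snmp-server community <hard-to-guess> {mode} <acl>"))
        elif acl is None:
            findings.append((f"SNMP community '{community}' ({mode}) has no access-list",
                             f"snmp-server community {community} {mode} <acl>"))
    for header, body in sections(cfg).items():
        if not header.startswith("line vty"):
            continue
        transport = next((l for l in body if l.startswith("transport input")), None)
        if transport is None or "telnet" in transport or transport.endswith(" all"):
            findings.append((f"{header}: telnet accepted ({transport or 'transport input not set'})",
                             "transport input ssh"))
        if not any(l.startswith("access-class") for l in body):
            findings.append((f"{header}: no access-class limiting where management may come from",
                             "access-class <acl> in"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        found = audit_config(cfg)
        print(f"{name}: {len(found)} finding(s)")
        for what, fix in found:
            print(f"  - {what}\n      fix: {fix}")
```

Run it against a saved "show running-config" and the output is a to-do list of config lines; the hardened sample produces no findings, which is the bar a production config should meet before the external scan is scheduled.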

More resources

Additionally, you need to check your Cisco router, switch, and firewall configurations to ensure that they are as secure as possible (remember that human error with misconfigurations is still one of the largest security threats we face). One of the most popular Cisco router security articles I have ever written is "Fundamentals: Five Ways to Secure Your Cisco Routers and Switches." Here are some of my other security-focused articles for routers and switches:

Final thoughts

In the years ahead, look forward to a worldwide implementation of DNSSEC, stronger PCI DSS (data security standards), and more tools that make security easier. In the meantime, we can learn a lot from Cisco's annual security report. I hope that you will take their well-researched recommendations to heart and get started securing your Cisco network.

3 comments
shaikh_s25

it can only happen Cisco IOS, Router, Network, Vulnerability, Cisco Systems Inc., Attack, Security, Networking not in other switch or Router

reisen55

My former manager, a certified BCP/DR planner, posed this question: if a Denial of Service attack occurred within the walls of the Enterprise network, not outside of it. Internal on the servers. Most challenging. Secondly, we all know about BIG INTERNET PIPES from the corporation to the IP carrier such as Verizon and Optimum. BUT from where do these firms get THEIR INTERNET FROM??? And what if an attack hit THEIR INTERNET??? Again, a challenging question.

ddavis

Hi Reisen55, These are good questions! More and more we have to be watching our internal network as much as our external networks. I think this makes a case for internal IPS such as putting an IPS blade in a Cisco Cat 6500 chassis. About the second point, the Tier 1 carriers (Sprint, Verizon, AT&T, and others) are all meshed. In the USA, they are "the Internet". That's why these Tier 1 carriers have to have such a strong NOC & SOC (network & security operations centers) - to protect the Internet backbone. Still, I suspect that most of these carriers have such big backbones that they would be able to deliver a DDoS attack, at full speed, to whoever it was targeted at, without ever noticing it. It would be the targets that would be the bottleneck and be denied service. Thanks for reading my TechRepublic articles! -David Davis
