David Davis reviews Cisco's 52-page annual security report and suggests five actions you should take to improve your network's security status.
Cisco's Security Intelligence Operations group recently published its Cisco 2008 Annual Security Report (registration required to read). This 52-page report offers a ton of valuable insight and action items for Cisco network administrators. To save you the time of reading the 52-page report, I have researched it myself and have come up with five action items that we should take today to secure our Cisco networks.
What did Cisco's Annual Security Report tell us?
Obviously the large report had a lot to say, but here are some of the most important things I learned from the report:
- There wasn't a single, large, well-known, security event (such as the "Code Red Worm" or "Melissa Virus") in 2008. However, just because there weren't high-profile events doesn't mean that attacks are decreasing or that we should feel more secure. Typically the attacks that make the "evening news" are attacks performed by newbies who made a mistake. The malicious attackers that really know what they are doing don't get on the news -- they accomplish their attack and get out without being detected.
- Blended attacks are becoming more and more popular and successful. These make use of a variety of methods such as spam, cross-site scripting of Web servers, and denial-of-service (DoS) attacks. What this tells us is that we need to maintain a high level of security protecting all the attack surfaces, not just one or two.
- New and popular technologies are prime targets for attack. For example, mobile devices and virtual host servers (virtualization) are "hot targets" for attackers because their security has not been proven over time, and they may offer attackers more vulnerabilities.
- It came as no surprise that attackers are targeting applications "used by the masses" like social networking, instant messaging, and peer-to-peer file sharing.
- The "human factor" is still the weakest link in the security chain, and we, as network admins, need to use our technology wisely to protect and educate our end users.
Still, the single thing that I found most interesting was that denial-of-service (DoS) and buffer overflow attacks were, by far, still the most dominant vulnerability and threat activity in use in 2008. These common types of threats are very preventable, and we should make sure that our networks are protected from them.
What are five security actions that you should take today?
1. Move back into a position of active security (be more vigilant).
Many of us make the mistake of periodically doing something to secure our network, then setting it aside. But you cannot "set it and forget it." Keep in mind that security must be taken into account in every project. All projects are "security projects" because security is involved in everything. Start with the security wheel (Figure A). The entry point is to have a network security policy and standards in place and then begin assessing risks. From there, we move around to implementing security, training, monitoring, and responding before starting all over again.
Figure A: Security Wheel / Security Lifecycle
2. Educate and protect end users.
It is our job to protect and educate our end users. We have to educate them because our network devices and configuration can only go so far in protecting them. If you read Cisco's report, many of the attacks on networks were from the mistakes of naïve end users. In addition to education, end user network security must be put in place, such as content filtering (see my article "Filter Web Content with Cisco IOS Routers"), anti-spam apps, anti-virus apps, and NAC.
3. Learn about Cisco security.
Cisco recommends that all vendors create a security center and that the page be /security. Cisco has done this, and you can gain access to all their security information at www.cisco.com/security.
While you are there, it is likely that you will notice that even many versions of the latest Cisco IOS, 12.4, have a vulnerability that needs to be patched (see Cisco Security Advisory: Multiple Cisco Products Vulnerable to DNS Cache Poisoning Attacks). I recommend that you subscribe to Cisco's Security Intelligence RSS Feeds to stay up to date on the latest threats and vulnerabilities in your Cisco devices (and this is a good thing to do for all your vendors).
4. Patch your routers, switches, and firewalls.
If the network is running well and you don't need any new features, why patch your routers and switches? Sorry, but we can't think that way. We need to stay active, patching vulnerabilities even if the network is stable, to ensure that those vulnerabilities don't get exploited. After you have learned about network security and now know all the vulnerabilities that likely exist in your network device OSes, you need to patch those routers, switches, and firewalls. For step-by-step instructions, see
And, even better, what if you could automatically upgrade your IOS to take some of this work off of you? See my article "Is Automatically Upgrading the Cisco IOS Really Possible?"
5. Perform a vulnerability scan and check router configurations for security issues.
Finally, you need to perform a vulnerability scan on your network (internally and externally) to ensure that your network devices are doing their part to secure your network.
Additionally, you need to check your Cisco router, switch, and firewall configurations to ensure that they are as secure as possible (remember that human error with misconfigurations is still one of the largest security threats we face). One of the most popular Cisco router security articles I have ever written is "Fundamentals: Five Ways to Secure Your Cisco Routers and Switches." Here are some of my other security-focused articles for routers and switches:
- Learn the Benefits of Cisco's Security Device Manager (SDM)
- How to Properly Secure Your Cisco Router with Passwords
- Lock Down Cisco Switch Port Security
- Understand the Levels of Privilege in the Cisco IOS
- Be Aware of How Easily Someone Can Crack a Cisco IOS Password
- Router Configuration 101: Configuring and Securing the Router
- Configure a Cisco PIX Firewall with This Template
- Get to Know Your Logging Options in the Cisco IOS
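The configuration review in step 5 is easy to automate for the settings the articles above cover (passwords, VTY access, logging). The following is an added example written for this article, not code from the report or from the linked articles: a small Python audit that parses an IOS-style running-config into global lines and indented line sections, then flags reversible passwords, cleartext HTTP and telnet management, default SNMP community strings, disabled idle timeouts, and missing logging. Both configs are constructed samples (the hostname, community strings, and the `$1$placeholder$...` secret hashes are placeholders, not real values); the checks cover only the handful of settings listed here, not a full hardening baseline.

```python
import re
from typing import Dict, List

# Constructed sample of a weak IOS running-config (not from any real device).
WEAK_CONFIG = """\
hostname EDGE-RTR1
!
enable password cisco123
service password-encryption
!
username admin password 7 00PLACEHOLDER00
!
ip http server
no ip http secure-server
!
snmp-server community public RO
!
line con 0
 password 0 console
 login
line vty 0 4
 transport input telnet
 no exec-timeout
 login local
!
logging buffered 4096
"""

# The same device, constructed with the weak settings corrected.
HARDENED_CONFIG = """\
hostname EDGE-RTR1
!
service password-encryption
enable secret 5 $1$placeholder$hashgoeshere
!
username admin privilege 15 secret 5 $1$placeholder$hashgoeshere
!
no ip http server
ip http secure-server
!
snmp-server community Adm1nOnly-r0 RO
!
line con 0
 exec-timeout 5 0
 login local
line vty 0 4
 transport input ssh
 exec-timeout 5 0
 login local
!
logging buffered 16384
logging host 192.0.2.10
"""


def parse_sections(config: str) -> Dict[str, List[str]]:
    """Map each top-level config line to its indented child lines.
    Global commands map to an empty list; 'line vty 0 4' maps to its sub-commands."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue  # skip blank lines and '!' separators
        if raw.startswith(" "):
            if current is not None:
                sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections[current] = []
    return sections


def audit_config(config: str) -> List[str]:
    """Return human-readable findings for the weak settings this check knows about."""
    sections = parse_sections(config)
    global_lines = list(sections)
    findings: List[str] = []

    def has(pattern: str) -> bool:
        return any(re.match(pattern, line) for line in global_lines)

    # 'enable password' is stored cleartext or as reversible type 7; 'enable secret' is hashed.
    if has(r"enable password ") and not has(r"enable secret "):
        findings.append("enable password used without enable secret (reversible)")
    # Local accounts should use 'secret' (hashed) rather than 'password' (reversible).
    for line in global_lines:
        m = re.match(r"username (\S+) .*\bpassword\b", line)
        if m:
            findings.append(f"username {m.group(1)} uses reversible 'password' not 'secret'")
    if not has(r"service password-encryption$"):
        findings.append("service password-encryption not enabled")
    # Management over cleartext HTTP; 'no ip http server' does not match because of the anchor.
    if has(r"ip http server$"):
        findings.append("ip http server enabled; disable it or use ip http secure-server")
    for line in global_lines:
        m = re.match(r"snmp-server community (\S+)", line)
        if m and m.group(1).lower() in ("public", "private"):
            findings.append(f"default SNMP community '{m.group(1)}' configured")
    # VTY lines: telnet (or 'all') permits cleartext logins; a zero exec-timeout never idles out.
    for parent, children in sections.items():
        if not parent.startswith("line vty"):
            continue
        transports = [c for c in children if c.startswith("transport input")]
        if not transports or any(re.search(r"\b(telnet|all)\b", t) for t in transports):
            findings.append(f"{parent}: telnet permitted; use 'transport input ssh'")
        if "no exec-timeout" in children or any(
            re.match(r"exec-timeout 0 0$", c) for c in children
        ):
            findings.append(f"{parent}: idle sessions never time out")
    if not has(r"logging "):
        findings.append("no logging configured")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{name}] {len(audit_config(cfg))} finding(s)")
        for f in audit_config(cfg):
            print("  -", f)
```

Run it against a saved `show running-config` and the weak sample reports six findings while the hardened sample reports none. Because `parse_sections` keys on the exact parent line, a config with two identical section headers would merge them; a production checker would key on position as well, but for a first pass over a handful of devices the simple form is enough.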
In the years ahead, look forward to a worldwide implementation of DNSSEC, stronger PCI DSS (data security standards), and more tools that make security easier. In the meantime, we can learn a lot from Cisco's annual security report. I hope that you will take their well-researched recommendations to heart and get started securing your Cisco network.