CNET también está disponible en español.

Ir a español

Don't show this again

Tech Industry

Precision security fighting at Cisco

Cisco security maven John Stewart says never mind the OS--Attackers are after the apps, from IM to Office.

Cisco Systems Chief Security Officer John Stewart worries most about stealthy, targeted attacks--Forget those mass-mailer Trojan horses.

Some years ago Stewart was putting out large-scale fires, responding to the latest outbreak of a computer worm or virus. With advances in security systems and changing threats, the job has morphed. These days, Stewart and his team are precision fighters, working to prevent stealthy attacks that are after corporate secrets.

Stewart heads up Cisco's global IT security team, among other security-related groups. With his staff, he secures a network used by about 50,000 people, with more than 60,000 PCs and countless other network-connected devices including 50,000 voice over Internet Protocol, or VoIP, phones.

The experiences at Cisco mirror what pundits say is the daily grind for security pros in large organizations all over the world. They face criminal organizations that look to exploit security holes for financial gain. These attackers increasingly target applications instead of operating system code.

But the single biggest threat to companies, according to Stewart, is unstructured data. He sat down with CNET News.com recently to explain what keeps him up at night and what solutions to data leaks might be.

Q: What is making you want to take a vacation?
Stewart: The world has wrapped around its head (the idea) that just because there is no news, life is good. In fact, it's ironic because in a sense it was good that threats used to be a mainstream topic. It brought attention and reminded everybody that it is a considerable issue. But now, botnets are off the charts, and low and slow is the attacker's approach. Not trying to generate massive amounts of spam, massive amounts of control chain that would be signaled, means that you've got a whole new layer of aggression.

I would worry about all the other third-party software that's bundled when you buy a computer. PDF flaws, the instant-messaging worms. This is an order of magnitude more complex than dealing with operating system flaws.

You're talking about targeted attacks that go below the radar?
Stewart: Targeted or untargeted, but below the radars. One is just obvious, clearly aimed at one organization. The other one is just as deadly. It is the very slow, quiet one, where the infection vector probably still is traditional, but not causing a computer to display any ill characteristics immediately. It'll go quiescent for a given period of time, it will just quietly send information out, as opposed to spiking the CPU, ripping the hard drive as fast as possible and propagating as fast as possible. That's because the intent is not to be found, the intent is to get the information, but avoid detection. Frankly, the sophistication is getting significant.

That's what the pundits say. Consumers are hit by botnets, but businesses are targeted by attacks aimed at stealing trade secrets. Is that true? Are bots not a problem at Cisco?
Stewart: We've got the same problem consumers have, but we've got signaling mechanisms that can pick up control channels faster than any consumer network can. We've also got a network that will protect us, versus the free and open Internet. Corporations have a dedicated team. We've got IT professionals.

So essentially you can deal with botnets because you're better prepared.
Stewart: Absolutely.

So, you don't have a botnet problem inside Cisco?
Stewart: That's a leap I don't want to take. It is a manageable one. If a bot picks up, typically we will see it. It doesn't mean we will never get a bot, it just means that we will pick it up fast and we will shut it off. That's different in the consumer space.

If the botnets are under control, what things are worrying you? These targeted attacks? How do you deal with those, or do you find out when it's too late?
Stewart: At the moment, I'd say that there aren't enough ways to see this type of attack. The security industry has mostly given us a number of abilities to pinpoint problems, but not a correlation between them all. If you can get collaboration between disparate types of systems, then you will see the problems faster.

What also doesn't let me sleep very well is changing targets. Operating system vendors have always been the target. They are getting better and, as a result, the attackers are going after the application space. Applications are where the data is, where it's being stored, where it's being downloaded, where it's unstructured.

Are you worried about all these zero-day flaws in Office applications?
Stewart: I worry about that. I would worry about all the other third-party software that's bundled when you buy a computer. PDF flaws, the instant-messaging worms. This is an order of magnitude more complex than dealing with operating system flaws. There is also an infrastructure side of this problem, all the Web developers that have thrown application after application on the Web storing your data.

Is your job ever going to change from being the fireman and putting out fires to building fire hydrants or sprinkler systems to prevent fires from occurring?
Stewart: I think it already has. We're still putting out fires, but three years ago where you never knew what was going to happen next, I was fighting the stomp and crush of finding the latest infected computer, finding whatever idiot did it, and shutting it down. That's firefighting; that's not my problem today.

Now I'm getting the sophisticated fires, not flash fires, not forest fires. I'm dealing with the sparkles, the ones that are designed to get at very sensitive data, and I'm not handling the massive outbreak, and I'm not even worried about the massive outbreak. So I don't feel like a firefighter.

Do you believe in things like whitelisting or blacklisting applications on desktops?
Stewart: To me, whitelisting is more important than blacklisting. Whitelisting is where you have a confidence factor..., not wholeheartedly, that the application is safe, but that you have a reasonable assertion that it was installed by somebody or something that is known, and that it came from a known vendor you look to if there is any issue.

Blacklisting, on the other hand, automatically shuns an application that (subsequently) never recovers from blacklisting. And I'd rather focus on an unknown application that is an anomaly--it can still be good, it can still be bad, but we scrutinize it differently.

Unstructured data is the single biggest risk to companies, bar none, and it's because it leaves in unorthodox ways. It leaves on USB keys, PDAs, iPods, CD writers, in electronic mails where you accidentally type the first couple of letters and then, oops, it gets sent it off to the wrong place.

Do you use any whitelisting tools or blacklisting tools?
Stewart: In some respects, Cisco Security Agent is a little bit like a whitelisting tool. It says that there are a certain number of actions and a certain number of applications that have received those actions that are allowed.

What do you think of data leak protection tools that are popping up everywhere to make sure sensitive data doesn't leave your enterprise?
Stewart: We've got a (variety) of issues around unstructured data leakage. It is a nascent and important market. I've watched this space for a while because, in the data center, for example, if you know that a structured set of data is supposed to leave, it is a great place to set a perimeter and protect.

Similarly... Connections between companies where you have a vehicle by which you feel confident what data is supposed to go between you and a partner, (are) a great place to determine it is only that data going between them.

Unstructured data is the single biggest risk to companies, bar none, and it's because it leaves in unorthodox ways. It leaves on USB keys, PDAs, iPods, CD writers, in electronic mails where you accidentally type the first couple of letters and then, oops, it gets sent it off to the wrong place.

And the solution to it is still to be determined?
Stewart: It's still to be determined and different companies can approach it different ways. One company might go back to the mainframe era where all data is in a controlled environment. Another company will look at it and say that data needs to be moved and manipulated, and assert that only the data can move in certain criteria.

If you could have one wish granted in terms of the security space and work that you do, what wish would that be?
Stewart: I would love to have an open standard, universally adopted data tagging mechanism. That mechanism could assert criteria about data as it's moving. Once that's done, every signaling system can look for those tags and you would know if data is in the wrong spot, you know how it is moving and you can redirect the data if it is going to the wrong place. You could, for example, assert on an endpoint that it can't get the data it's trying to get. You could have networks actually watch data in flight and watch not so much that data's contents, but its classification.

Does any of that exist at all?
Stewart: At a very basic level. The Microsoft team, the Adobe team, the Open Office guys, they've all worked at ideas, but they still haven't managed to make basic parts of this actually an open standard.