Your Trusted Security Advisor NOT!
July 29th, 2005 by Quan Tranh
ISS and Cisco have demonstrated to the world that they are untrustworthy by hanging researcher Michael Lynn out to dry for doing what he felt was right at the time. During the late 1990s ISS’ slogan was “your trusted security advisor”. There was lots of cheerleading and fanfare that security was job one and the customer always came first. After seeing this latest demonstration of security being job one, I’m certainly glad to see other companies take the lead in the security market space. It is very difficult to be a trusted security advisor if you are selling your own employees down the river and becoming very cozy with giants like Cisco and Microsoft. There was a time when ISS would not have held back on disclosing a newly discovered vulnerability. As time has gone on they have become, shall we say, big corporate. Making sure that money from Cisco continues to roll in is apparently more important than backing your own research, let alone your own researcher.
In several news articles Cisco has accused Lynn of illegally reverse engineering their IOS. One thing that nobody has pointed out yet, reading between the lines, is that Cisco went to ISS and asked their researchers to attempt to find vulnerabilities in IOS through reverse engineering. In my opinion it is kind of difficult to accuse someone of illegally reverse engineering your product when you asked them to. In my view Lynn was acting as an agent of ISS and fully had Cisco’s permission to reverse engineer their router software. The Cisco PR machine is cranking out victim propaganda faster than Osama bin Laden can crank out terror propaganda. As the old saying goes, be careful what you wish for because it might come true. Cisco should have been more careful.
Bruce Schneier has a wonderful editorial on the topic at his blog. I would have to agree that full disclosure is a necessary evil in the security world. In this particular case my blanket answer to the problem of letting the bad guys know about your vulnerabilities doesn’t really apply, but for the record here it is. If you are either a manager or an engineer in operations, it is your responsibility to make sure that all of your employer’s information systems are up and running, with no excuses for downtime or security breaches. With traditional operating system vulnerabilities it is not necessary to wait for a vendor to produce a patch. There are many IPS solutions available that allow you to create custom signatures; Astaro Security Linux, which uses Snort, is one that comes to mind. If a zero-day vulnerability is revealed, then it is up to operations staff to download the exploit code and craft their own IPS signature to protect against said attack. Nobody is going to look out for you except yourself, and any person working in IT who believes that the vendor is going to take care of all their security problems with a magic patch is being naïve.
At the end of the day we’ll probably see Michael Lynn become a net legend and sales of Foundry and Juniper equipment begin to overtake Cisco’s.
Lynn’s presentation can be found by reading this notice. It’s probably not going to be too long before this site has to take it down, but multiple copies are floating around on P2P networks.
This entry was posted on Friday, July 29th, 2005 at 5:54 pm and is filed under Geek/Tech/Sci.