[ISN] The man behind Cisco's security

InfoSec News isn at c4i.org
Wed Feb 15 03:14:29 EST 2006


By Joris Evers 
Staff Writer, CNET News.com
February 14, 2006

Cisco Systems drew the ire of the hacking community last summer when 
it decided to sue a security researcher. 

The lawsuit was retaliation for disclosing research into the security 
of software that runs Cisco routers and switches. The networking giant 
was already a target for cyberattacks, but that move probably put even 
more heat on its security team. 

For example, shortly after Cisco sued, and settled, with the 
researcher, its Web site security was breached. The company alerted 
customers and advised them to change their passwords. 

John Stewart is Cisco's chief security officer and heads up the 
company's IT security team, among other security-related groups. With 
his staff, Stewart secures a network used by about 40,000 people with 
more than 60,000 PCs and countless other network connected devices, 
including 50,000 voice over Internet Protocol, or VoIP, phones. 

On the day before the annual RSA Conference security confab in San 
Jose, Calif., Stewart talked to CNET News.com about his 

Q: There is a big bull's-eye on Cisco as an organization. What do you 
do to defend yourself against being attacked by hackers? Is there a 
simple solution?

Stewart: I don't think there is a simple solution. Probably the best 
way to describe it is that we never stop trying to think like our 
attackers. The best way to think about a defense is to think about the 
offense. The means by which we approach it go from everything from 
technology to how we educate and train people toward being aware of 
the risks and ideally to get security as a piece of every network 
element and into every person's mind. 

A lot of people tend to talk about security as the latest security 
patch or the latest vulnerability that's out there. Do you see 
security in that way? 

Stewart: No, those are a great deal about a known class of threats and 
usually there is a technology answer to your problem. We have a 
tendency to think about whole classes of problems. Patching is an 
availability problem just as much as it's a security problem. A virus 
is just as much a user awareness issue as it is a technology threat. 
In focusing on trying to handle classes of problems like that, we want 
to take people issues first, define it and then get a technology 
answer toward mitigating classes of problems. 

What would you say are some of the key issues you face in terms of 
security at Cisco and in defending the Cisco network? 

Stewart: The types of threats that we all face now are motivated by 
true financial gain. Often times what we had was an annoyance, or a 
disruptive kind of threat, something that was not really trying to 
damage or steal, but we have moved away from that now. This is about 
mitigating theft and mitigating true damage. That's most different 
then what we faced in the last few years. 

If you can describe some of the attacks that you face, what types of 
attacks are those and do you see many? 

Stewart: We face distributed denial of service attacks against our Web 
site, sometimes right towards the end of our quarter. That's a level 
of business knowledge that an attacking team has. In an attempt to 
disrupt electronic commerce, we will get an attack near the end of our 
quarter. That's a different style then we've seen in the past. We 
certainly face a lot of the more common ones, or the more frequently 
talked about ones, be it spam, be it the viruses and worms, but we 
have mitigated to a great degree the risks associated with those. 

How do you measure if you have been successful in your job as a 
security professional at Cisco? 

Stewart: That nobody knows we're there and they are feeling safe. 

Microsoft is releasing a new operating system later this year, Windows 
Vista. Microsoft likes to tout all the security enhancements in Vista, 
do you care about things like that? Do you look at that and think: 
'This is going to help me in terms of my security exposure?'

Stewart: Not at an operating system by operating system level. Any new 
technology is one that will have positives in its ability to protect 
itself and it will have new threats. That's not a Microsoft problem, 
it is every operating system developed. 

When you're protecting your own network, what kind of products do you 
like to use, what sort of technologies do you use? 

Stewart: We use behavioral technology. The first and best defense we 
use on computers at Cisco is the Cisco Security Agent. And by 
behavioral, what it is really doing is saying an operating system is 
running this way normally, but everything else is questionable. It 
might be OK, but you have to pose a question to find out whether it 
really is or isn't. Single handedly the most important technology we 
have deployed for protecting our computers in the past couple of 
years. We still use antivirus, we still use anti-spyware, those are 
key elements. We use all three of Symantec, Trend and McAfee.

You mentioned you use Cisco products also to protect your own network. 
What do you do if you have a problem with a Cisco product and does 
that ever occur? 

Stewart: It absolutely occurs. But being a part of engineering, as my 
team is, and we're part of IT as well, we get to work with engineering 
very closely. If there is ever a unique need on a product or there is 
a whole product we have not even invented yet that would be best 
suited to protect an enterprise, being so collaborative with my 
engineering team means that we can see the problem from both sides. 
They can use us as the practicing arm of what they are developing. I 
am a customer and I'd like to say that I am in a class of good tough 

Would you say that in terms of security at Cisco you are also 
accountable for security and totally responsible? 

Stewart: I think everybody at Cisco is accountable for security at 
Cisco. What I am uniquely accountable for, as is my team, is education 
and awareness and the use of technology to help best protect our 
company. What I'd rather never say is that a security team is 
responsible for security at a company, namely my security team is 
responsible for security at Cisco. That means that 99 percent of the 
company somehow isn't. That's the inverse of what I am looking for. 
I'd rather be helpful to the business, towards it understanding that 
we're all responsible. 

Do your users seem to understand that as well, or do they say: 'John 
is responsible for everything, I can go connect my laptop to a rogue 
wireless access point, he's going to take care of it anyway. I can go 
download spyware or Kazaa onto my PC, John is going to take care of 
it, it is not really my deal?'

Stewart: With this many people, there will always be cases where a 
person did not realize that they could not do something. From John 
Chambers as our CEO on down, we all realize that security is part of 
our responsibility. 

Is there any technology you won't use because of security reasons? I 
know of companies that won't use wireless networking, let mobile 
devices such as Palm Treo smart phones onto their networks, or let 
somebody connect an iPod to their work computer because of possible 
security issues. 

Stewart: We put security software on the Treos and allow them to be 
deployed. Most people want the Treos not only for contact information, 
they also want to use other application like e-mail. We say they are 
allowed to use it with e-mail, if they install security software. It 
is part of making security part of the generic process. We know that 
you want to do something productive, here is how you do it safely.

©2006 CNET Networks, Inc

More information about the ISN mailing list