By Ellen Messmer
For a year John Stewart has been CSO at Cisco. He's in charge of a
team of 60 information security professionals who play a role in IT
architecture, policy, audit and incident response to protect an
internal user base of about 48,000 employees worldwide. Stewart
recently discussed Cisco's risk-management strategy with Network World
Senior Editor Ellen Messmer.
What are some of Cisco's security concerns?
Over the past 18 months, we started seeing attacks against our network
timed against the end of our quarters, and we realized someone was
trying to knock the electronic-commerce service offline at the Web
portal through denial-of-service attacks. It really opened our eyes.
How do you cope with these attacks?
We use Cisco Riverhead, now called Cisco Guard since Cisco acquired
Riverhead, to block the attacks. Upstream, we have relations with
service providers - all the big ones, AT&T, MCI, Sprint - about
bandwidth consumption. We work with them in the case of a
denial-of-service attack, and it's effective in filtering it. Security
is about managing it when it happens.
How does your team interact with the rest of Cisco?
When there's an internal IT project, say overhauling the human
resources system or replacing an entire database infrastructure or
putting up connectivity between our company and another for
communications, there's an engagement process between the business
owners and IT team, plus, often, counsel as an advisor. In security,
we look to issue a report that the implementation was within the
appropriate risk tolerance.
What non-Cisco security products or services do you use and like?
We use McAfee, Symantec and Trend Micro antivirus. You want to test
technologies working with yours. We provide identity and password
management, and an audit trail of access. One product there is CA's
Netegrity, where we have a complex set of rules with our manufacturing
partners. We use the Qualys platform for vulnerability scanning, and
also Arbor's Peakflow for viewing statistical abnormalities in and out
of the network.
The job of the CSO always seems to involve writing security policies.
Do you work with the legal department to do that?
Yes, Cisco has internal and external subject-matter experts with
knowledge of different areas of the world, such as the European Union
or Asia. When we write a policy, we want a light touch because we want
these policies accepted every year. There's no Web monitoring. We have
the expectation our employees are doing the right things.
About two years ago, Cisco had its IOS code stolen after a hacker
attack. How did that investigation go?
I can't speculate on the disposition of that case, but it's still open
and we're working with law enforcement on it.
So what do you think about extrusion detection, monitoring for
outbound transmission of sensitive content?
It's interesting and we're experimenting with it. There's one thing
we've developed ourselves in our data centers for use by those writing
code. Everyone only gets to see an image of what they are involved in
for source code development, the idea being somewhat like the old
technology, X Windows. Can you still screen-scrape or take a picture?
Yes. Can you memorize it? Yes. But it won't allow file transfer. We
developed this data detection based on ClearCase View Servers and
virtual network computing connections for the desktop.
Cisco can determine its own internal technology for security purposes,
but how do you go about interacting with business partners over the
Internet or online?
Whether it's outsourcing development or manufacturing, we
contractually state the obligations for both sides. We specify a list
of conditions, such as network connections between the companies. We
list a set of specifications with host and server. It would be unfair
of us to dictate technology. But the agreement allows for a security
audit on behalf of Cisco. Most of the time, the outsourcing company is
auditing itself. And we spot-audit.
In many countries around the world, with business partners, we give
them the engineering data they need to get the job done. And we
provide them identity and password management, attempting to keep an
audit trail of access.
All contents copyright 1995-2006 Network World, Inc.