In late March, a group of teenage Italian hackers called the BlackAngels descended on Cisco Systems Inc., publicizing...
security vulnerabilities in the company's network operating system. As it turned out, that was only the beginning.
In the weeks to come, Cisco would respond to or announce six different security flaws -- more than one a week on average -- in products such as its Wireless LAN Security Engine; its authentication protocol, Lightweight Extensible Authentication Protocol (LEAP); its Catalyst 6500 switch; its IPSec VPN 3000 Concentrator and its Internet Operating System (IOS), which runs its switches and routers.
By month's end, the networking giant was facing a devastating list of security woes. With such an alarming string of problems surfacing one after the next, some have said Cisco's security record is starting to resemble that of another dominant technology company. So, when it comes to security, is Cisco the next Microsoft?
The new target
In some ways, the answer is yes, said Aaron Vance, an analyst with the Scottsdale, Ariz.-based Synergy Research Group. Cisco has a lock on the networking market, with market shares that run as high as 75% in some niches. In that sense, Vance said, its presence is as ubiquitous as Microsoft's. Any security flaw is potentially devastating to a vast number of businesses, not to mention the Internet itself.
Because its products are so widely used, Cisco, like Microsoft, has become a target for hackers, said Merike Kaeo, an author and CEO of the Santa Cruz, Calif.-based security consultancy Merike Inc. Until April 2000, Kaeo worked on security at Cisco.
For example, a hacking tool was released this April designed to target the flaw in Cisco's LEAP protocol. According to a post on SecurityFocus.com's Bugtraq discussion board, Joshua Wright, the tool's author, released the tool because he felt that Cisco was endorsing its proprietary LEAP protocol over other, more secure standards, in an attempt to gain further market share.
Jeff Platon, senior director of product marketing with Cisco, declined to address whether the company had become a target for hackers, but did say that because of the increased use of global networks, much more information is at risk today should networks be compromised.
Another reason that hackers like the BlackAngels may be focusing their attacks on Cisco is that Cisco gear, and therefore the code it relies on, such as the IOS, is more accessible than it once was, said Dan Golding, a senior analyst with the Midvale, Utah-based research firm Burton Group.
While Cisco devices usually cost tens of thousands of dollars, if not more, ever since the dot-com bubble burst and companies began to shed their unnecessary networking gear, Cisco products have been available at bargain prices. On the online auction site eBay, for example, one can find Cisco switches that use IOS for as little as $2,000.
"Bad guys can now get their hands on these devices to prove their exploits," Golding said.
The human factor
Perhaps the biggest challenge that any organization faces when it comes to network security is human error. Kaeo said many organizations don't even take the simple step of creating unique and complex passwords.
"Unbelievable as it may be, a lot of passwords are just 'Cisco,'" she said. "That is inexcusable."
Many businesses also have organizational and knowledge gaps between networking groups and security groups, said Golding.
"Enterprises are behind the eight ball on this," said Golding. "Network guys do not know security, and security guys do not know networks."
Emmett Hawkins, chief technology officer at Leapfrog Services Inc., an Atlanta-based network service provider, said that many organizations are vulnerable to network attacks because of a lack of knowledge about security, and a dearth of time to address security issues. While he said that Cisco and other networking companies often release patches for vulnerabilities before they are exploited, businesses don't always implement those releases.
"There is so much to be on top of, especially for smaller organizations, that being able to read every advisory and act on it is difficult," Hawkins said.
The best practices
Despite the challenges, there are simple steps that can be taken to ensure that there is a basic level of network security.
For starters, companies should use Secure Shell (SSH) instead of Telnet to make network configuration changes, Kaeo said. Telnet can be easily intercepted, while SSH provides a higher level of secure communications to ensure that network device passwords and commands are not intercepted.
Golding recommends ensuring that network devices are not using default passwords.
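The two checks recommended above, SSH rather than Telnet for device management and no default passwords, can be run automatically against a saved device configuration. The following is an added example, not code from the article or from Cisco: the sample configuration is constructed, the weak-password list is an assumption, and only cleartext (untyped or type 0) passwords can be compared.

```python
import re

# Constructed IOS-style configuration for illustration (not from a real device).
SAMPLE_CONFIG = """\
hostname edge-sw1
enable password cisco
username admin password 0 Cisco
username ops secret 5 $1$constructed$placeholderhash
line con 0
 password s3rial-Console!
line vty 0 4
 password cisco
 transport input telnet ssh
line vty 5 15
 login local
"""

WEAK_PASSWORDS = {"cisco", "admin", "password"}  # assumed list; extend per policy
PW_RE = re.compile(r"\b(?:password|secret)\s+(?:(\d)\s+)?(\S+)\s*$")

def audit_config(text):
    """Return sorted (line_number, finding) tuples for Telnet use and default passwords."""
    findings = []
    vty = None  # [line_number, has_transport_input] for the vty block being read
    def close_vty():
        if vty and not vty[1]:  # the default then depends on the software release
            findings.append((vty[0], "vty has no 'transport input'; set 'transport input ssh'"))

    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if raw and not raw[0].isspace():      # a top-level command ends any open block
            close_vty()
            vty = [no, False] if line.startswith("line vty") else None
        elif vty and line.startswith("transport input"):
            vty[1] = True
            protocols = line.split()[2:]
            if "telnet" in protocols or "all" in protocols:
                findings.append((no, "vty accepts Telnet; restrict to 'transport input ssh'"))
        m = PW_RE.search(line)
        # Only cleartext (untyped or type 0) values can be compared directly.
        if m and m.group(1) in (None, "0") and m.group(2).lower() in WEAK_PASSWORDS:
            findings.append((no, "default or trivial password in cleartext"))
    close_vty()
    return sorted(findings)

if __name__ == "__main__":
    for no, msg in audit_config(SAMPLE_CONFIG):
        print(f"line {no}: {msg}")
```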
Part of the reason that Cisco has drawn so much attention to itself on security issues recently is because the company has proactively informed its users of problems and fixes, said Cisco's Platon. Businesses should do their best to take advantage of that by setting up procedures to apply software upgrades and patches in a timely way, Golding said.
In addition, Platon said Cisco provides Web-based security seminars, as well as Internet-based content to help educate customers about security.
The most important thing to remember, Platon said, is that the importance of security needs to be communicated throughout an organization, because it's everyone's responsibility.