Defense Media Network

Cybersecurity Strategy Keeps Networks Viable

Halting botnet activity rides on detection technique advances

Rapid technological progress, collaborative processes, and tools in today’s global networking environment make trust, visibility, and resilience vital imperatives. Each wave of computing advances places emphasis on cybersecurity to exploit information technology’s full potential.

Keeping pace with this runaway digital locomotive requires solid protection for efficient access, movement, and data integrity. Changing the way populations work, live, learn, and play, the ubiquitous Web is the most valuable strategic asset in a dynamic era of communications and information technology (IT).

Today’s network places more than 2.5 billion global users, one-third of the world’s population, online. Indeed, more than 240 million Americans, or 77 percent of the U.S. population, routinely employ the Internet. One company’s unique approach in harnessing cybersecurity uses the network’s own tools to help provide protection, according to Brad Boston, Cisco’s senior vice president, Global Government Solutions and Corporate Security Programs. “We harness the network to protect the devices such as routers, servers, and handhelds that connect to it – whatever can be attached.”

Prevalent across governments, militaries, and industries, Cisco is one major corporation that clearly understands proliferation risks and the paramount necessity of trusted networks. This IT company operates with nearly 70,000 employees in 92 countries, and generates approximately $40 billion in annual revenues.

Cisco Network Emergency Response Vehicle

Cisco’s Senior Vice President Brad Boston observes the flow of information inside the company’s Network Emergency Response Vehicle (NERV). Fully operational within 15 minutes during crises, the self-contained vehicle uses on-board power and communicates during emergencies via an Internet Protocol network. Photo courtesy of Clarence A. Robinson Jr.

“Cisco Systems constantly monitors and manages Internet activity. We have outstanding relationships with others in the IT industry, the Department of Homeland Security, and other agencies that respond to cyber incidents,” Boston said. “We collaborate and share what we learn about cyber threats and how to thwart them. One of the basics is that every organization owns critical infrastructure elements, not just government agencies. Critical infrastructure in the United States mostly involves the private sector. The key to network protection is for each organization to understand the threats, take them seriously, and focus on appropriate levels of security and defense.

“Too many organizations focus on viruses and firewalls, which is a simplistic approach. While these are absolutely necessary, today’s threats transcend conventional protection by an order of magnitude, mandating an understanding of the nature of the threats. Most organizations, especially in industry, are woefully under invested to defend against these threats,” Boston said. “A public-private partnership is necessary to deal with today’s threats. A big challenge involves legislation and title authorities established years ago that do not dovetail with the dynamic nature of evolving threats. Rushing legislation through, however, without understanding the outcome of proposed rules can lead to unintended consequences.”

“Some legislation proposals call for U.S. government agencies and companies owning and operating elements of critical infrastructure to use only certified security devices. However, today’s certification processes often take longer than the life cycle of the products involved. You may end up with certified devices that are a generation or two old while threats will have changed, providing a Maginot Line of cyber defense,” Boston said. “There must be a frank dialogue between federal agencies, lawmakers, and industry on proper cyber defense legislative steps.”

Boston’s responsibilities encompass advising government customers on business practices and technology solutions to achieve and enhance their mission goals. Dedicated Cisco teams address challenges faced by global defense, space, and security agencies. With a computer science degree from the University of Illinois, his charter also encompasses Cisco’s corporate security office. Boston focuses on ensuring the integrity, confidentiality, and availability of critical information and computing assets.

Cisco tends to dominate the Internet Protocol (IP) market with networking equipment such as switches and routers to direct data, voice, and video. Remote access servers, IP telephony, Internet conferencing, and optical components are some of this company’s product portfolio.

Cisco operates a security business unit; however, protecting networks and attached devices far transcends any one corporate element, Boston said. The company’s core infrastructure footprint across the federal government exceeds traditional security products. These technologies facilitate cyber defense capabilities, he added. “Realistically, all of our technologies should contribute to meeting cybersecurity challenges. Leveraging intrinsic features inside our core infrastructure does not always involve things we sell per se, such as security products, but rather myriad capabilities that make an agency or entity safer.”

Boston pointed out Cisco’s global ad hoc networking capability also functions with multiple security tools. “Together with the folks from the [General Dynamics] Warfighter Information Network Tactical [WIN-T], Cisco Systems is providing radio routing, which allows us to form a mesh network in areas where no infrastructure exists. Radio routers discover each other and form the network. The topology of this network changes as the radios move in relation to one another,” he said.

WIN-T is the Army’s high-speed, high-capacity backbone communications network, linking warfighters on the battlefield with the Global Information Grid. This network introduces mobile, self-configuring, self-healing functions using satellite on-the-move capabilities. Robust network management high-bandwidth radio systems keep mobile forces connected, communicating, and synchronized. “A radio awareness routing interface provides constant information concerning link quality. This feature enables intelligent decisions about how traffic should be routed over which links, based on quality of underlying radio transmissions,” Boston said.


West Point cadets tested their cyber defense skills against veteran hackers from the National Security Agency and emerged victorious. The three-day 2011 Cyber Defense Exercise concluded April 22, 2011, giving the U.S. Military Academy its sixth win. U.S. Army photo by Mike Strasser, West Point Public Affairs

“We are taking a similar approach with our IP Routing in Space [IRIS] initiative, porting radio-aware routing to a hardware platform built for space. Now we have the capability to route communications across multiple satellite transponders and simultaneously have the transmitting modem provide information on underlying radio link quality,” Boston said. “WIN-T combined with IRIS creates for the first time a ‘space to mud’ architecture based on an IP network. So, an aircraft flying into a theater of operations, as an example, can join the network and become an integral partner with ground forces. Those units may not have line-of-sight communications with one another and the aircraft completes that link.”

Cisco is well positioned to support the ever-increasing mobile networking demands of the tactical warfighter through a wide variety of products and solution sets, Boston said. “We understand the need for tailorable networks that can be quickly configured to support weight and size requirements as the mission dictates. The primary support is in secure switching and routing areas; however, wireless content delivery, and especially converged data, voice, and video, can be major network enablers in the WIN-T program.”

Cybersecurity strategy over the past six months also enabled Cisco to better align various certification and accreditation activities with the federal government through the National Institute of Standards and Technology (NIST). This agency works with industry to develop and apply technology, measurements, and standards. The company has actually mapped its solutions portfolio directly to NIST guidelines using the same language that government customers use for cybersecurity and IT operations. Mapping NIST controls to Cisco security solutions assures Federal Information Security Management Act (FISMA) compliance, Boston explained.

“The primary incentive for FISMA compliance is to identify the people, systems, and processes an agency needs to achieve business objectives. Customers talk about boundary defense, so we created boundary defense solutions. Organizations talk about identity and access to maintain a secure state, so we have an identity and access solution. All of these solutions adhere to FISMA implementation. Some 15 solution sets are available and beneath each rides trust, visibility, and resilience. Cisco views cybersecurity as holistic and goes beyond the scope of any one internal business unit to resolve problems. Instead, solutions involve a collective set of people, processes, and technologies,” Boston said.

“As part of cybersecurity initiatives, everyone must use basic hygiene in keeping the network clean through practices that promote and preserve the entire data infrastructure,” said Boston. This approach helps reduce problems whenever they occur, making it easier to quickly spot and overcome difficulties. Hygiene overcomes negative interactions between subsystems, which can snowball. Keeping the network clean forestalls minor problems from becoming major ones, he added.

Cyber criminals seek to attach botnets to personal computers or steal information as it traverses the network. A botnet is a network of compromised machines that can be remotely controlled by an attacker. Up to thousands of machines linked together can pose serious threats. A collection of infected computers, or bots, is taken over by bot herders to perform malicious tasks or functions. “Cyber criminals may also plant false information in the network. When we focus on protecting the network, we actually have to protect all the devices that attach,” said Boston, who previously served as Cisco’s chief information officer.

There are a number of tools in the network that can look for traffic that could compromise endpoints or steal information, Boston said. Cisco has built capabilities such as Deep Packet Inspection (DPI) into its firewalls, as an example. As a packet passes an inspection point, DPI searches it for protocol non-compliance, viruses, spam, or intrusions, and pre-defined criteria determine what action to take with the packet. DPI enables advanced network management, user services, and security functions; intrusion detection and prevention are functions within DPI that combine with traditional state-of-the-art firewalls.

“Another technique involves profiling traffic and understanding what is normal within the network by using tools that inform when something out of the norm occurs. This technology allows reactive defenses, determining whether the traffic is legitimate or bogus and thus immediately discarded,” Boston said. “There are a number of defenses that can be used on the network, such as anti-virus tools and others, that must be installed at the endpoints of the network. One of the things we often find is that our customers, including companies, enterprises, and government organizations, have far more defensive capabilities at their disposal than they realize or routinely use,” he added.

“Arguably, too much attention focuses on firewalls and anti-virus techniques. However, a lot of organizations, we discovered, don’t even do a very good job at these basics. Additional tools have often been acquired or are part of the network infrastructure, a suite of tools that come with computer software,” Boston said. “We help customers better understand how to use these tools correctly to improve their defenses – to monitor traffic traversing the network and to spot anomalies. Many organizations look at what is coming into their network from the Internet, looking for bad traffic.

“Cisco, nonetheless, learned several years ago that you also must scrutinize traffic leaving your network. This can be a very good indication that something within the network has been compromised and is launching attacks outbound,” Boston said. “Profiling traffic inside the network is equally important,” he continued, “because something within may have become infected and could be attacking the network internally. Many companies fail to observe outbound and internal network traffic security, relying instead on incoming data. This approach can be self-defeating.”

Malware, which can be delivered into a network through a variety of methods, involves programs with code, scripts, active content, and other software designed to disrupt or deny operations. Malware gathers information leading to loss of privacy or exploitation, gaining unauthorized access to system resources, and other abusive behavior. Personal computers (PCs) can be compromised via a connection over the Web by downloading an infected file via a corrupted email, through a Universal Serial Bus (USB) plug-in, a connection to a smart phone, or a bad compact disk. “There hasn’t been much focus in the industry over how the malware payloads reach their targeted systems, how they insert themselves, and steps to close these avenues of approach. Industry needs to take greater action in this area,” Boston said.

Microsoft® has taken a more aggressive approach to improving security of its newer Windows® products, making it more difficult for scammers to effectively infiltrate, Boston said. Cyber criminals have therefore moved on to other operating systems, applications, software services, and devices such as smart phones, iPads®, and iPods®, which are all experiencing increases in exploitation. Worldwide adoption of mobile devices opens new avenues for scammers’ exploitation.

Supporting and maintaining its products, Cisco focuses on various methods cyber criminals could use to install malware on the network. Inserting malware from a remote site has become relatively easy for criminals because the computing industry built software to allow less time-consuming and more cost-effective remote maintenance and support to download fixes, Boston said.

Tools that are part of Cisco’s basic router and switch technologies enable network traffic monitoring. The company’s NetFlow is an example of a software feature that provides a key set of services for IP applications, including network traffic accounting, planning, security, and denial of service monitoring. NetFlow provides valuable information about network users and applications, peak usage times, and traffic routing, Boston said. “This is a very powerful tool that helps to identify what is transpiring in the network. Taking the initiative, Cisco also cobbled together other tools provided by specialty companies to provide an important suite of tools for managing the constant overview of network traffic.”
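One way to turn the traffic profiling Boston describes (learning what is normal inside the network and scrutinizing what leaves it) into a concrete check, as an added example that is not Cisco's code and not NetFlow itself: it reads constructed NetFlow-style flow records, builds a per-host baseline of outbound destination fan-out per interval, and flags a host whose current interval departs sharply from its own history. The internal address range, the interval size, and the thresholds are assumptions.

```python
# Added example: baseline-and-deviation check over NetFlow-style records.
# Not Cisco's code; the record format, internal range and thresholds are assumed.
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

INTERNAL = ip_network("10.0.0.0/8")   # assumption: the enterprise's internal range
INTERVAL = 300                         # profile outbound behaviour in 5-minute buckets

def parse_flow(line):
    """Parse one constructed flow record: epoch,src,dst,dst_port,bytes."""
    ts, src, dst, port, nbytes = line.strip().split(",")
    return int(ts), ip_address(src), ip_address(dst), int(port), int(nbytes)

def outbound_profile(lines):
    """Per internal host, per interval: (distinct external dsts, distinct dst ports, bytes)."""
    buckets = defaultdict(lambda: defaultdict(lambda: [set(), set(), 0]))
    for line in lines:
        ts, src, dst, port, nbytes = parse_flow(line)
        if src in INTERNAL and dst not in INTERNAL:      # outbound flows only
            b = buckets[str(src)][ts // INTERVAL]
            b[0].add(str(dst)); b[1].add(port); b[2] += nbytes
    return {h: {i: (len(d), len(p), n) for i, (d, p, n) in v.items()}
            for h, v in buckets.items()}

def baseline(profile):
    """Mean and std-dev of the distinct-destination count per interval, per host."""
    return {h: (mean(v[0] for v in ivs.values()), pstdev(v[0] for v in ivs.values()))
            for h, ivs in profile.items()}

def flag_anomalies(base, current, z=3.0, min_dsts=10):
    """Hosts whose current fan-out exceeds baseline by z std-devs (at least min_dsts)."""
    hits = []
    for host, ivs in current.items():
        mu, sd = base.get(host, (0.0, 0.0))          # unknown host: no history to lean on
        for interval, (dsts, ports, nbytes) in ivs.items():
            if dsts >= min_dsts and dsts > mu + z * max(sd, 1.0):
                hits.append((host, interval, dsts, ports, nbytes))
    return hits

# Constructed history: two hosts talking to a few TEST-NET addresses over three intervals.
BASE = [f"{1000 + 300 * i},10.0.1.5,203.0.113.{10 + j},443,{4000 + 100 * j}"
        for i in range(3) for j in range(3)]
BASE += [f"{1000 + 300 * i},10.0.1.9,198.51.100.{20 + j},443,3000"
         for i in range(3) for j in range(2)]
# Constructed current interval: 10.0.1.5 is unchanged; 10.0.1.9 suddenly reaches
# 40 external hosts on port 25 in one interval, the shape of an infected box sending outbound.
CURRENT = [f"2000,10.0.1.5,203.0.113.{10 + j},443,4200" for j in range(3)]
CURRENT += [f"{2000 + k},10.0.1.9,198.51.100.{k},25,600" for k in range(40)]

def run_demo():
    """Build the baseline from BASE, then score CURRENT against it."""
    return flag_anomalies(baseline(outbound_profile(BASE)), outbound_profile(CURRENT))

if __name__ == "__main__":
    for host, interval, dsts, ports, nbytes in run_demo():
        print(f"{host}: interval {interval} reached {dsts} external hosts "
              f"on {ports} port(s), {nbytes} bytes outbound")
```

On the constructed data only 10.0.1.9 is reported; a real deployment would feed exported flow records in place of the embedded lists and tune the interval and thresholds to the network's own traffic.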

Several years ago, Cisco acquired a company with an endpoint intrusion prevention system. This rule-based software examines system activity and network traffic, determining which behaviors are normal and which may indicate an attack. “Called the Cisco Security Agent [CSA], this host-based software technology changed our lives,” Boston said. “This product was quickly deployed to 35,000 workstations within about a week and fundamentally changed the way our security people functioned. They no longer reacted to yesterday’s or today’s attacks. They no longer had to aggressively apply patches that came from Microsoft or others to close security holes.

“CSA bought time for the company by immediately stopping activities to insert malware. This product looked for specific types of anomalies on the network that were closely coordinated with how hackers inserted their software. As an example, if a user is on the network and someone tries to install malware, a defensive window pops up asking whether you are trying to install a piece [of] software. If not, the system informs the user to quickly kill their activity before it destroys the machine,” Boston said. “This is a great example of a defense that looks for unusual or abnormal activity seeking to exploit equipment and provides a choice: Do you want this to happen?”

After CSA deployment, the only problems have been when users override the system. This zero-update software protection reduces emergency patching in response to vulnerability announcements, minimizing downtime and expenses. The visibility and control of sensitive data through this system protects against loss from both user actions and targeted malware.

The Department of Homeland Security has title authority to deal with critical infrastructure owned and operated by the private sector, Boston said. Military and government agencies by law are not allowed to assist private industry with cybersecurity. “The U.S. government operates with very capable people who have world-class IT knowledge and skills. In many cases, they have developed and employ capabilities that far exceed private industry. The nation needs to address how to share and harness government capabilities to help protect the rest of the critical infrastructure.”

Advanced persistent threats concern U.S. officials and other governments. These are threats based on technology providers who globalize their business, resourcing and assembling some products in far-flung parts of the world, Boston said. “The advanced persistent threat refers to products in this vast supply chain where adverse functions may have been embedded in some components or they have been modified by an adversary to perform in ways not intended.”

Cisco, working in conjunction with technology partners, is looking at how to deal with known cyber-attack vectors against hardware and software in its products. “We are doing a number of things to assure secure product life cycles in areas such as watermarking software and providing methods to verify its validity. Cisco also harnesses technology designed into its commercial systems to detect counterfeit chips embedded in products,” Boston said.

Another cybersecurity system involves Cisco’s SensorBase, which uses a rating scale to determine whether incoming traffic is from a known hostile host or a legitimate source. Cisco bought IronPort® in 2007, and SenderBase®, a reputation service, was part of that deal. IronPort provides a suite of products with high-performance and technically innovative solutions designed to secure organizations of all sizes. Deployed at the gateway to protect networks, IronPort enables a powerful perimeter defense. SenderBase evolved into SensorBase, which immediately drops connections to bad hosts based on their reputations.

“We have a great set of sensors to avoid anomalous attacks. Cisco knows what normal traffic looks like and how to quickly identify and avoid hostile traffic,” Boston said. “Strong relationships with service providers enable the company to ‘black hat’ hackers, identifying IP addresses that are part of hostile traffic. This feature enables turning off the ability of those IP addresses to communicate with us.”

Company experts study after-action reports from network attacks to learn and create better defenses. Cisco also shares information with the government on hostile actions. Constantly searching for ways to attract talent with the skills to deal with cybersecurity advances and evolving threats, Cisco develops the most innovative defenses possible, Boston said. Strong cybersecurity not only prevents information leaks and network damage, but also supports government cost-saving initiatives – cloud computing, telecommuting, and citizen self-service.


Clarence A. Robinson, Jr., is the author of Battleground High, a book in progress on...