Security industry has created its own problems: Cisco CSO

We only have ourselves to blame for complexity, reliance on patching, says Cisco's US chief security officer, John Stewart

Speaking at the Australian Information Security Association (AISA) 2011 conference in Sydney, Cisco's US chief security officer, John Stewart, said the industry was guilty of repetition, building complex systems and relying too much on old practices such as patching.

“Patching and anti-virus [programs] are the number one way that the majority of the population across the world protects themselves and that’s a dilemma,” he said.

This was because there were a number of fake anti-virus products on the market, which could lead to consumer backlash if they were compromised.

Another problem, according to Stewart, was that the industry had created its own mess.

“When we built information systems over the past 20 years we made decisions that meant the company absorbed the risk,” he said.

This became clear to Stewart when the Cisco security team mapped its US network and router configurations. The diagram, which he showed to delegates, was called ‘the bug splat’ because that is what it looked like, according to Stewart.

“It was not what I would call a very well organised system. This problem was created because when you’re building networks, engineers suck at documenting,” he said. “They’re frequently not going to care about it so you won’t have a full picture [of the network].”

His final lesson was that over the last 20 years the industry had created what he termed ‘asymmetrical problems’, where a USB thumb drive could be used to take out the computer security and infrastructure of billion-dollar networks. A USB key was rumoured to be the attack vector used to spread the Stuxnet worm inside an Iranian nuclear facility two years ago.

“When something that costs US$2.65 can take over entire networks we have a real problem,” he said.

Stewart also conceded that the industry was fighting an unfair fight where the hackers were winning.

“The penalties for hacking need overhauling because the consequences for hacking in a malicious way are trivial in comparison to what they need to be,” he said. “So, it’s no big surprise that they [hackers] are going to continue doing it.”

Average computer users were also a hindrance as Stewart said most did not know much about security and would not care – unless they got hurt.

“We’re still going to try through awareness programs and they [users] will care for about a couple of minutes before going back to what they were doing before,” he said.

However, Stewart, who also spoke about bring your own device (BYOD) security at a Cisco BYOD panel in Sydney, said the majority of office staff try to safeguard their devices but are not equipped with the knowledge to secure them effectively.

To combat these problems, he had some recommendations for the industry.

The first was to “get mad” with the hackers by getting in touch with the “offensive lines” such as AusCERT, the Australian Federal Police (AFP), the Australian Department of Defence and overseas agencies like Interpol.

His second piece of advice was patching the service, rather than all computers in the system.

“Make sure what you are rendering in your data centre is safe, not every single piece of it, because you need to focus on the basics and do better.”

Got a security tip-off? Contact Hamish Barwick at hamish_barwick at

Follow Hamish Barwick on Twitter: @HamishBarwick

Follow Computerworld Australia on Twitter: @ComputerworldAU
