Cisco's CSO talks IOS exploits, open source

A recent spate of vulnerabilities discovered in Cisco's pervasive Internetwork Operating System (IOS) and the availability of its source code have not detracted from the company's mission to keep end users informed of security issues, according to CSO John Stewart.

In Australia to brief customers and staff, Stewart defended the increased number of recent advisories for Cisco's software, saying "We are not just running the network anymore.

"As the company grew there was a correlation between the number of security advisories and the products we offer," he said, adding that any assumption that more complexity will lead to more problems is unacceptable.

Why so many specific IOS vulnerabilities? Stewart said this is because Cisco is investing so much money finding vulnerabilities before they are exploited.

"Now that customers don't want the network to go down, we are spending more dollars to ensure its integrity is upheld," he said.

"The exploits have been sensationalized and such attacks are possible on any operating system not just ours."

On the black market availability of the IOS source code, Stewart is adamant that IP theft, and not exploits, is the bigger concern.

"When it comes to exploits, people are going to take a box and try to exploit it, not look at the code and find a vulnerability," Stewart said. "Customers want to align with a vendor that can deal with exploits when they are found."

Cisco itself is using open source software from the BSD and Linux ecosystems, which Stewart attributed to customer demand.

"We use OpenSSH because that's what customers want," he said. "Using Linux, Windows, or Solaris will depend on what you are trying to do. Each has its strengths and weaknesses."

Stewart has been in the security industry for 15 years, both inside and out of Cisco. The 36-year-old was with Cisco between 1994 and 1997, and returned in 2002.

"I'm the strongest advocate for the protection of our data and our customer's data," he said. "I also share the cheerleading role of security in the business."

Stewart regards himself as a Cisco "customer" and therefore has the opportunity to interact with other customers, because "that dialogue is missing in security".


Still too few CSOs in Australia

Cisco Australia's general manager of network and information security, Philip Mulley, said there are still only about six CSOs within Australia's top 100 organizations. As a result, Mulley said, most of the responsibility for security falls on the shoulders of the CIO. "The CIO has changed from a purely technical role to include risk management and governance," he said.

The reasons for Australian companies not adopting the CSO title as rapidly as their US counterparts relate to maturity and regulation, not just the size of the organization. "Publicly listed companies here have just as many issues," he said. Mulley said his main responsibility locally is to communicate with customers about security strategy and help organizations look at the issue from a business perspective.