Cisco exec on security, Black Hat brouhaha

13.10.2005
By Matt Hamblen

Jeff Platon, vice president of product marketing for security and application networking technology at Cisco Systems Inc., talked this week with Computerworld about security technology at the networking company. Among the topics Platon touched on was the fallout from Cisco's handling of the Michael Lynn presentation at the Black Hat conference in July and voice-over-IP (VoIP) security.

Has Cisco's reputation been helped or hurt by the experience at Black Hat in the summer? We remain vigilant in trying to protect our intellectual property and fulfilling our obligations around full and prompt disclosure of vulnerabilities and solutions that customers need to resolve any potential risks they have with that vulnerability. So a great example was this issue with Michael Lynn. This was a previously disclosed vulnerability with patches already out.

We take a very different approach. Our large customers actually deploy the patch; we go back and help them and check them and ensure they are fully mitigated. It's because of the obligation, especially in the carrier space, where these [vulnerabilities] become real issues. So we take a real proactive approach.

What was inappropriate with that issue was the perspective of that individual that would actually go beyond his responsibility. It would be akin to [saying], "Here's an atomic bomb diagram, and I'm going to show you some shortcuts on how to build one in your kitchen." That was really what he did, [as if to say], "Let me show you how to exploit this vulnerability." It was all well documented. Patches were long ago sent out to customers with advisories. And it was inappropriate and bordering on the criminal, which is why law enforcement got involved. Those are criminal acts, to exploit vulnerabilities with the intent to harm. So I would summarize by saying we remain vigilant in fulfilling our obligations to customers to ensure they have the highest reliability of network-connected systems possible.

But do you feel Cisco's image was enhanced or not as a result of your handling of Lynn? I think we were consistent in terms of the proactive nature of early disclosure and going out to customers and helping them with methods to mitigate the liability.

Still, there were descriptions in major newspapers of Cisco directing people to rip out pages from Lynn's Black Hat presentation and other things. Have you heard any backlash from customers? We've had no negative comments from customers. I believe customers continue to trust us to do the right thing. What happened, it is what it is. Were there other ways it could have been handled? Certainly. But it is what it is, and we were trying to fulfill our obligations.

What about next year at Black Hat or elsewhere if something like this happened again? Have you put anything in place to change how you'd react? Yes, we have a better process in place than we had before.

Different lawyers? We have the same people involved. It wasn't so much about our lawyers. It was the [public] perception. We have a better methodology to handle that. ... The methods may change slightly.

Earlier, you mentioned large customers had made the fix before Black Hat. So, when a large customer such as a service provider with critical networks is given a patch from Cisco, is it contractually required to install the patch? No, I think it's a trusted advisor status where they trust us to recommend a good, proper configuration. And when we make a strong recommendation, it's really not like you have a choice. You do really need to make this change.

How secure is VoIP? If I looked back five years when we started our journey into voice over IP, we didn't necessarily take as complete a viewpoint with VoIP security as we did over the last three years. Of course, if any application on a network needs to be secure, it's voice. It's a critical one. We had to come back and do some retrofit. We had to take some of the Okena technology [purchased in 2003] and embed it into our call controller. We had to embed some encryption immediately down to the handset to prevent what's known as Spit, a horrible name for "spam over Internet telephony."

We spent a lot of time figuring out a systemwide approach for VoIP security. We went out to a third party last year and asked them to try to break it, and after three days, they said, "Gosh, this is the only system where we couldn't discover any VoIP vulnerability." It was based on a holistic approach with a secure infrastructure and a secure voice application. We've gotten some awards for most-secure VoIP business application.