For a year John Stewart has been CSO at Cisco. He's in charge of a team of 60 information security professionals who play a role in IT architecture, policy, audit and incident response to protect an internal user base of about 48,000 employees worldwide.
Stewart recently discussed Cisco's risk-management strategy with Network World senior editor Ellen Messmer.
What are some of Cisco's security concerns?
Over the past 18 months, we started seeing attacks against our network timed against the end of our quarters, and we realised someone was trying to knock the electronic-commerce service off-line at the Web portal through denial-of-service attacks. It really opened our eyes.
How do you cope with these attacks?
We use Cisco Riverhead, now called Cisco Guard since Cisco acquired Riverhead, to block the attacks. Upstream, we have relations with service providers - all the big ones, AT&T, MCI, Sprint - about bandwidth consumption. We work with them in the case of a denial-of-service attack, and it's effective in filtering it. Security is about managing it when it happens.
How does your team interact with the rest of Cisco?
When there's an internal IT project, say overhauling the human resources system or replacing an entire database infrastructure or putting up connectivity between our company and another for communications, there's an engagement process between the business owners and IT team, plus, often, counsel as an advisor. In security, we look to issue a report that the implementation was within the appropriate risk tolerance.
What non-Cisco security products or services do you use and like?
We use McAfee, Symantec and Trend Micro antivirus. You want to test technologies working with yours. We provide identity and password management, and an audit trail of access. One product there is CA's Netegrity, where we have a complex set of rules with our manufacturing partners. We use the Qualys platform for vulnerability scanning, and also Arbor's Peakflow for viewing statistical abnormalities in and out of the network.
The job of the CSO always seems to involve writing security policies. Do you work with the legal department to do that?
Yes, Cisco has internal and external subject-matter experts with knowledge of different areas of the world, such as the European Union or Asia. When we write a policy, we want a light touch because we want these policies accepted every year. There's no Web monitoring. We have the expectation our employees are doing the right things.
About two years ago, Cisco had its IOS code stolen after a hacker attack. How did that investigation go?
I can't speculate on the disposition of that case, but it's still open and we're working with law enforcement on it.
So what do you think about extrusion detection, monitoring for outbound transmission of sensitive content?
It's interesting and we're experimenting with it.
There's one thing we've developed ourselves in our data centres for use by those writing code. Everyone only gets to see an image of what they are involved in for source code development, the idea being somewhat like the old technology, X Windows. Can you still screen-scrape or take a picture? Yes. Can you memorise it? Yes. But it won't allow file transfer. We developed this data detection based on ClearCase View Servers and virtual network computing connections for the desktop.
Cisco can determine its own internal technology for security purposes, but how do you go about interacting with business partners over the Internet or online?
Whether it's outsourcing development or manufacturing, we contractually state the obligations for both sides.
We specify a list of conditions, such as network connections between the companies. We list a set of specifications with host and server. It would be unfair of us to dictate technology. But the agreement allows for a security audit on behalf of Cisco. Most of the time, the outsourcing company is auditing itself. And we spot-audit.
In many countries around the world, with business partners, we give them the engineering data they need to get the job done. And we provide them identity and password management, attempting to keep an audit trail of access.