It's still not commenting on a report on a Russian Web site that a sizeable portion of the code for its Internetwork Operating System has been stolen and is circulating on the Internet.
Cisco Systems is still remaining quiet five days after the news broke on a Russian security firm's Web site purporting that a sizable portion of the company's Internetwork Operating System has been stolen and is circulating on the Internet.
IOS is the software that runs much of Cisco's networking gear, which many of the world's businesses and governments use to run their critical IT networks.
Research firm Gartner issued a brief analysis of the purported source-code theft late Wednesday and warned Cisco customers that the theft creates "a potentially serious security problem." However, Gartner security analyst John Pescatore says he believes it's unlikely that a worm or a sizable uptick in hacker attacks is likely to result from the availability of the IOS source code.
Pescatore says the Cisco theft closely resembles the situation Microsoft found itself in February, when portions of its Windows operating-system source code leaked onto the Internet. "We're not finding new vulnerabilities from Microsoft's source code having been leaked," he says. "Typically, with a mature software product like IOS, the skills needed to find the big flaws require a pretty experienced security professional."
Stuart McClure, president and chief technology officer at information security firm Foundstone Inc., said Thursday that the level of security risk for companies running Cisco gear largely depends on how much, and what type of, IOS source code was actually pilfered. "If it's complete modules or large chunks of code, the risk is substantially higher," McClure said.
However, if an exploit--a tool hackers can use to more easily attack software vulnerabilities--or a worm were to surface, McClure predicted a rough ride for security professionals and network administrators. An attacker "could craft more vicious worms or complicated attacks as a result of having the source code," he said. "Source-code attack vectors can be more difficult to fix and patch."
Pescatore warns of a potentially more troublesome attack, depending on how much of Cisco's source code is available to hackers. He says attackers potentially could modify Cisco's licensing and registration mechanisms, meaning that businesses could be exposed to illegally modified copies of Cisco's software--which might, for example, contain some type of backdoor or Trojan-horse application that attackers could use to gain entry into systems. "Something like that is a bigger concern than a worm," Pescatore says.
Companies may not know how much risk their IT systems actually face until more details surrounding the theft surface.
As of Thursday morning, Cisco wouldn't say anything more than it had said when the claims became public earlier this week: It's "aware that a potential compromise of its proprietary information occurred," and the company is fully investigating what may have happened.
The FBI acknowledged Tuesday that it's looking into the case. A spokesman in the FBI press office told InformationWeek, "We are assisting Cisco in the investigation of a possible theft of proprietary data."
2014 Next-Gen WAN SurveyWhile 68% say demand for WAN bandwidth will increase, just 15% are in the process of bringing new services or more capacity online now. For 26%, cost is the problem. Enter vendors from Aryaka to Cisco to Pertino, all looking to use cloud to transform how IT delivers wide-area connectivity.
The UC Infrastructure TrapWorries about subpar networks tanking unified communications programs could be valid: Thirty-one percent of respondents have rolled capabilities out to less than 10% of users vs. 21% delivering UC to 76% or more. Is low uptake a result of strained infrastructures delivering poor performance?
Join us for a roundup of the top stories on InformationWeek.com for the week of December 14, 2014. Be here for the show and for the incredible Friday Afternoon Conversation that runs beside the program.