Cisco Still Mum On Reported Code Theft - InformationWeek
IoT
IoT
Infrastructure
News
5/20/2004
01:58 PM
50%
50%
RELATED EVENTS
7 Key Cloud Security Trends Shaping 2017 & Beyond
Dec 15, 2016
Cloud computing is enabling business transformation as organizations accelerate time to market and ...Read More>>

Cisco Still Mum On Reported Code Theft

It's still not commenting on a report on a Russian Web site that a sizeable portion of the code for its Internetwork Operating System has been stolen and is circulating on the Internet.

Cisco Systems is still remaining quiet five days after the news broke on a Russian security firm's Web site purporting that a sizable portion of the company's Internetwork Operating System has been stolen and is circulating on the Internet.

IOS is the software that runs much of Cisco's networking gear, which many of the world's businesses and governments use to run their critical IT networks.

Research firm Gartner issued a brief analysis of the purported source-code theft late Wednesday and warned Cisco customers that the theft creates "a potentially serious security problem." However, Gartner security analyst John Pescatore says he believes it's unlikely that a worm or a sizable uptick in hacker attacks is likely to result from the availability of the IOS source code.

Pescatore says the Cisco theft closely resembles the situation Microsoft found itself in February, when portions of its Windows operating-system source code leaked onto the Internet. "We're not finding new vulnerabilities from Microsoft's source code having been leaked," he says. "Typically, with a mature software product like IOS, the skills needed to find the big flaws require a pretty experienced security professional."

Stuart McClure, president and chief technology officer at information security firm Foundstone Inc., said Thursday that the level of security risk for companies running Cisco gear largely depends on how much, and what type of, IOS source code was actually pilfered. "If it's complete modules or large chunks of code, the risk is substantially higher," McClure said.

However, if an exploit--a tool hackers can use to more easily attack software vulnerabilities--or a worm were to surface, McClure predicted a rough ride for security professionals and network administrators. An attacker "could craft more vicious worms or complicated attacks as a result of having the source code," he said. "Source-code attack vectors can be more difficult to fix and patch."

Pescatore warns of a potentially more troublesome attack, depending on how much of Cisco's source code is available to hackers. He says attackers potentially could modify Cisco's licensing and registration mechanisms, meaning that businesses could be exposed to illegally modified copies of Cisco's software--which might, for example, contain some type of backdoor or Trojan-horse application that attackers could use to gain entry into systems. "Something like that is a bigger concern than a worm," Pescatore says.

Companies may not know how much risk their IT systems actually face until more details surrounding the theft surface.

As of Thursday morning, Cisco wouldn't say anything more than it had said when the claims became public earlier this week: It's "aware that a potential compromise of its proprietary information occurred," and the company is fully investigating what may have happened.

The FBI acknowledged Tuesday that it's looking into the case. A spokesman in the FBI press office told InformationWeek, "We are assisting Cisco in the investigation of a possible theft of proprietary data."

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
Top IT Trends to Watch in Financial Services
IT pros at banks, investment houses, insurance companies, and other financial services organizations are focused on a range of issues, from peer-to-peer lending to cybersecurity to performance, agility, and compliance. It all matters.
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on InformationWeek.com for the week of November 6, 2016. We'll be talking with the InformationWeek.com editors and correspondents who brought you the top stories of the week to get the "story behind the story."
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll