[Air-L] Cisco 2008 Annual Security Report

Richard Forno rforno at infowarrior.org
Fri Jan 16 10:35:36 PST 2009

Although I've just skimmed it -- it certainly looks like a decent  
precis of the major items of Internet security interest, well- 
presented and readable.  I'll try to get 'round to reading it through  
over the holiday weekend.

But skipping to the Key Recommendations, I have to sit up and go  
"well, duh."  There is NOTHING new in those recommendations -- indeed,  
we in the Internet security world have been saying this same stuff for  
at least 10 to 20 years. (which leads me to a whole 'nother rant about  
what passes as "acceptable" Internet security if we're still saying  
the same stuff and thinking the same way, but that's for another post  
sometime.)  To that end, noticebly absent are the items that would  
require fundamentally changing how we design, view, and build 'secure'  
or 'resilient' networks.....the cynic in me believes that folks don't  
want to really have truly secure systmes/networks/services, just ones  
that are 'good enough'.    IMHO the Internet security status quo,  
flawed as it is, creates economic opportunity for consultants,  
products, and services to deploy upon both the flawed network  
foundations and administered by similarly-flawed principles,  
practices, and failure tolerances, thus creating the self-licking  
icecream cone.   Effective Internet security requires a technological  
and cultural paradigm shift at the most fundamental level -- but there  
are too many forces/considerations working against us for it to become  
a reality, to include plain old human complacency.

To wit: here in DC I have been involved in several senior-level  
working groups on Internet security over the years. Almost all the  
recommendations, threats, vulnerabilities, and risks described in  
those reports/panels/papers/events/speeches on cybersecurity are the  
same from year to year, commission to commission, and report to  
report.   So clearly the status quo is acceptable   I wonder if the  
2009 and 2010 Annual Reports from Cisco, Microsoft, Symantec, VENDOR$,  
or AGENCY$ will say anything significantly different -- my guess is no.

On a side note, as someone working in the Internet security industry,  
I always take such "register to download our report" type of documents  
from vendors (like this one) with a grain of salt -- since it's  
clearly done to collect marketing information.  :)

That said, it looks to be an interesting read, and perhaps I'll be  
pleasantly surprised!


On Jan 16, 2009, at 06:44 , Alaa Al-Din Al-Radhi wrote:

> Dear Colleagues
> A very good resource to read
> http://cisco.com/en/US/prod/vpndevc/annual_security_report.html
> Alaa
> __________________________________________________________________
> Ask a question on any topic and get answers from real people. Go to  
> Yahoo! Answers and share what you know at http://ca.answers.yahoo.com
> _______________________________________________
> The Air-L at listserv.aoir.org mailing list
> is provided by the Association of Internet Researchers http://aoir.org
> Subscribe, change options or unsubscribe at: http://listserv.aoir.org/listinfo.cgi/air-l-aoir.org
> Join the Association of Internet Researchers:
> http://www.aoir.org/

More information about the Air-L mailing list