Cisco customers have a 'hygiene' problem

Cisco's customers are not accustomed to regularly updating the operating system on their network hardware, which has left many of them with a 'hygiene' problem when it comes to security, according to Cisco's chief security officer John Stewart.

According to Stewart, Cisco's customers have not had to deal with the problems traditionally associated with operating systems like Windows, Linux and Mac OS, which regularly require patches to fix newly discovered security issues. This, he said, means that many administrators are still using very old versions of Cisco's Internetwork Operating System (IOS).

"Because we haven't had the traditional problems that multi-purpose operating system vendors have had, we have faced a delay in the adoption cycle of the latest [version] of IOS. Part of it is because you are affecting the infrastructure of the communications layer and part of it is because we haven't had many institutional or design threats," said Stewart.

At the Black Hat conference in the US earlier this year, Cisco tried to stop security researcher Michael Lynn from making a controversial presentation where he outlined how to exploit a flaw to attack IOS and gain control over a router. Lynn emphasised that this was a very serious issue because it was possible to create a worm that would be able to "destroy hardware".

"What is really important is that we get the problem fixed before it is at the level where somebody can write a worm... This could actually destroy the router's ability to turn on again... certain instructions in certain parts of memory in the router tell it how to turn on... It is one of those rare cases where software can destroy hardware," said Lynn at a press conference the day after his Black Hat presentation.

Lynn's presentation was followed by Australia's Computer Emergency Response Team (AusCERT) advising all Cisco customers to protect themselves by upgrading to the latest version of IOS.

Cisco's Stewart admitted that network administrators have not paid as much attention to these calls as he hoped they would.

"What we are now experiencing is a hygiene problem, even Michael [Lynn] spoke about that. He openly stated to make sure you keep operating systems -- and it doesn't matter what type they are -- up to date. That is age-old wisdom but it hasn't necessarily permeated throughout networking," said Stewart.

Shortly after Lynn's presentation, security experts called on Cisco to learn from Microsoft and build a patching infrastructure that would make the process of patching routers and switches much easier.

However, Stewart claims that Cisco's customers want to manage their upgrade process and do not want the system automated.

"We have not gone down the traditional road of automatic patching because in fact it is not what our customers want... they want to be involved in the upgrade process rather than have it automatically happening. With that in mind the major improvements we are making are in the management tools," said Stewart.

But Stewart hopes the high profile disclosure initiated by Lynn will have the beneficial effect of persuading more administrators to upgrade to the latest version of IOS.

"Part of what I hope really came out of that is the level of attention which says 'make sure you are running the code we tell you to', because it does have vulnerabilities and any complex system will," added Stewart.