resource center
  See your link here
|
Subscribe to Computerworld Computerworld -
I read the latest Security Manager's Journal, "Peers Say Cisco Ended Up Wearing the Black Hat," written by C.J. Kelly, and I was somewhat surprised by the gist of the comments. But I guess I shouldn't be. It's another case where the details of a situation take a back seat to the hype surrounding it.
The controversy surrounding Michael Lynn making a presentation at the Black Hat event has given most people the impression that the events involve someone who is trying to let the world know about some critical vulnerability that Cisco Systems Inc. was hiding from the world. The details aren't as noble as the reality.
According to published reports, Lynn, during the course of his work at Internet Security Systems Inc., discovered a vulnerability in the Internetworking Operating System from Cisco. The exploitation of the vulnerability would result in control of the router. Cisco created a fix for the problem and released it without describing the details. At the same time, Lynn submitted a presentation about the vulnerability to the Black Hat conference, which was reviewed internally at ISS and disclosed to Cisco. At some point prior to the presentation, after the approvals were given out, ISS and/or Cisco changed its mind and wanted Lynn to edit the presentation. Lynn didn't want to and resigned his position. Despite warnings, Lynn still made his presentation at Black Hat.
Immediately prior to Lynn giving the presentation, he stated that he would be "sued into oblivion." I can only assume that this was in reference to the fact that he was warned that, since he created the presentation during his employment at ISS, the presentation was the property of ISS. That didn't change when he resigned. As a matter of fact, it likely made it worse, since he didn't have any legal right to access the materials after he left.
The fact is that the Lynn incident became an issue primarily involving the protection of intellectual property and consistent application of human resource guidelines. The question of proper disclosure is secondary. Lynn wanted to make the point that Cisco wasn't telling how critical the new vulnerability could be and that similar vulnerabilities could exist in the system. There were other ways he could have done that.
I agree that Cisco and ISS giving approval for the presentation and then withdrawing it is bad. I would also give a person credit for quitting because of a personal belief. However, what Lynn did after that is what created all the problems.
It's ironic
Sustaining SOX Compliance: Best Practices to Mitigate Risk, Automate Compliance, and Reduce Costs
Since the adoption of SOX, much has been learned about IT compliance. Discover how to make SOX efforts more effective in "Sustaining Sox...
Why Compliance Pays
This OnDemand webcast explores the relationship that firms with best compliance records have higher revenue, greater customer retention, lower financial losses from data...
IDC White Paper: CCM for IT Compliance and Risk Management
Learn from industry analysts how IT organizations are using configuration management to meet compliance requirements and instill best practices. Find out how these...
Best Practices for Managing Business Risks from the Use of IT
(Source: Symantec) Based on exhaustive benchmarks conducted by the IT Policy Compliance, this session highlights the relationship between business risks and use of...
Keep it Clean: Maintaining the Integrity of your CMDB through Change Detection
Learn how configuration drift can challenge configuration management database (CMDB) integrity and how a configuration audit tool and an effective change management process...
Managing And Protecting Your Ever Increasing Mobile Assets
(Source: Absolute Software) Your users are becoming more mobile each day. This is great for productivity - yet challenging for IT control. Natalie...
The Tripwire HIPAA Solution: Meeting the Security Standards Set Forth in Section 164
HIPAA requires businesses that handle personal health information (PHI) to set up strong controls to ensure the security and integrity of that information....
Sun OpenSSO Enterprise Webinar
(Source: Sun) This webinar replay discusses Sun OpenSSO Enterprise innovation--the single, open-source solution that helps your business solve the challenges around internal access...
Configuration Assessment: Choosing the Right Solution
Configuration assessment lets businesses proactively secure their IT infrastructure and achieve compliance with important industry standards and regulations. Learn why configuration assessment is...
Agile Enterprise Content Management (ECM) for Rapid ROI
(Source: IBM) Content rich business processes are a core feature of daily operations at just about any organization today. Very often these essential...
Sign up to receive updates on the latest Security resources
CIO
Computerworld
CSO
DEMO
GamePro
Games.net
IDC
IDG
IDG Connect
IDG Knowledge Hub
IDG TechNetwork
IDG Ventures
IDG.net
InfoWorld
ITwhitepapers
ITworld
JavaWorld
LinuxWorld
Macworld
Network World
PC World
The Industry Standard
Copyright © 1994 - 2009 Computerworld Inc. All
rights reserved. Reproduction in whole or in part in any form or medium
without express written permission ofComputerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc. |
