On December 29, 2013, the German news publication Der Spiegel
published an article referencing leaked documents from the U.S. National Security Agency (NSA) that mentioned "software implants" for networking devices. Cisco is one of a number of technology companies mentioned in the article:
On December 30, 2013, the Cisco Product Security Incident Response Team (PSIRT) opened an incident to investigate the alleged creation of implants for some Cisco PIX and Cisco ASA platforms.
Cisco formally requested additional information about these allegations from both the United States Government and the German news publication Der Spiegel. No further details were provided.
The Cisco PSIRT led a comprehensive evaluation of the Cisco ASA platform, working closely with the company’s engineering, support, and supply chain organizations around the world. The Cisco ASA platform was the primary focus, as the Cisco PIX platform has reached End of Support
The investigation (PSIRT-1384943056) reviewed Cisco’s development and supply chain procedures, historical customer support data for ASA and PIX platforms, and operational data from devices installed in various production networks in different parts of the world.
Advice from internal and external industry experts was used to create and implement different test scenarios focusing on the Cisco ASA platform’s BIOS, operating system, and applications. Cisco professionals from around the world conducted tests of every existing model of the Cisco ASA family.
No evidence of any procedural irregularities or tampering of the BIOS, operating system, or applications was revealed. As a result, Cisco PSIRT has now closed this investigation.
Cisco is continuing to develop capabilities to allow customers to perform integrity checking of Cisco ASA platforms. Once complete, these capabilities will be integrated into Cisco ASA software as part of the normal Cisco product release process.
As part of Cisco’s ongoing commitment to customers, all products are subjected to regular penetration testing and security evaluations. Findings through testing, inspection will be communicated in accordance with our security vulnerability policy
. These vulnerabilities may be discovered as part of internal testing, or reported to Cisco by customers and other external parties.
As always, Cisco recommends security and industry best practices including:
- Ongoing patch management to address defects and software vulnerabilities.
- Protection of administrative credentials and physical access for network devices.
- Conduct pervasive network monitoring and analysis of network telemetry.
Additional customer information on security best practices can be found at: http://tools.cisco.com/security/center/intelliPapers.x?i=55
Additional information is also available on Cisco's secure development lifecycle
and industry-leading supply chain operations
Customers who observe any suspicious or malicious activity through network management practices are encouraged to engage their normal support programs and escalate to Cisco PSIRT. Instructions for engaging Cisco PSIRT can be found in our public security vulnerability policy
Cisco Security Procedures
Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt