Cisco Adds Severity Scores to PSIRT Security Advisories

Market Wire, January, 2007

The Cisco® (NASDAQ: CSCO) Product Security Incident Response Team (PSIRT) will include severity scores in every security advisory that it issues in 2007 and beyond, Cisco announced today. The inclusion of these scores, which measure the risk levels posed by a particular vulnerability, or multiple vulnerabilities, is intended to help Cisco customers better prioritize their software change- and patch-management projects.

The PSIRT security advisories now include scores using base and temporal metrics, two of the three groups in the Common Vulnerability Scoring System (CVSS). The base metric group comprises seven fundamental, immutable qualities of a vulnerability, such as a system's authentication requirements. The temporal metric group represents the time-dependent qualities of a vulnerability, such as its exploitability, and comprises three components. The third metric group is not included, as it represents the implementation- and environment-specific qualities of a vulnerability that can be best determined by the customers themselves.

CVSS is a vendor-agnostic, industry-open standard designed to convey the common attributes of vulnerabilities in computer hardware and software systems. CVSS was developed as a cooperative effort between the National Infrastructure Advisory Council and a number of security industry vendors and research organizations including Cisco. The Forum of Incident Response and Security Teams (FIRST) has been designated as the custodian of CVSS to promote its adoption globally. (See: http://www.first.org/cvss/ )

"The decision to include the CVSS base and temporal metrics in our security advisories is based on direct feedback from our customers requesting that Cisco provide guidance regarding vulnerabilities to facilitate more accurate risk assessments and prioritization. Customers can now compute a score allowing them to set priorities based on the risk to the specific environment," said Russ Smoak, director of technical support for Cisco PSIRT. "Over the years, many of PSIRT's policies and processes have been developed or have evolved through a number of factors, with customer feedback being one of the more important ones."

About Cisco PSIRT

Cisco's Product Security Incident Response Team (PSIRT) is a dedicated, global team that manages the receipt, investigation, and public reporting of security vulnerability-related information, related to Cisco products and networks. The on-call PSIRT team works 24x7 with Cisco customers, independent security researchers, consultants, industry organizations, and other vendors to identify possible security issues with Cisco products and networks. More information can be found at http://www.cisco.com/go/psirt .

About Cisco Systems

Cisco (NASDAQ: CSCO) is the worldwide leader in networking that transforms how people connect, communicate and collaborate. Information about Cisco can be found at http://www.cisco.com . For ongoing news, please go to http://newsroom.cisco.com .

Cisco, Cisco Systems, and the Cisco Systems logo are registered trademarks or trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries. All other trademarks mentioned in this document are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. This document is Cisco Public Information.

For direct RSS Feeds of all Cisco news, please visit "News@Cisco" at the following link:

http://newsroom.cisco.com/dlls/podcasts/rss.html

Press Contact: John Noh Cisco Systems, Inc. 408 853-8445 Email Contact Industry Analyst Contact: Lisa Caywood Cisco Systems, Inc. 408 853-0242 Email Contact Investor Relations Contact: Liz Lemon Cisco Systems, Inc. 408 527-8452 Email Contact