http://www.eweek.com/article2/0,3959,825430,00.asp By Dennis Fisher January 13, 2003 Two Harvard University security researchers have developed a model showing that enterprises that share their sensitive data about network attacks and security breaches are less attractive targets and, hence, less likely to be attacked. The paper, to be presented later this month at the Financial Cryptography conference in Gosier, Guadeloupe, supports the U.S. government's contentions about the importance of sharing attack data. But it also concludes that many of the benefits that can accrue from such an arrangement won't be realized soon. "I absolutely believe that there's value in information sharing, and I think that value will grow," said Stuart Schechter, a doctoral candidate in computer science at Harvard, in Cambridge, Mass., and co-author of the paper. "I think the change [toward information sharing] will be driven by insurance companies, who will offer lower premiums for companies that share." Schechter's paper, written with Michael Smith, a professor of computer science and electrical engineering at Harvard, asserts that attackers exploiting vulnerabilities in off-the-shelf software will be less likely to attack a particular company if that organization is known to share attack data with other enterprises and/or the government and law enforcement. The reason is that attackers who spend time, and in some cases money, finding and exploiting vulnerabilities in common applications will not want information about their attacks shared, as it would reduce their chances of compromising other potential targets. Government security officials in recent months have talked often of their desire to gather more attack data from enterprises. Presumably, the information the government would gather would be analyzed and then passed to the general public to warn of ongoing attacks and potential threats. The next draft of the National Strategy to Secure Cyberspace, due early this year, is expected to include language encouraging CIOs to forward more information to the government. But not everyone agrees with the government's proposal. "There are better ways to do that than requiring it," said Mark Rasch, senior vice president and chief security counsel at Solutionary Inc., a security vendor based in Omaha, Neb. "What they need is incident data, and the problem there is that it generally requires a person to recognize the attack and make the decision to share the information. It could be set up in an automated way, but the government would have to fund it, and the political question is the level of the government's involvement. What will they do with this data?" And that is what concerns enterprises most. Security specialists and CIOs worry that sharing sensitive data with anyone, especially the government, will expose them to embarrassment and potential lawsuits from customers. "How about sharing the technical details of successful intrusions in a more public way, via an organization that would be perceived as neutral? Perhaps an additional role for CERT [Coordination Center], SANS [Institute] or even BugTraq—an expansion of the way we now share reports of vulnerabilities in specific products," said Karl Keller, president of IS Power Inc., a custom software developer in Thousand Oaks, Calif. "No new bureaucracy need arise. The victim could remain anonymous. What is important is the publicity for infrastructure-specific vulnerabilities and countermeasures. That's an extension of the present component/vendor-specific vulnerability and patch reporting we're used to." The government's hunger for attack data is partially due to the creation of the Department of Homeland Security, which is scheduled to be up and running in the next few weeks. Nearly all the federal information security capabilities will be consolidated in the new agency, which will be responsible for early warning and analysis. However, government sources say the consolidation effort has been disorganized, and many workers who are moving to Homeland Security are unclear what their duties will be. "It's kind of a mess right now. No one's said who's going where and who's doing what," said one government security employee, who asked to remain anonymous. A current version of the national strategy making the rounds in Washington is short on details and recommendations and long on broad policy pronouncements, according to people with knowledge of the document. Despite the government's fondness for information sharing, don't expect to see any mandates along those lines, sources said. "There will be a lot of rhetoric about it because that's one of the few things that we can actually do," Rasch said. "It's impossible for [the government] to set a standard of care in this area because they don't do it themselves. They talk about leading by example in there, but that's not happening." - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Tue Jan 14 2003 - 01:16:21 PST