[ISN] How Sharing Thwarts Hacks

From: InfoSec News (isnat_private)
Date: Mon Jan 13 2003 - 23:00:48 PST

    http://www.eweek.com/article2/0,3959,825430,00.asp
    
    By Dennis Fisher
    January 13, 2003 
    
    Two Harvard University security researchers have developed a model 
    showing that enterprises that share their sensitive data about network 
    attacks and security breaches are less attractive targets and, hence, 
    less likely to be attacked.
    
    The paper, to be presented later this month at the Financial 
    Cryptography conference in Gosier, Guadeloupe, supports the U.S. 
    government's contentions about the importance of sharing attack data. 
    But it also concludes that many of the benefits that can accrue from 
    such an arrangement won't be realized soon.
    
    "I absolutely believe that there's value in information sharing, and I 
    think that value will grow," said Stuart Schechter, a doctoral 
    candidate in computer science at Harvard, in Cambridge, Mass., and 
    co-author of the paper. "I think the change [toward information 
    sharing] will be driven by insurance companies, who will offer lower 
    premiums for companies that share."
    
    Schechter's paper, written with Michael Smith, a professor of computer 
    science and electrical engineering at Harvard, asserts that attackers 
    exploiting vulnerabilities in off-the-shelf software will be less 
    likely to attack a particular company if that organization is known to 
    share attack data with other enterprises and/or the government and law 
    enforcement. The reason is that attackers who spend time, and in some 
    cases money, finding and exploiting vulnerabilities in common 
    applications will not want information about their attacks shared, as 
    it would reduce their chances of compromising other potential targets.
    
    Government security officials in recent months have talked often of 
    their desire to gather more attack data from enterprises. Presumably, 
    the information the government would gather would be analyzed and then 
    passed to the general public to warn of ongoing attacks and potential 
    threats.
    
    The next draft of the National Strategy to Secure Cyberspace, due 
    early this year, is expected to include language encouraging CIOs to 
    forward more information to the government.
    
    But not everyone agrees with the government's proposal.
    
    "There are better ways to do that than requiring it," said Mark Rasch, 
    senior vice president and chief security counsel at Solutionary Inc., 
    a security vendor based in Omaha, Neb. "What they need is incident 
    data, and the problem there is that it generally requires a person to 
    recognize the attack and make the decision to share the information. 
    It could be set up in an automated way, but the government would have 
    to fund it, and the political question is the level of the 
    government's involvement. What will they do with this data?"
    
    And that is what concerns enterprises most. Security specialists and 
    CIOs worry that sharing sensitive data with anyone, especially the 
    government, will expose them to embarrassment and potential lawsuits 
    from customers.
    
    "How about sharing the technical details of successful intrusions in a 
    more public way, via an organization that would be perceived as 
    neutral? Perhaps an additional role for CERT [Coordination Center], 
    SANS [Institute] or even BugTraq—an expansion of the way we now share 
    reports of vulnerabilities in specific products," said Karl Keller, 
    president of IS Power Inc., a custom software developer in Thousand 
    Oaks, Calif. "No new bureaucracy need arise. The victim could remain 
    anonymous. What is important is the publicity for 
    infrastructure-specific vulnerabilities and countermeasures. That's an 
    extension of the present component/vendor-specific vulnerability and 
    patch reporting we're used to."
    
    The government's hunger for attack data is partially due to the 
    creation of the Department of Homeland Security, which is scheduled to 
    be up and running in the next few weeks. Nearly all the federal 
    information security capabilities will be consolidated in the new 
    agency, which will be responsible for early warning and analysis. 
    However, government sources say the consolidation effort has been 
    disorganized, and many workers who are moving to Homeland Security are 
    unclear what their duties will be.
    
    "It's kind of a mess right now. No one's said who's going where and 
    who's doing what," said one government security employee, who asked to 
    remain anonymous.
    
    A current version of the national strategy making the rounds in 
    Washington is short on details and recommendations and long on broad 
    policy pronouncements, according to people with knowledge of the 
    document. Despite the government's fondness for information sharing, 
    don't expect to see any mandates along those lines, sources said.
    
    "There will be a lot of rhetoric about it because that's one of the 
    few things that we can actually do," Rasch said. "It's impossible for 
    [the government] to set a standard of care in this area because they 
    don't do it themselves. They talk about leading by example in there, 
    but that's not happening."
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Tue Jan 14 2003 - 01:16:21 PST