How Sharing Thwarts Hacks

[InfoSec News <isn () c4i org>]

http://www.eweek.com/article2/0,3959,825430,00.asp

By Dennis Fisher
January 13, 2003 

Two Harvard University security researchers have developed a model 
showing that enterprises that share their sensitive data about network 
attacks and security breaches are less attractive targets and, hence, 
less likely to be attacked.

The paper, to be presented later this month at the Financial 
Cryptography conference in Gosier, Guadeloupe, supports the U.S. 
government's contentions about the importance of sharing attack data. 
But it also concludes that many of the benefits that can accrue from 
such an arrangement won't be realized soon.

"I absolutely believe that there's value in information sharing, and I 
think that value will grow," said Stuart Schechter, a doctoral 
candidate in computer science at Harvard, in Cambridge, Mass., and 
co-author of the paper. "I think the change [toward information 
sharing] will be driven by insurance companies, who will offer lower 
premiums for companies that share."

Schechter's paper, written with Michael Smith, a professor of computer 
science and electrical engineering at Harvard, asserts that attackers 
exploiting vulnerabilities in off-the-shelf software will be less 
likely to attack a particular company if that organization is known to 
share attack data with other enterprises and/or the government and law 
enforcement. The reason is that attackers who spend time, and in some 
cases money, finding and exploiting vulnerabilities in common 
applications will not want information about their attacks shared, as 
it would reduce their chances of compromising other potential targets.

Government security officials in recent months have talked often of 
their desire to gather more attack data from enterprises. Presumably, 
the information the government would gather would be analyzed and then 
passed to the general public to warn of ongoing attacks and potential 
threats.

The next draft of the National Strategy to Secure Cyberspace, due 
early this year, is expected to include language encouraging CIOs to 
forward more information to the government.

But not everyone agrees with the government's proposal.

"There are better ways to do that than requiring it," said Mark Rasch, 
senior vice president and chief security counsel at Solutionary Inc., 
a security vendor based in Omaha, Neb. "What they need is incident 
data, and the problem there is that it generally requires a person to 
recognize the attack and make the decision to share the information. 
It could be set up in an automated way, but the government would have 
to fund it, and the political question is the level of the 
government's involvement. What will they do with this data?"

And that is what concerns enterprises most. Security specialists and 
CIOs worry that sharing sensitive data with anyone, especially the 
government, will expose them to embarrassment and potential lawsuits 
from customers.

"How about sharing the technical details of successful intrusions in a 
more public way, via an organization that would be perceived as 
neutral? Perhaps an additional role for CERT [Coordination Center], 
SANS [Institute] or even BugTraq—an expansion of the way we now share 
reports of vulnerabilities in specific products," said Karl Keller, 
president of IS Power Inc., a custom software developer in Thousand 
Oaks, Calif. "No new bureaucracy need arise. The victim could remain 
anonymous. What is important is the publicity for 
infrastructure-specific vulnerabilities and countermeasures. That's an 
extension of the present component/vendor-specific vulnerability and 
patch reporting we're used to."

The government's hunger for attack data is partially due to the 
creation of the Department of Homeland Security, which is scheduled to 
be up and running in the next few weeks. Nearly all the federal 
information security capabilities will be consolidated in the new 
agency, which will be responsible for early warning and analysis. 
However, government sources say the consolidation effort has been 
disorganized, and many workers who are moving to Homeland Security are 
unclear what their duties will be.

"It's kind of a mess right now. No one's said who's going where and 
who's doing what," said one government security employee, who asked to 
remain anonymous.

A current version of the national strategy making the rounds in 
Washington is short on details and recommendations and long on broad 
policy pronouncements, according to people with knowledge of the 
document. Despite the government's fondness for information sharing, 
don't expect to see any mandates along those lines, sources said.

"There will be a lot of rhetoric about it because that's one of the 
few things that we can actually do," Rasch said. "It's impossible for 
[the government] to set a standard of care in this area because they 
don't do it themselves. They talk about leading by example in there, 
but that's not happening."



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.