http://www.eweek.com/article2/0,3959,825430,00.asp

By Dennis Fisher
January 13, 2003

Two Harvard University security researchers have developed a model
showing that enterprises that share their sensitive data about network
attacks and security breaches are less attractive targets and, hence,
less likely to be attacked.

The paper, to be presented later this month at the Financial
Cryptography conference in Gosier, Guadeloupe, supports the U.S.
government's contentions about the importance of sharing attack data.
But it also concludes that many of the benefits that can accrue from
such an arrangement won't be realized soon.

"I absolutely believe that there's value in information sharing, and I
think that value will grow," said Stuart Schechter, a doctoral
candidate in computer science at Harvard, in Cambridge, Mass., and
co-author of the paper. "I think the change [toward information
sharing] will be driven by insurance companies, who will offer lower
premiums for companies that share."

Schechter's paper, written with Michael Smith, a professor of computer
science and electrical engineering at Harvard, asserts that attackers
exploiting vulnerabilities in off-the-shelf software will be less
likely to attack a particular company if that organization is known to
share attack data with other enterprises and/or the government and law
enforcement. The reason is that attackers who spend time, and in some
cases money, finding and exploiting vulnerabilities in common
applications will not want information about their attacks shared, as
it would reduce their chances of compromising other potential targets.

Government security officials in recent months have talked often of
their desire to gather more attack data from enterprises. Presumably,
the information the government would gather would be analyzed and then
passed to the general public to warn of ongoing attacks and potential
threats.

The next draft of the National Strategy to Secure Cyberspace, due
early this year, is expected to include language encouraging CIOs to
forward more information to the government.

But not everyone agrees with the government's proposal.

"There are better ways to do that than requiring it," said Mark Rasch,
senior vice president and chief security counsel at Solutionary Inc.,
a security vendor based in Omaha, Neb. "What they need is incident
data, and the problem there is that it generally requires a person to
recognize the attack and make the decision to share the information.
It could be set up in an automated way, but the government would have
to fund it, and the political question is the level of the
government's involvement. What will they do with this data?"

And that is what concerns enterprises most. Security specialists and
CIOs worry that sharing sensitive data with anyone, especially the
government, will expose them to embarrassment and potential lawsuits
from customers.

"How about sharing the technical details of successful intrusions in a
more public way, via an organization that would be perceived as
neutral? Perhaps an additional role for CERT [Coordination Center],
SANS [Institute] or even BugTraq—an expansion of the way we now share
reports of vulnerabilities in specific products," said Karl Keller,
president of IS Power Inc., a custom software developer in Thousand
Oaks, Calif. "No new bureaucracy need arise. The victim could remain
anonymous. What is important is the publicity for
infrastructure-specific vulnerabilities and countermeasures. That's an
extension of the present component/vendor-specific vulnerability and
patch reporting we're used to."

The government's hunger for attack data is partially due to the
creation of the Department of Homeland Security, which is scheduled to
be up and running in the next few weeks. Nearly all the federal
information security capabilities will be consolidated in the new
agency, which will be responsible for early warning and analysis.
However, government sources say the consolidation effort has been
disorganized, and many workers who are moving to Homeland Security are
unclear what their duties will be.

"It's kind of a mess right now. No one's said who's going where and
who's doing what," said one government security employee, who asked to
remain anonymous.

A current version of the national strategy making the rounds in
Washington is short on details and recommendations and long on broad
policy pronouncements, according to people with knowledge of the
document. Despite the government's fondness for information sharing,
don't expect to see any mandates along those lines, sources said.

"There will be a lot of rhetoric about it because that's one of the
few things that we can actually do," Rasch said. "It's impossible for
[the government] to set a standard of care in this area because they
don't do it themselves. They talk about leading by example in there,
but that's not happening."

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoattrition.org with 'unsubscribe isn'
in the BODY of the mail.

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]