Point/counterpoint: Breach response and information sharing

2 years ago
Eric Vanderburg

Some breaches require notification such as those involving patient data or customer information, but sharing is optional. Of course, notification is just one form of information sharing. For example, February’s executive order encourages private sector companies to share information on cybersecurity threats.

There are advantages and disadvantages of sharing information with others, and here to talk about it are two information security influencers, Eric Vanderburg and Bev Robb. Vanderburg will be arguing for information sharing and Robb will discuss potential sharing woes that may arise from government and private-sector collaboration.

Vanderburg: Attackers seek to maximize their return on the development or purchase of new exploits by targeting as many companies as possible. Additionally, just like crimes outside of cyberspace, cyber-criminals have established habits and proven methods that they rely upon to steal data or take over or destroy systems.

The resources of any individual company or person are limited. It takes coordination in order to combat today’s threats. It is essential to protect your company against data breaches but prevention alone does not stop attackers from trying again. The information shared can help track down and catch the bad guys.

I could argue the benefits all day but the main decision point is whether the benefits outweigh the threats so let’s look at some.

Robb: Many information-sharing initiatives proposed by the U.S. government make it slick for the private sector to share information with the government, but not vice versa. You scratch my back and I’ll scratch yours may not apply.

Though I am not completely against information sharing between government and companies in the private sector, some concerns are:

  • The federal government’s track record in the realm of government data breaches and their ability to safeguard data.
  • Private sector companies that have reported crimes to the government that rarely receive timely intelligence back (regarding threat actors).

Though it does take coordination and information sharing within the information security community to combat the current threat landscape, there is still much room for improvement.

Information overload

Security professionals reading this may be feeling overwhelmed already by the information on vulnerabilities and threats they receive each day. So why should we burden them with even more information?

Vanderburg: It is actually for that very reason that they need this information. There are too many threats out there, and organizations need to know which threats are credible and which vulnerabilities are more likely to be exploited. Information sharing can provide a filter to the vast amount of information out there so that security practitioners can properly prioritize.

Robb: The government is not a knight in shining armor and is already steeped with so much data and myriad software programs that it would be difficult to analyze threat data without the use of “commonly shared tools” to aggregate and analyze all this threat data.

Who decides which threats are credible and which vulnerabilities are more likely to be exploited? If it is the government that makes this decision, what is the ETA before the private sector is notified? My crystal ball tells me that the private sector will get the short end of the stick again while daydreaming for actionable intelligence to arrive.

Damage to reputation

Vanderburg: An organization’s reputation can also be damaged by what it withholds. We see this especially when an incident occurs that later turns out to be much larger in scope than originally thought. At this point, the damage is much greater and public opinion is set against the company because they took so long to identify the threat and act on it. However, if the information on the incident had been shared, similar incidents could have offered more insight into which systems should be analyzed and related threats that might require investigation. This could potentially reveal and resolve other threats sooner, both minimizing the damage to the company and its customers and preserving its reputation.

Robb: We’ve all learned over time that government often takes an exceptionally long time to identify their own security threats and to act upon them. With most government data breaches shrouded in secrecy, there is often minuscule acknowledgment of any accountability for weak security practices.

Information to attackers

Vanderburg: Sharing information publicizes the successful attack vectors used in an attack. If this information is shared before the vulnerability has been remediated, other attackers could exploit the same weakness. However, attackers already share information on successful attacks with others. It is likely other attackers will find this information not through security information sharing networks but rather through their own communities. As a general rule, security through obscurity (something is secure because it is unknown) is not a viable strategy because such things generally stay unknown for a short amount of time.

Robb: Deep web hacking communities and forums abound with information on exploits, hacking tutorials, intelligence on business websites (many that are vulnerable to SQL injection), and the like. Hackers are frequently applauded and esteemed when they share knowledge of data breaches they participated in (or are currently targeting). They do not need to pay attention to “breach information sharing” because most of these bad boys just want to quickly monetize their hacks. You can bet your bottom line that they will find the means to infiltrate their target(s) with or without any knowledge of “collaborative threat intel”.

—————————–

Though there is the sharing of threat intelligence within industry-specific sectors such as the Cyber Threat Alliance, ES-ISAC (Electricity Sector Information Sharing and Analysis Center) and NERC (North American Electric Reliability Corporation) – sharing threat intelligence is still in its infancy.

When you locate a data breach, what steps do you take to report it? Who do you go to? How do you tell a company that they’ve been breached if they are unaware? Curious? Be sure to check back next month for another Vanderburg-Robb data breach conversation.