I was just reading about a Yahoo Mail exploit that is for sale for $700 – this one makes it easy for people to steal cookies and hijack accounts. This is pretty common in the world of cybercrime. This one is a “for fee” offering, but you can find a ton of free exploits, toolkits, and examples on the internet.
The bad guys’ willingness to share this kind of information is one of the reasons they continue to beat us in information security.
So why don’t we see the same thing from the good guys? There has been a lot of talk about information sharing, but the good guys still seem to be at an asymmetric disadvantage when it comes to sharing information about threats (particularly how to mitigate these threats).
You and the law
One set of problems is legal. For example, if you disclose information about threats and you are wrong, or you accidentally disclose too much (information about companies or individuals, for example), you may not have legal protection. There aren’t enough things like a “cyber Good Samaritan law” to ensure your protection.
Roles and responsibilities – and protections – still aren’t clear even where laws exist. What information “qualifies” for exemption from public disclosure, and is that information at risk if the policy changes later?
Criminals don’t have these worries.
Another set of problems relates to competition and paranoia. We often seem to have a “scarcity mentality” when it comes to information sharing. What I mean is that we want to hold on to our secrets so we can maintain a competitive advantage. In contrast, it seems like the criminals have a “plentiful mentality” in that they believe there are more than enough targets to go around, so they might as well let other people in on their methods (not to mention wanting to garner more bragging rights).
Other times, we are afraid to talk about how we are dealing with a specific threat because we think it may reveal information that could be used by the bad guys to alter their approach enough to attack us in a slightly different way. This is a legitimate concern. I don’t have a silver bullet solution, but I hope we can find a way to safely share some of our playbook.
Glimmers of hope
One place I’ve actually seen effective information and practice sharing is through Information Sharing and Analysis Centers, or ISACs. These tend to be industry- or domain-specific groups that get together and share information about common concerns, challenges, and opportunities.
These have been around a while and provide a good model. For example, in the past I’ve interacted with the FS-ISAC (Financial Services ISAC) and have found them to be very effective in sharing information about information security within their industry – even with competitors. Because they are all in the same business, facing the same kinds of attacks, dealing with the same regulatory restrictions, etc., it is easier to find common ground.
If your industry has an ISAC, I strongly encourage you to get involved. You can find a lot of information about ISACs in the US via the National Council of ISACs. In Europe, start with the ISAC Foundation. If you don’t have an industry-specific ISAC, you might be interested in the IT-ISAC, which deals with Information Technology generally.
In short, I think ISACs provide a means for us to begin to erode the asymmetric advantage of the attackers and I encourage you to get involved if you can.
Also, if you’ve found other useful ways of safely sharing information with the good guys, I’d love to hear from you.