Written by Kent Woodruff, Chief Secuirty Officer at Cradlepoint
Post Heartbleed, those of us involved in network security could take a lesson from the CDC. One of the biggest barriers to stopping the repeated threats of an Avian Flu pandemic is the resistance on the part of many nations to share information when the flu takes hold in their country. We saw this in May 2013 when China refused to release English-language versions of relevant statistics and facts about an outbreak in their country of a new bird flu called H7N9.
Similarly, when the Heartbleed bug and other incursions strike, there is great reluctance on the part of affected companies to share information about their own internal pandemics. You can speculate on why they don’t want to share this crucial information (and there are still significant barriers to privacy and intellectual property protection that understandably causes companies pause to engage in security collaboration). The net effect, however, is to slow down or prevent other efforts to find a “cure.”
In the wake of the Target breach, for example, none of the exposed companies have released their “relevant facts and statistics.” We’ve heard rumors and conjectures. IT security luminaries, forensics experts, and even the FBI have tried to cobble together known facts into a plausible narrative. But it is all speculation—if very educated speculation.
What we need are hard facts: Did the breach go through vendor credentials? Was it through some misconfigured device? How did the attackers get into the core network—or was it just wide open? Do we all need to rush out and check our routers to make sure the ACLs are configured properly?