Sharing Our Way to Information Security

In my previous blog post, Specializing and Generalizing in the World of InfoSec, I mentioned the BSidesLV opening address by Adam Shostack, “Beyond Good and Evil: Toward Effective Security.” I’d like to pick up on his theme of information sharing as the ultimate act of self-preservation.

Take the auto industry as a case in point. Imagine you own a large car company and have learned that a lot of your cars have been involved in fatal accidents due to brake failure. You discover that the cause of the failure is the manufacturing process used by the company that supplies brake assemblies to other major car companies. You’d like to get together and talk with these other car companies to see if they’re seeing these same fatalities, but you don’t dare for fear of what will happen to shareholder profits if word gets out. So you keep quiet.

Thankfully, there are no fatalities involved in data breaches. However, the harm they can cause countless individuals is real. Yet it’s the exceptional company that’s willing to share information when they’ve been hacked—even though at some level most businesses understand that it is exactly—and only—through information sharing that data can be made safer.

To Adam Shostack, the problem with data breaches is a problem of science—specifically, the lack of it. Shostack is a principal program manager at Microsoft. He is also a technologist, entrepreneur, game designer, and member of the BlackHat Review Board. He helped found the Common Vulnerabilities & Exposures (CVE) system, and he has written a number of books on InfoSec, including “Threat Modeling: Designing for Security. Shostack co-authored “The New School of Information Security," and was co-designer of "Control-Alt-Hack."

Shostack duly noted in his keynote that whenever a company of any size gets hacked, it rolls out the usual reasons for withholding any significant information about the event: negative effect on share prices, competitive disadvantage, corporate security. But when you examine what actually happens after a breach, he says, these reasons don’t hold up. To whit:

  • TJX: Way back in 2007, hackers stole at least 45.6 million card numbers from TJX. Predictably, stock prices fell… for a time. But as Shostack notes (and as reviewed this year by the AP, the hit was minimal.
  • Bit9: This breach got a lot of press since Bit9 bills itself as a “leader in endpoint threat prevention, detection and response”—dedicated to defending other companies. According to Shostack, Bit9 market penetration actually increased after the breach.
  • The Onion: Last May this satirical news outlet reported that its Twitter account had been hacked by a group called the Syrian Electronic Army. After briefly underplaying and then satirizing the group’s tweets, The Onion released detailed information about how the hack was done. More than one commentator (mashable and arstechnica, for example) took the opportunity to use the information to educate and advise others how to avoid this particular kind of attack. The Onion is still in business with no apparent damage to its business or its reputation.

You could say the same thing about post-breach Target. Has it suffered from the breach? Not really. As far as I can tell, people are still shopping there in the usual droves. They may stay away for a week or two, and then convenience wins out and back they go.

Shostack reiterated what has now become a familiar call for companies to stop sweeping information about data breaches under the rug and start publishing it.

What caught my attention was when he said that it was up to us as security professionals to make it happen.  Who else, he suggested, can know what kind of information needs to be released for our colleagues at other companies to figure out how to stop an attack on their data? Who but security professionals are in a better position to convince our respective C-level execs that it is in their best interests to share this information?

The Onion, for example, might have been content to reveal no more than that the hack took the form of a phishing attack. But as security professionals, we need to know more—much more. Was the segmentation bad? If so, why? Were there no controls in place? Were employees ever educated about phishing attacks? If not, why not? If so, what was it about this attack that fooled them? How can we better educate employees in the future?
To stop or reduce this madness, we as security professionals need the juicy details. According to Shostack, it is up to us to move the business community to a place where release of this information is not the exception but the rule.

NOTE: At the end of his presentation, Shostack asked those in the audience to stand if they pledge to disclose breach information in the future.  A few people stood, then a few more, until most—but not everyone—was on his or her feet.  Some were probably just too lazy to get up. Others might not be ready to take what they may rightfully perceive as a career risk.