Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

10/8/2012
05:21 AM
Wendy Nather
Wendy Nather
Commentary
50%
50%

When Monitoring Becomes A Liability

The combination of 'bigger data' and 'more intelligence' could lead down a path that creates problems for the enterprise

Organizations generally want to keep breaches under wraps, or at the very least to control the release of any news about them. When you have mandatory reporting laws in place, it can simply motivate you either to monitor less -- what you don’t know, you can’t report -- or to take longer to decide that it’s really a compromise that needs to be reported.

Here’s an example: If you discover that some Social Security numbers were theoretically accessible on an Internet-facing Web server, but you have no logs to figure out whether they were ever accessed, then what do you do? Is it a breach, or isn’t it? Does it matter whether they were there for an hour, or a day, or a month? If something confidential is accidentally published and the mistake is caught right away, then most organizations are simply going to go, "Oops," take it down, and say no more about it. (If you think this is shocking and scandalous, you don’t understand your business.)

But there’s a growing problem: Not all the indications of a security issue are under the control of the enterprise itself, and not all of them are subject to interpretation. One practice that is very common is the externally mandated audit or vulnerability assessment: where an external authority is empowered to examine and report on your security controls, or even pen test you, and publish some form of report. While you may argue that allowing SSL 1.0 doesn’t represent any kind of significant security risk, it’s not going to convince the auditor to drop it from the checklist. And in publicly available audit reports (such as the ones in the public sector), descriptions of findings are kept intentionally vague so as not to give clues to would-be attackers.

But this can also mean that "there is a weakness in transaction security" actually translates to "still allows a few remaining ancient browsers to use SSL 1.0." And the organization in question probably won’t be able to explain the real story.

Debating the seriousness of a given vulnerability is one thing; after all, having that vulnerability doesn’t necessarily mean it’s being exploited. But more unambiguous indicators are out there for anyone to find, such as membership in a botnet. If something in your IP address range is talking to a known command-and-control center, then at least at one level you’ve been 0wn3d, and you can’t explain it away with a +5 Wand of Pragmatism.

Not only is botnet membership publicly available for anyone who cares to look -- a lot more are caring to look now. Threat intelligence is growing at a steady pace, and the data is coming not just from a vendor’s product logs, but from honeypots and sensors deployed across the Internet. Several companies will now offer to tell you if you’ve been compromised by searching through their very large stores of data for your IP addresses; others can also monitor Pastebin, IRC, and other areas for any data related to your company.

For right now, at least, this sort of threat intelligence is governed by a gentlemen’s agreement that any indications of a breach will be supplied to only the affected party. But how long will it stay that way? We already have regulating authorities that would probably be very interested in knowing whether a financial institution, government agency, or healthcare provider actually has compromised machines -- and they might have the legal right to know. There is nothing to stop an unaffiliated party from gathering its own botnet membership information and publishing it (except, perhaps, the threat of lawsuits). Is the release of publicly available information illegal?

We’re not there yet, but the Wikileaks-style data exposure trend may well extend to general breach disclosure that organizations will have no way to stop. Naming and shaming could become a lot more widespread: "The National Bank of Freedonia has had at least four systems in a botnet every day for the past six months." And it could become shorthand for indicating how secure an enterprise is -- a breach index, if you will.

The more security intelligence data grows, and the more we can do with it, the greater the chances become that it could be a double-edged sword. Sometimes it’s possible to know too much.

Wendy Nather is Research Director of the Enterprise Security Practice at the independent analyst firm 451 Research. You can find her on Twitter as @451wendy. Wendy Nather is Research Director of the Enterprise Security Practice at independent analyst firm 451 Research. With over 30 years of IT experience, she has worked both in financial services and in the public sector, both in the US and in Europe. Wendy's coverage areas ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
How SolarWinds Busted Up Our Assumptions About Code Signing
Dr. Jethro Beekman, Technical Director,  3/3/2021
News
'ObliqueRAT' Now Hides Behind Images on Compromised Websites
Jai Vijayan, Contributing Writer,  3/2/2021
News
Attackers Turn Struggling Software Projects Into Trojan Horses
Robert Lemos, Contributing Writer,  2/26/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: George has not accepted that the technology age has come to an end.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-23351
PUBLISHED: 2021-03-08
The package github.com/pires/go-proxyproto before 0.5.0 are vulnerable to Denial of Service (DoS) via the parseVersion1() function. The reader in this package is a default bufio.Reader wrapping a net.Conn. It will read from the connection until it finds a newline. Since no limits are implemented in ...
CVE-2009-20001
PUBLISHED: 2021-03-07
An issue was discovered in MantisBT before 2.24.5. It associates a unique cookie string with each user. This string is not reset upon logout (i.e., the user session is still considered valid and active), allowing an attacker who somehow gained access to a user's cookie to login as them.
CVE-2020-28466
PUBLISHED: 2021-03-07
This affects all versions of package github.com/nats-io/nats-server/server. Untrusted accounts are able to crash the server using configs that represent a service export/import cycles. Disclaimer from the maintainers: Running a NATS service which is exposed to untrusted users presents a heightened r...
CVE-2021-27364
PUBLISHED: 2021-03-07
An issue was discovered in the Linux kernel through 5.11.3. drivers/scsi/scsi_transport_iscsi.c is adversely affected by the ability of an unprivileged user to craft Netlink messages.
CVE-2021-27365
PUBLISHED: 2021-03-07
An issue was discovered in the Linux kernel through 5.11.3. Certain iSCSI data structures do not have appropriate length constraints or checks, and can exceed the PAGE_SIZE value. An unprivileged user can send a Netlink message that is associated with iSCSI, and has a length up to the maximum length...