Dark Reading is part of the Informa Tech Division of Informa PLC



1/17/2012
08:35 PM

Victim Businesses Teaming Up To Fight Cybercriminals

Major global corporations call for more collaboration among organizations hit by cyberattacks, but the devil's in the details

Major global businesses are calling for better intelligence- and information-sharing among themselves and other organizations hit by cyberattacks in order to better fend off the bad guys and protect themselves from breaches, but a universal model for doing so remains elusive.

The goal of sharing attack information and intelligence among victim organizations and other organizations that also could become targets was part of a new set of recommendations issued today by security executives from major global firms including ABN Amro, ADP, BP, Coca-Cola, eBay, Genzyme, HSBC Holdings, Johnson & Johnson, JPMorgan Chase, Nokia, Northrop Grumman, SAP, T-Mobile, and RSA parent company EMC. Their recommendations were included in a report published under the auspices of the Security for Business Innovation Council (SBIC) and facilitated by RSA.

But getting business rivals, federal agencies, and private industry to join hands and share their attack experiences, logs, and artifacts is not so simple. Aside from competitiveness, privacy, and technical issues, there are legal ramifications that typically limit or altogether prevent businesses from helping one another.

Even so, experts say it’s time for organizations to come out of the shadows and team up against the common enemy of cybercrime and cyberespionage. That’s the only way to get a leg up on the bad guys, they say.

But so far the sharing has been either industry-specific or very much ad-hoc: The Defense Security Information Exchange is an online portal for Defense contractors to swap attack information, and some local organizations, such as the Bay Area CSO Council, which includes chief security officers from Adobe, eBay, Gap, eTrade, Symantec, SAIC, Lawrence Livermore Laboratory, PayPal, Cisco-WebEx, Yahoo, and Intel, confidentially share their attack information.

There’s also InfraGard, the FBI-led association of local businesses, academic institutions, and state and local law enforcement agencies that meet regionally to share attack and threat information.

Lately, there have been more signs of cooperation: Key financial institutions, including Morgan Stanley and Goldman Sachs, earlier this month took some of the first steps toward possibly establishing a central site to gather and analyze attack trends for the financial services industry. They met with researchers at the Polytechnic Institute of New York University to noodle about the possibility of such a center, while the Bank of America has also been holding informal meetings with banks on coming up with solutions to deter the latest threats.

Meanwhile, Congress is currently floating multiple pieces of legislation that call for information-sharing with and among the feds, including a bill that would set up a national information-sharing organization as a way to protect critical infrastructure.

But there’s still no official go-to place for sharing this type of information, and experts say it’s unclear if there ever will be.

[Banks and financial institutions are looking at ways to share security information in order to improve their defenses. See Financial Companies Sharing Information About Security.]

Art Coviello, executive chairman of RSA Security, says a hierarchical model for victim organizations to share their threat information isn’t likely to emerge. “It’s never going to be a top-down thing,” he says.

“I foresee a future where there are networks of networks, until from the grassroots up we develop more of an online information-sharing facility -- this whole idea of a neighborhood watch, expanded on a worldwide basis,” Coviello says.

Both the legal issues and the overall scope of such a model have thus far been among the biggest hurdles. It’s the smaller, more focused models like that of the Bay Area CSO Council that have found success.

“The [Bay Area CSO] Council worked because it was formed with a prerequisite trust in the network. It was small enough, and the value and benefit was very clear,” says Jacques Francoeur, former executive director of the Bay Area CSO Council and founder of the Union of Concerned Cybersecurity Leaders.

The SBIC report says information-sharing among organizations requires the investment of manpower and technologies.

“If something happens at your organization, the first question you’ll ask is, ‘Is it just me or is everybody else getting hit with this attack?’” said Renee Guttmann, chief information security officer for The Coca-Cola Company and a member of the SBIC, in a statement. “You can't answer that for yourself. And it takes too long to call 20 of your closest friends. You’ve got to be part of a larger gene pool to get an immediate answer to that question.”

And other companies need to be willing to do the same, SBIC members say. "As cyber attacks continue to threaten enterprises and governments, more organizations will likely be motivated to invest in information sharing. An important factor paving the way is that organizations have the people, processes, and technologies in place to effectively participate in intelligence exchange," the report says.

RSA’s Coviello says he has previously tried to pull together service providers, telcos, and security organizations to see how to construct such an entity. "We can’t get past the lawyers," Coviello says.

It's the legal downsides that overshadow some of the possible benefits of getting an inside track on a new targeted attack campaign out of China, or a look at the latest malware variant going after corporate user accounts. "At the end of the day, there are a lot of legal downsides and not a lot of perceived upsides," the Union of Concerned Cybersecurity Leaders’ Francoeur says.

CSOs get frustrated when they share attack intelligence with the FBI, for example, and never hear back. Or they only get intelligence that's expired or they can’t take action on, Francoeur says.

And in many cases, when the general counsel is brought in, it’s game over for any information-sharing about a breach. Even if new legislation resolves the liability issues that block this sharing, there’s no guarantee organizations will suddenly clamor to spill their guts about breaches.

RSA's Coviello says the current ad-hoc groups may just eventually coalesce into something bigger. "I am really encouraged by ... the ISACs and industry groups taking it on themselves," he says. They could eventually start connecting with one another, he says, and expand into a network of networks from there.

But once you get the green light to share your breach data with others, then what?

"Sharing information is not the end state. The end state is to get actionable information that will help improve corporations’ and governments' cyber-security posture and continually raise the bar," said William Pelgrin, who is president and CEO for the Center for Internet Security, chair of the Multi-State Information Sharing and Analysis Center, and chair of the National Council of ISACs, in a statement.

At the heart of the SBIC’s recommendations is what it calls an "intelligence-driven information security" approach, where businesses gather reliable security information from government, industry, and internal sources to get a full picture of the threat and their exposures to it, and a process for analyzing it and taking action.

"An intelligence-driven approach to information security can deliver comprehensive situational awareness, enabling organizations to more effectively detect and mitigate cyber attacks. Developing a cyber-risk intelligence capability will take investments in people, process, and technology. It will challenge the information-security team to grow beyond the current skill set and to commit to a change in mind-set. And it will require not only the steadfast efforts of the security team but also broad organizational support," the SBIC report says.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

 
