Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

1/17/2012
08:35 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Victim Businesses Teaming Up To Fight Cybercriminals

Major global corporations call for more collaboration among organizations hit by cyberattacks, but the devil's in the details

Major global businesses are calling for better intelligence- and information-sharing among themselves and other organizations hit by cyberattacks in order to better fend off the bad guys and protect themselves from breaches, but a universal model for doing so remains elusive.

The goal of sharing attack information and intelligence among victim organizations and other organizations that also could become targets was part of a new set of recommendations issued today by security executives from major global firms including ABN Amro, ADP, BP, Coca-Cola, eBay, Genzyme, HSBC Holdings, Johnson & Johnson, JPMorgan Chase, Nokia, Northrop Grumman, SAP, T-Mobile, and RSA parent company EMC. Their recommendations were included in a report published under the auspices of the Security for Business Innovation Council (SBIC) and facilitated by RSA.

But getting business rivals as well as federal agencies and the private industry to join hands and share their attack experiences, logs, and artifacts is not so simple. Aside from competitiveness, privacy, and technical issues, there are legal ramifications that typically limit or altogether prevent businesses from helping one another.

Even so, experts say it’s time for organizations to come out of the shadows and team up against the common enemy of cybercrime and cyberespionage. That’s the only way to get a leg up on the bad guys, they say.

But so far the sharing has been either industry-specific or very much ad-hoc: The Defense Security Information Exchange is an online portal for Defense contractors to swap attack information, and some local organizations, such as the Bay Area CSO Council, which includes chief security officers from Adobe, eBay, Gap, eTrade, Symantec, SAIC, Lawrence Livermore Laboratory, PayPal, Cisco-WebEx, Yahoo, and Intel, confidentially share their attack information.

There’s also InfraGuard, the FBI-led association of local businesses, academic institutions, and state and local law enforcement agencies that meet regionally to share attack and threat information.

Lately, there have been more signs of cooperation: Key financial institutions, including Morgan Stanley and Goldman Sachs, earlier this month took some of the first steps toward possibly establishing a central site to gather and analyze attack trends for the financial services industry. They met with researchers at the Polytechnic Institute of New York University to noodle about the possibility of such a center, while the Bank of America has also been holding informal meetings with banks on coming up with solutions to deter the latest threats.

Meanwhile, Congress is currently floating multiple pieces of legislation that call for information-sharing with and among the feds, including a bill that would set up a national information-sharing organization as a way to protect critical infrastructure.

But there’s still no official go-to place for sharing this type of information, and experts say it’s unclear if there ever will be.

[Banks and financial institutions are looking at ways to share security information in order to improve their defenses. See Financial Companies Sharing Information About Security.]

Art Coviello, executive chairman of RSA Security, says a hierarchical model for victim organizations to share their threat information isn’t likely to emerge. “It’s never going to be a top-down thing,” he says.

“I foresee a future where there are networks of networks, until from the grassroots up we develop more of an online information-sharing facility -- this whole idea of a neighborhood watched, expanded on a worldwide basis,” Coviello says.

Both the legal and overall scope of such a model have thus far been some of the biggest hurdles. It’s the smaller, more focused models like that of the Bay Area CSO Council that have found success.

“The [Bay Area CSO] Council worked because it was formed with a prerequisite trust in the network. It was small enough, and the value and benefit was very clear,” says Jacques Francoeur, former executive director of the Bay Area CSO Council and founder of the Union of Concerned Cybersecurity Leaders.

The SBIC report says information-sharing among organizations requires the investment of manpower and technologies.

“If something happens at your organization, the first question you’ll ask is, ‘Is it just me or is everybody else getting hit with this attack?’” said Renee Guttmann, chief information security officer for The Coca-Cola Company, a member of the SBIC in a statement. “You can't answer that for yourself. And it takes too long to call 20 of your closest friends. You’ve got to be part of a larger gene pool to get an immediate answer to that question.”

And other companies need to be willing to do the same, SBIC members say. "As cyber attacks continue to threaten enterprises and governments, more organizations will likely be motivated to invest in information sharing. An important factor paving the way is that organizations have the people, processes, and technologies in place to effectively participate in intelligence exchange," the report says.

RSA’s Coviello says he has previously tried to pull together service providers, telcos, and security organizations to see how to construct such an entity. "We can’t get past the lawyers," Coviello says.

It's the legal downsides that overshadow some of the possible benefits of getting an inside track on a new targeted attack campaign out of China, or a look at the latest malware variant going after corporate user accounts. "At the end of the day, there are a lot of legal downsides and not a lot of perceived upsides," the Union of Concerned Cybersecurity Leaders’ Francoeur says.

CSOs get frustrated when they share attack intelligence with the FBI, for example, and never hear back. Or they only get intelligence that's expired or they can’t take action on, Francoeur says.

And in many cases, when the general counsel is brought in, it’s game over for any information-sharing about a breach. Even if new legislation legalizes the liability issues that block this sharing, there’s no guarantee organizations will suddenly clamor to spill their guts about breaches.

RSA's Coviello says the current ad-hoc groups may just eventually coalesce into something bigger. "I am really encouraged by ... the ISACS and industry groups taking it on themselves," he says. They could eventually start connecting among one another, he says, and expand into a network of networks from there, for example.

But once you get the green light to share your breach data with others, then what?

"Sharing information is not the end state. The end state is to get actionable information that will help improve corporations’ and governments' cyber-security posture and continually raise the bar," said William Pelgrin, who is president and CEO for the Center for Internet Security, chair of the Multi-State Information Sharing and Analysis Center, and chair of the National Council of ISACs, in a statement.

At the heart of the SBIC’s recommendations is what it calls an "intelligence-driven information security" approach, where businesses gather reliable security information from government, industry, and internal sources to get a full picture of the threat and their exposures to it, and a process for analyzing it and taking action.

"An intelligence-driven approach to information security can deliver comprehensive situational awareness, enabling organizations to more effectively detect and mitigate cyber attacks. Developing a cyber-risk intelligence capability will take investments in people, process, and technology. It will challenge the information-security team to grow beyond the current skill set and to commit to a change in mind-set. And it will require not only the steadfast efforts of the security team but also broad organizational support," the SBIC report says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18202
PUBLISHED: 2019-10-19
Information Disclosure is possible on WAGO Series PFC100 and PFC200 devices before FW12 due to improper access control. A remote attacker can check for the existence of paths and file names via crafted HTTP requests.
CVE-2019-18209
PUBLISHED: 2019-10-19
templates/pad.html in Etherpad-Lite 1.7.5 has XSS when the browser does not encode the path of the URL, as demonstrated by Internet Explorer.
CVE-2019-18198
PUBLISHED: 2019-10-18
In the Linux kernel before 5.3.4, a reference count usage error in the fib6_rule_suppress() function in the fib6 suppression feature of net/ipv6/fib6_rules.c, when handling the FIB_LOOKUP_NOREF flag, can be exploited by a local attacker to corrupt memory, aka CID-ca7a03c41753.
CVE-2019-18197
PUBLISHED: 2019-10-18
In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclo...
CVE-2019-4409
PUBLISHED: 2019-10-18
HCL Traveler versions 9.x and earlier are susceptible to cross-site scripting attacks. On the Problem Report page of the Traveler servlet pages, there is a field to specify a file attachment to provide additional problem details. An invalid file name returns an error message that includes the entere...