
1/17/2012
08:35 PM

Victim Businesses Teaming Up To Fight Cybercriminals

Major global corporations call for more collaboration among organizations hit by cyberattacks, but the devil's in the details

Major global businesses are calling for better intelligence- and information-sharing among themselves and other organizations hit by cyberattacks in order to better fend off the bad guys and protect themselves from breaches, but a universal model for doing so remains elusive.

The goal of sharing attack information and intelligence among victim organizations and other organizations that also could become targets was part of a new set of recommendations issued today by security executives from major global firms including ABN Amro, ADP, BP, Coca-Cola, eBay, Genzyme, HSBC Holdings, Johnson & Johnson, JPMorgan Chase, Nokia, Northrop Grumman, SAP, T-Mobile, and RSA parent company EMC. Their recommendations were included in a report published under the auspices of the Security for Business Innovation Council (SBIC) and facilitated by RSA.

But getting business rivals, federal agencies, and private industry to join hands and share their attack experiences, logs, and artifacts is not so simple. Aside from competitiveness, privacy, and technical issues, there are legal ramifications that typically limit or altogether prevent businesses from helping one another.

Even so, experts say it’s time for organizations to come out of the shadows and team up against the common enemy of cybercrime and cyberespionage. That’s the only way to get a leg up on the bad guys, they say.

But so far the sharing has been either industry-specific or very much ad-hoc: The Defense Security Information Exchange is an online portal for Defense contractors to swap attack information, and some local organizations, such as the Bay Area CSO Council, which includes chief security officers from Adobe, eBay, Gap, eTrade, Symantec, SAIC, Lawrence Livermore Laboratory, PayPal, Cisco-WebEx, Yahoo, and Intel, confidentially share their attack information.

There’s also InfraGard, the FBI-led association of local businesses, academic institutions, and state and local law enforcement agencies that meet regionally to share attack and threat information.

Lately, there have been more signs of cooperation: Key financial institutions, including Morgan Stanley and Goldman Sachs, earlier this month took some of the first steps toward possibly establishing a central site to gather and analyze attack trends for the financial services industry. They met with researchers at the Polytechnic Institute of New York University to noodle about the possibility of such a center, while the Bank of America has also been holding informal meetings with banks on coming up with solutions to deter the latest threats.

Meanwhile, Congress is currently floating multiple pieces of legislation that call for information-sharing with and among the feds, including a bill that would set up a national information-sharing organization as a way to protect critical infrastructure.

But there’s still no official go-to place for sharing this type of information, and experts say it’s unclear if there ever will be.

[Banks and financial institutions are looking at ways to share security information in order to improve their defenses. See Financial Companies Sharing Information About Security.]

Art Coviello, executive chairman of RSA Security, says a hierarchical model for victim organizations to share their threat information isn’t likely to emerge. “It’s never going to be a top-down thing,” he says.

“I foresee a future where there are networks of networks, until from the grassroots up we develop more of an online information-sharing facility -- this whole idea of a neighborhood watch, expanded on a worldwide basis,” Coviello says.

Both the legal and overall scope of such a model have thus far been some of the biggest hurdles. It’s the smaller, more focused models like that of the Bay Area CSO Council that have found success.

“The [Bay Area CSO] Council worked because it was formed with a prerequisite trust in the network. It was small enough, and the value and benefit was very clear,” says Jacques Francoeur, former executive director of the Bay Area CSO Council and founder of the Union of Concerned Cybersecurity Leaders.

The SBIC report says information-sharing among organizations requires the investment of manpower and technologies.

“If something happens at your organization, the first question you’ll ask is, ‘Is it just me or is everybody else getting hit with this attack?’” said Renee Guttmann, chief information security officer for The Coca-Cola Company and a member of the SBIC, in a statement. “You can't answer that for yourself. And it takes too long to call 20 of your closest friends. You’ve got to be part of a larger gene pool to get an immediate answer to that question.”

And other companies need to be willing to do the same, SBIC members say. "As cyber attacks continue to threaten enterprises and governments, more organizations will likely be motivated to invest in information sharing. An important factor paving the way is that organizations have the people, processes, and technologies in place to effectively participate in intelligence exchange," the report says.

RSA’s Coviello says he has previously tried to pull together service providers, telcos, and security organizations to see how to construct such an entity. "We can’t get past the lawyers," Coviello says.

It's the legal downsides that overshadow some of the possible benefits of getting an inside track on a new targeted attack campaign out of China, or a look at the latest malware variant going after corporate user accounts. "At the end of the day, there are a lot of legal downsides and not a lot of perceived upsides," the Union of Concerned Cybersecurity Leaders’ Francoeur says.

CSOs get frustrated when they share attack intelligence with the FBI, for example, and never hear back. Or they only get intelligence that's expired or they can’t take action on, Francoeur says.

And in many cases, when the general counsel is brought in, it’s game over for any information-sharing about a breach. Even if new legislation legalizes the liability issues that block this sharing, there’s no guarantee organizations will suddenly clamor to spill their guts about breaches.

RSA's Coviello says the current ad-hoc groups may eventually coalesce into something bigger. "I am really encouraged by ... the ISACs and industry groups taking it on themselves," he says. They could eventually start connecting with one another, he says, and expand into a network of networks from there.

But once you get the green light to share your breach data with others, then what?

"Sharing information is not the end state. The end state is to get actionable information that will help improve corporations’ and governments' cyber-security posture and continually raise the bar," said William Pelgrin, who is president and CEO for the Center for Internet Security, chair of the Multi-State Information Sharing and Analysis Center, and chair of the National Council of ISACs, in a statement.

At the heart of the SBIC’s recommendations is what it calls an "intelligence-driven information security" approach, where businesses gather reliable security information from government, industry, and internal sources to get a full picture of the threat and their exposures to it, and a process for analyzing it and taking action.

"An intelligence-driven approach to information security can deliver comprehensive situational awareness, enabling organizations to more effectively detect and mitigate cyber attacks. Developing a cyber-risk intelligence capability will take investments in people, process, and technology. It will challenge the information-security team to grow beyond the current skill set and to commit to a change in mind-set. And it will require not only the steadfast efforts of the security team but also broad organizational support," the SBIC report says.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
