Good guys finish last

Information sharing is the key to fighting security intruders

By Andrew Valentine

One of the first lessons any computer security professional learns is that, when it comes to cooperation, you’ll always be “behind the curve”. In the uniquely fluid technology industry, the good guys are continually adapting to meet the challenges presented by malicious intruders – data thieves backed by multi-national organised crime groups.

With each new case, investigators discover both subtle and radical progressions in the techniques intruders use to breach security and compromise data. In practice, the operational chronology of computer crime is such that the good guys always remain behind the curve: responding to attacks, determining how they were performed, remedying the relevant vulnerabilities and adopting newly pertinent investigative techniques.

The fact that security professionals continually operate behind the curve is a widely accepted facet of the industry. Computer security is reactive in nature; even preventative measures can only be taken after gaining a firm understanding of the intrusion techniques an organisation is attempting to circumvent. This “action/reaction” scenario has been core to the fundamental computer-security model since its inception.

Still, though security professionals can never truly operate wholly “ahead of the curve”, there remains significant room for improvement, and the gap can be tightened even further.

In terms of communication and information sharing, the criminal underground operates at peak efficiency, always. Where we security professionals may sometimes approach the curve in terms of technical knowledge and ability, with regard to information sharing we aren’t even close. Not by a long shot. The “open source” sharing mentality maintained in the underground facilitates the rapid transfer of knowledge about newly discovered vulnerabilities and associated attack techniques.

What’s worse, in the underground, information about known vulnerable targets is spread just as rapidly. If one bad guy, jacked into the hacker network, knows that a particular organisation is vulnerable, they all do. This is why, in the lion’s share of intrusion cases, there is often evidence of attack from multiple locations: Turkey, Vietnam, Russia, the US.

This communications network is streamlined, efficient, accurate and global. For a myriad of reasons, information sharing by the home team isn’t nearly as timely, coordinated or direct: it’s why there’s no such thing as “script kiddies” on our side.

It’s also why, now, in 2007, there are still organisations suffering security breaches and data compromises due to SQL injection attacks. Systems administrators either don’t understand the threat or don’t understand the seriousness of it.

In contrast, in the hacker underground, criminal intruders operate with a truly communal shared-knowledge base. For a bad guy, the pool from which to derive and contribute information is virtually limitless. For security professionals, attempts to derive or share information in a similar fashion are often met with proprietary stonewalling, departmental hesitation or, worse, plain ego.

Bottom line: they play more like a team than we do, and it puts us way behind.

Even more to our disadvantage, they know it. Black hat hacker conferences such as Def Con (Las Vegas, Nevada) and RuxCon (Sydney, Australia) are famous for having law enforcement personnel attend. But the notion that a malicious hacker would attend a local Infragard or ISAC (information sharing and analysis centre) meeting is simply unheard of. There is, essentially, no information that a criminal hacker could glean from a “good guy” conference that they wouldn’t already know. With regard to information exchange and transfer, they’ve got the upper hand, and aren’t afraid to flaunt it.

However, there are a number of public–private partnerships diligently working to tighten the gap in the communication curve. AusCERT, for instance, provides a trusted Australian contact in a worldwide network of computer security professionals sharing information about computer-incident prevention, response and mitigation strategies. In North America, similar groups such as Infragard and US-CERT provide many of the same functions. Ostensibly, these groups facilitate partnerships between individual citizens, private businesses, academia, law enforcement and government entities. Such partnerships are integral to the effort to streamline the flow of critical information to the security professionals who can use it best. The majority of these groups offer various reporting services, which can notify subscribers of emerging security threats and associated countermeasures as they occur.

Certainly, the organisational backbone exists for a truly effective and mechanical international communication and information-sharing structure. However, shortcomings around the cooperation curve are not organisational at all – they are cultural. It might be posited that, as computer security professionals, we are trained to withhold and protect information – or perhaps there exists a fear that sharing information might reveal shortcomings in an organisation’s information systems infrastructure. Whatever the reason, we are largely unwilling to share information as freely, openly and rapidly as the criminal hacker underground, much to our detriment.

Just as criminal hacker networks have implemented an efficient communication and information-sharing model, industry and security professionals should be able to build a similar, just as robust, communication network. Clearly, communication and information sharing about computer security is still in its infancy and, just as any other facet of IT and data security, the practice is continually changing and evolving. The criminal underground has been able to take technological evolution in its stride, incorporating changes to the way it shares information internally. As protectors of digital information, we have to take the decidedly ironic position of moving away from the culturally antiquated information-sharing model, where cooperation is hampered more than it is encouraged, and create a fully realised international model, where information is distributed just as effectively as it is in the underground.

Andrew Valentine is a security consultant within Cybertrust’s Incident Response Unit.