Bringing Security Issues Out of the Closet

If vendors can agree to share security vulnerability information, why can't corporations do the same?

Well, it's good to see that big business hangs on my every word. A few issues back, I suggested that competing companies should cooperate on sharing information relating to IT security problems. After all, a closed-mouth response to a security breach simply gives the perpetrators a cloak of secrecy that they can exploit to repeat the same attack on your corporate neighbors.


This Week's Links

Symantec Corp.'s Web site includes information on Norton AntiVirus software.

The Information Technology Association of America's home page carries a full story on the IT ISAC initiative.

The CERT Coordination Center disseminates information on security threats. Part of Carnegie Mellon University in Pittsburgh, CERT was started by the Defense Advanced Research Projects Agency, which is part of the U.S. Department of Defense, in 1988 after the now-famous Internet Worm incident.

BugTraq is a security vulnerability database that users can access via this Web site or e-mail newsletters. The site is run by SecurityFocus.com, a commercial security information services firm in San Mateo, Calif.

The financial services ISAC Web site gathers and disseminates information on security threats and vulnerabilities in the financial services industry, but much of the information is useful for any security manager.

Well, it appears now that 19 companies - including Microsoft Corp., AT&T Corp., Cisco Systems Inc., IBM, Intel Corp., KPMG International, Nortel Networks Corp., Oracle Corp. and Internet Security Systems Inc. - have announced that they're joining with the U.S. government to "share sensitive information about cyberattacks and vulnerabilities in their software and hardware products," according to an announcement I received. Of course, they're all vendors - I was talking about user organizations forming an alliance - but this is a good start. Even the Arlington, Va.-based Information Technology Association of America has joined the alliance.

How did this happen? I can see it now - Bill Gates sitting around at home scanning Computerworld in his copious free time, when he suddenly comes across my column. He reads it, a light dawns, he instantly sees how right I am, he rings up his team of executives and says, "Make it so." Cynics among you might say that this is all in response to the directive to improve infrastructure protection that former President Clinton issued three years ago, but hey, I like a good conspiracy theory as much as anyone else.

The alliance says it hopes to accomplish its goals by creating Information Sharing and Analysis Centers (ISACs) that establish lines of communication between government agencies and these vendors. The program, called IT ISAC, is basically just a private mailing list. Sure, there's a bit more to it than that if you want to get into the details, but at heart, it's just a closed group of people who can discuss their security problems in private.

At the moment, when hardware or software vulnerabilities are discovered, they tend to get posted to public forums on the Web like the CERT Coordination Center or BugTraq, and there's a long-standing ethical debate about when and how these forums should publish details of vulnerabilities. Should they delay publication to allow the vendors time to respond, or should they publish immediately on the grounds that system administrators everywhere have a right to know?

That argument has been raging for years, at least since the Internet Worm in 1988, which affected roughly 10% of all systems on the Internet. The Internet Worm, a precursor of the recent Melissa and "Love Letter" worms, brought the young Internet to its knees for a few days, long before most people had even heard of the Internet.

Most accounts of the incident mention the different responses of institutions. Some organizations immediately disconnected their local systems from the Internet to stop the problem from recurring; some stayed online and shared information on the worm and how to stop it. Each strategy worked well for some institutions and not so well for others.

Now, I have no idea which of these two camps is right. I'm not even sure which is better for me. Sure, publication gives us a short-term risk, but in the long term, it probably makes us more secure. The idea of trying to guard against risks by keeping their very existence secret - otherwise known as "security through obscurity" - worries me. As Alcoholics Anonymous will tell you, the first step toward dealing with a problem is admitting that you have a problem.

I know which way our antivirus software vendor, Tokyo-based Trend Micro Inc., thinks. In fact, the company immediately alerted us, via BugTraq, to a vulnerability that affected us. Trend Micro seems to be taking the view that publication is unavoidable, so it needs to publicize a defense that is equally strong. That gives me some respect for the vendor and makes me think that it's serious about facing up to its problems.

A Matter of Culture

The IT ISAC isn't even that new. It's based on the already existing financial services (FS) ISAC. The FS ISAC gathers and disseminates information on security threats and vulnerabilities but focuses on the financial services industry. In fact, it has been operating for more than a year now and, by all accounts, guards details of its membership and services quite jealously. However, the very fact that the IT ISAC is starting up, and with such prominent names supporting it, is a good indication that the FS ISAC is at least perceived to do a good job.

The question is, would my employer join something like this? I'm quite prepared to turn evangelist again and preach the case for joining to everyone who needs to know, but I'm going to face some cultural problems.

In fact, I'm already a member of a group similar to the IT ISAC, though it's much less formal and almost certainly much less efficient at sharing information than the IT ISAC. I've found that while my colleagues tend to be willing to discuss their security problems face-to-face, there's a marked unwillingness to put anything down on paper.

That's the attitude I'm likely to face if I propose membership to the IT ISAC: While we're reasonably happy to cooperate and share information with our peers, putting things on paper or storing records in a database can come back to bite us long after they were written - just ask Oliver North. No matter how much use you get out of cooperation, the perceived risk is often far greater than is really justifiable. We'll see.

Now, back to more pressing issues. One thing I've moaned about at great length in this column is the level of support we've been getting from our antivirus vendor, Cupertino, Calif.-based Symantec Corp., for our Norton antivirus software. I'm glad to say things seem to be changing. We let Symantec know just how unhappy we were with the level of service from its customer support line in Europe, and it assigned us an account manager to look into it. Since then, we've had no problems, and the service level seems to be improving. In fact, we put the company to a (perhaps slightly unfair) test the other day: we rang its support line with a rather confused report of a new virus and asked if it was a real problem. Despite our giving the support representative the wrong name (we called it the Dalai Lama, when it was actually called Davinia), the representative identified exactly which virus we meant, gave us the information we needed and corrected our naming tactfully.

That's far from being an accurate test of service level, of course, but it's certainly a start. It will still take some time to rebuild staff confidence, but if Symantec can continue to give us support at that level, it will have pulled off quite a turnaround. And hopefully, I'll be able to focus more of my time on new projects this year.

• This journal is written by a real security manager, "Jude Thaddeus," whose name and employer have been disguised for obvious reasons. It's posted weekly at www.computerworld.com and at www.sans.org to help you and your security manager better solve security problems. Contact him at jude.t@lycos.com or head to the forums. (Note: Registration is required to post messages; anyone may read them.)

Copyright © 2001 IDG Communications, Inc.
