The time for responsible reporting has come
The beginning of the year is when budgets for the forthcoming year are made available, when many new projects are teed off, and the security conference season starts. It is also the time of year when many vendors issue reports on the latest and greatest threats their researchers have uncovered. They do it to provide us with insight into the evolution of the threats jeopardizing our systems, and to advise those tasked with defending corporate assets on how to alter their defensive posture to deal with those threats.
Many who know me can attest that I am a firm supporter of information sharing. I believe that without effective and efficient information sharing we are fighting our foe at a distinct disadvantage. If we know who may be attacking our systems, what they are targeting, and how they strive to compromise those targets, we can adjust our security controls accordingly.
I have no problem with security vendors and service providers using their research to help promote the products and services they sell. We depend on vendors to develop robust security products and services we can use to defend our networks. As a result of some reports, various vendors have been catapulted into the limelight, which in turn resulted in a huge influx of new customers or those companies being acquired by other security vendors.
However, I am a seeing a worrying trend in how some vendors are reporting on new threats or are issuing analysis on the latest major security breaches. My concern is that the information being published in these reports may do more harm than good and may not help those defending their networks. In some cases, the details in the report could undermine criminal investigations, alert criminals that their methods have been discovered, or wrongly accuse or implicate innocent parties.
The recent Target breach is a good example for what I’m trying to point out. As a result of this breach, over 40 million credit cards were compromised by the attackers. As the details of the breach trickled out, many people began speculating as to how the attack could have been executed and who could be behind it. In the days and weeks following the official announcement of the breach we saw reports from various vendors implicating different systems as the weak link that made the attack possible.
We also saw some vendors release technical details of the malware and support infrastructure suspected to have been used. Most worrying of all, we saw some vendors name individuals as suspected of being involved in the breach. In one report, a 17-year-old was accused of being the author of the malware, which he denied and was subsequently found not to be involved.
We have also recently witnessed some vendors issue reports on the latest malware campaigns that they have uncovered. These releases range from announcements telling us that they have discovered the latest destructive piece of malware but will not release the information until they present it at a conference, to sensationalized reports with statistics of potential infection sources which are not backed up by data others can verify.
My concern is that in their pursuit of grabbing headlines, ensuring their researchers are asked to be keynote speakers at major conferences, creating a name for themselves in the marketplace, or making themselves attractive acquisition targets to larger companies, these vendors are putting us more at risk than protecting us.
If sensitive details relating to an ongoing security breach are released prematurely, they could potentially undermine a criminal investigation. So while the vendor may get their headlines, the criminals behind the attacks are more likely to get away with the crime and to continue to victimize other companies in the future. Similarly, when vendors look to capitalize on the information they have by sensationalizing it, they are potentially creating more harm than good.
It’s time for vendors to ensure that the information they have is released in a responsible fashion, in ways that will ensure innocent people’s reputation is not tarnished, criminal investigations are not jeopardized, and that overhyped threats do not distract us from the core threats we face on a daily basis. Should vendors, or indeed reporters, have information that may be useful in dealing with active threats, they should make it public in a responsible way. Approach the appropriate authorities and see if the information will be of use to them or whether its publishing could jeopardize their investigations. Alternatively, the same information could be shared with CERT teams, via the FIRST or TF-CSIRT groups. There are also many industry information-sharing groups that can ensure the information is acted upon responsibly.
The security community has argued, and continues to argue, how security vulnerabilities should be disclosed in as responsible a way as possible. It is time to look at how information is shared. Information is power, and with great power comes great responsibility.
Brian Honan is an independent security consultant based in Dublin, Ireland, and is the founder and head of IRISSCERT, Ireland’s first CERT. He is a Special Advisor to the Europol Cybercrime Centre, an adjunct lecturer on Information Security in University College Dublin, and he sits on the Technical Advisory Board for several information security companies. He has addressed a number of major conferences, wrote ISO 27001 in a Windows Environment and co-author of The Cloud Security Rules. He regularly contributes to a number of industry recognized publications and serves as the European Editor for the SANS Institute’s weekly SANS NewsBites.