Carpe Breachum: How the HBGary breach can make us stronger

If we all know everyone's a target, why pretend otherwise?

Companies have long sought to balance what information about their vulnerabilities they must keep secret, and what information it would benefit them to share. The names of companies leaked in internal emails from HBGary, which were made public after the attacks last month by Anonymous, may change the calculus used to determine just how much we share.

Nothing in the emails changes anything about the attacks discussed - everyone who needed to know about those attacks already did, from a standpoint of incident response. However, when the activities of a cyber-security company are the target of memorable jokes on the Colbert Report, and the names of customers and hack targets become mainstream news, we have reached a unique opportunity in how companies share intelligence.

To Share, Or Not To Share

Sharing information with those in the industry - competitors, those in unrelated or even overlapping verticals - arguably acts as a force-multiplier of your own internal security resources. Simply put, if you're speaking with those who face similar threats to you, you're more likely to detect patterns of organized attacks such as those from the advanced, persistent adversaries we're all getting marketed about.

On the other hand, announcing your vulnerabilities allows enemies to infer or outright understand elements of your infrastructure which can be described as "core" or "competitive".

And who on earth wants to irritate shareholders and alarm customers with the news that you've been attacked? Who wants to take on bad press - or, conversely, have to spend boatloads of dosh to proactively create new marketing strategies that "pre-act" and react to the now-public information that you have been Pwn3d?

Striking the balance, then, of what to share, is a constant evaluation of these elements. What advantage do you get from sharing, and does that outweigh the damage sharing will cause?

Changing Calculus

From an information security standpoint, the former reason not to share - that enemies and competitors can suss out what's what in your infrastructure - may be most compelling, but to executives, it's the CNN Moment that causes the most angst. And here's where the breach of HBG email may provide some help that ultimately strengthens us all.

Also read: CSO Publisher Bob Bragdon's Information sharing: Connecting the dots

Let's go back to the innocent days of yesteryear, when credit card and Social Security number breaches made front page news. The populace was in a state of panic about identity theft, and CEO after CEO did the walk of shame, explaining to CNN how they'd lost data on hundreds of thousands or millions of their customers' credit cards.

Throughout 2006 and 2007 this happened so frequently that the news moved from the front page to, if we're lucky, a mention on page D27 near the Junior Jumble.

This dynamic was exploited by some diabolically keen-minded marketing folks at Google, when they managed to turn an organized information-stealing attack into a public relations bonanza. "We've been attacked," they said smoothly, "Let's discuss just how, so that more can defend against this kind of thing." Brilliant marketing. But in the process they also managed to de-stigmatize in the public's mind the idea that a trusted supplier has been attacked.

Now lookie here at the HBG emails. When specific names of companies which have been the targets of successful attacks are mentioned in such a widely publicized fashion, those targets naturally get embarrassed. But have a closer look and you see discussion of these targets as victims, trying to do something. This is the stuff of which excellent counter-marketing programs are built.

It also demonstrates in a highly public way what is obvious to anyone in the security industry: everyone is a target. As Jeremiah Grossman recently said, even targets of opportunity can now suddenly find themselves targets of choice - case in point, HBGary.

Carpe Breachum

This has the salubrious effect of making it, well, okay to have been the target of an attack as a company. If everyone's a target, then everyone has a stake in defense. This, I submit, should be considered by CISOs and other C-Level types when considering how they share information about vulnerabilities, breaches and other security incidents - how they share it with competitors, with researchers, with law enforcement.

I have long championed greater transparency and information sharing among security professionals for the purpose of developing intelligence that sees across stovepipes. I understand that few single incidents are sufficient to, forgive me, change paradigms. And I am not saying that the HBG breach is one of them.

What I am saying is that we as security professionals should seize any moment that makes it safer for companies to share. In this case, I submit that public airing helps reduce the stigma of admitting weaknesses we all suffer. Let's ask the folks over at NetWitness or Solera or Niksun or ArcSight or Mandiant or Loggly how many of their customers had no evidence of successful attacks on their networks. Let's look at the excellent and growing Verizon Data Breach Investigations Report [PDF link] and VERIS project. That there is a need for them stands as testament to the fact that, if you're breached, you're not alone.

A famous security researcher once answered my question about how he avoids being hacked, "Hell, Nick, I get hacked all the time". He said it as if I were asking a really stupid question, because in fact, I was.

Admitting that we are all targets; admitting that we've all been hacked; admitting that we all face the same issues, means that we can move from psychological and marketing objections, and look instead to solving or at least addressing the logistical and pragmatic barriers to information and intelligence sharing.

That's time better spent.

Nick Selby is a cyber-crime consultant and a police officer. His new blog and podcast, Police-Led Intelligence, launches later this month.


Nick Selby

CSO (US)
