SAN MATEO (05/15/2000) - If you spend too much time bantering in security circles, you're bound to hear the dogma: Technology won't solve your security problems anytime soon, so stick to the basics, such as policy, risk mitigation, vigilant monitoring, disaster preparedness, and -- most important -- keeping informed on the latest attack information. As disheartening as it may be, it is true.
So why are there still so many information-security-clueless companies, vendors, and end-users? Is it because security is so difficult? We don't think so. Rather, it's because definitive information on what the underground is doing to breach security is still kept rather hush-hush. The reasons range from victims trying to keep a low public relations profile on potentially embarrassing lapses to vendors trying to keep a competitive edge in an ever-expanding security product and services market. Whatever the reasons, they lack any hearty justification.
How to break this vicious circle of silence? In the past we've pushed for a public database of attack information. Security practitioners could anonymously contribute valuable information about security attacks; it could be supported by a minimal subscription. Would it work?
Many vendors have attempted to collect such data in various forms. For example, Internet Security Systems has demonstrated good citizenship by publishing its X-Force database of vulnerabilities over the years. A new initiative is underfoot called Common Vulnerabilities and Exposures (CVE), at www.cve.mitre.org, that is attempting to bring order to the madness that ravages the Internet every day.
We also enjoy reading many of the full-disclosure-oriented mailing lists such as those at securityfocus.com, sans.org, and ntsecurity.net. Two recent examples: Securityfocus' Incidents list recounts the "I Love You" worm's inner workings, and a highly interesting post appears on ntsecurity.net's Win2KsecAdvice list about a Windows NT and Windows 2000 Registry setting called MaxClientRequestBuffer.
One of the most frequently cited annual surveys on information security breaches is sponsored by the Computer Security Institute (CSI), at www.gocsi.com. The CSI essentially polls 500 security personnel and acts as a weather vane, but count us among those who yearn for more granular tracking of what's going on.
Another potential source of information is the new crop of managed monitoring services. For example, way back in the spring of 1998, we wrote a Test Center Comparison of intrusion-detection products. That article included IBM Corp.'s Emergency Response Service (ERS), one component of which was the installation of Wheel Group's (now Cisco Systems Inc.'s) NetRanger network monitoring device on client sites and remote collection of attack data. At the time, an IBM employee intimated that the company was building an interesting meta data set of attack information from dozens of clients around the world. We wonder what ever became of this database. Is IBM going to publish this pot of gold?
Cryptography guru Bruce Schneier recently put his company, Counterpane Internet Security Inc. (www.counterpane.com), behind a Managed Security Monitoring service, which will collect security data to be parsed by software filters, and even human expertise, in Counterpane's data centers.
We talked recently with Schneier, and he sounded confident that Counterpane would make its data publicly available, at least to the extent that it isn't injurious to client confidentiality concerns. "As far as I know, there isn't any real data on the incidence or frequency or type of attacks in the real world," Schneier said. "This will be a very valuable research result." If no one will listen to us, maybe Schneier can get them to take notice.
Is your organization regularly reviewing firewall logs and tracking potential threats, trying to understand what'll happen next? If you're anything like the companies we see day in and day out, the answer is no. It's about time we let someone else do it for us. Contribute to our database of e-mail attacks at firstname.lastname@example.org.
Stuart McClure is president/CTO and Joel Scambray is a managing principal at security consultant Foundstone Inc. (www.foundstone.com), formerly Rampart Security Group.