Platt Perspective on Business and Technology

Information systems security and the ongoing consequences of always being reactive – 10: publicly sharing vulnerability information between businesses and communities

Posted in business and convergent technologies, social networking and business by Timothy Platt on April 2, 2013

This is my tenth installment to a series on the state of information systems security going into the second decade of the 21st century, and on challenges that will have to be addressed in moving forward from where we are now (see Ubiquitous Computing and Communications – everywhere all the time, postings 185-188 for Parts 1-4 and its continuation page, postings 189 and following for Parts 5-9.)

I have, up to here in this series, been discussing reactive and proactive approaches to information and cyber-security, and the process of developing security in depth, with a layered security systems approach. As a part of that and in the context of proactive security approaches, I have also raised the issue of social networks as organizing and enabling systems for black hat hacking and malware as a for-profit industry, and how understanding and acting upon those networks as criminal enterprises could cut back on the volume of cyber-threats that have to be identified and addressed (see Part 8: moving towards proactive controls 6.)

• One of my primary goals for this posting is to discuss a need for a more organized business, government and white hat hacker social network, as effectively shared knowledge is essential for making possible any real response to cybercrime and its threat.
• Who would participate in this network? I would argue that participation needs to be open and widespread for it to effectively work, but that certain key players would drive this network, exactly as occurs for black hat hacker and cyber-criminal networks that organize, monetize and develop profit from their activity.

So this posting is, in fact, about developing a more robust “good guy” response to the malware and related social network as it impacts upon individuals everywhere as they go online, and on legitimate businesses and organizations as they seek to connect with marketplaces and consumer communities to conduct business.

I discussed the black hat and cyber-criminal social network as their industry enabler in terms of a basic social networking taxonomy that I have found generally useful (see Social Network Taxonomy and Social Networking Strategy.) This offers a networking systems model based upon social networking strategies that different types of participants employ when deciding who to network with and how fully to do so.

For black hat social networks, with their business facilitation functions and their for-profit-driven motivations for connecting:

• Major commercial participants such as malware producers and distributors, or aggregators and sellers of individual personal information useful for identity theft, would be expected to be among the most widely connected and actively involved social network participants.
• But any complete listing of the most active social networking participants in this would also include the more actively involved buyers and consumers of this industry’s products and services, and facilitators too: individuals and groups who bring people together and in some cases collect what amounts to finders’ fees for bringing buyer and seller together.

Who should be the most active and connected members of a white hat social networking-facilitated counterpart to this? A partial listing here might include, and I add would actively require, committed participation from:

• Private sector organizational participants such as The Open Web Application Security Project (OWASP) and the Ponemon Institute that serve as best practices clearing houses and training resources,
• Governmental and non-governmental organization (NGO) participation, and for governmental organizations in particular this would mean sharing highly organized, vetted information in unclassified format and with much prompter and more timely determination as to what can be so released than is currently in place. The more delayed a release of essential information as to new and emerging cyber-threats and related issues, the less beneficial it can be – delayed information is essentially always going to be information that arrives too late to make a positive difference for this.
• For-profit businesses such as security software developers and providers. Once again, timely sharing of information by them is vital. I am not writing here about any antivirus software manufacturer, for example, sharing proprietary algorithms developed to respond to new and emerging computer virus threats. I am writing of the need for all organizations involved to share information on new threats and threat variations as they are found. And I am noting here the very real need for all involved in this network to quickly and fully share information when new threat sources are identified so they can be collectively responded to.
• This would mean reactively responding to what black hat networkers do and to their ongoing flow of attempted vulnerability exploits. But it would also mean proactively identifying new participants in their business-driving social networks and online commerce systems, who have risen to visibility through the levels and types of their activity there.
• And an effective white hat network would also more actively include a self-selecting group of independent cyber-security consultants and others who actively connect in and share insight, and who help networkers find each other, both for reporting new vulnerabilities and threats and for sharing best practices for preventing harm, or at least limiting it.

As a basic principle, viewing this system from a broader perspective:

• This white hat social network has to be as active, agile and quick as the black hat network that is already in place, and as the online cyber-criminal industry that that network enables, if it is to succeed in significantly impacting information and cyber-security threats and cutting back on the level of cyber-crime faced.
• And I write this fully aware of the role that natural selection would play in this, with the culling out of the slower and less effective of the black hat and cyber-criminal community while leaving the smarter, more clever and more agile to continue on.
• So I acknowledge that what I propose here would simply ratchet up the pressure driving what is already an evolutionary arms race. But at least the slower and less effective would be reduced in number so the overall level of threat volume faced would drop, leaving more resources available for identifying and focusing on the more serious threats.

I am going to turn in my next series installment to consider the growing role of governments as black hat hackers, and the threat and reality of cyber-warfare. Meanwhile, you can find this and related postings at Ubiquitous Computing and Communications – everywhere all the time and its continuation page, and at Social Networking and Business.
