Shostack + Friends Blog Archive

We Have Nothing to Fear But Fear Itself

So Ken Belva suggests that we should cordially agree to disagree. (“My Response to Adam Shostack’s Reply on Transparency & Breaches“) I’m happy to be cordial, but I feel compelled to comment on his response. Before I do, I should be clear that I have respect for Ken as a professional, and as someone willing to engage in this debate. A number of people have argued privately with me, and I suspect Ken is being cheered on by a lot of people who feel as he does. At the same time, I’d like to think that the smart people in our industry, including Ken, can be swayed by the arguments and logic.

So, quoting Ken:

But security operations are a different ball game. Perhaps my using the term competitive advantage was not correct. What I mean is that it’s more along the line of disclosing sensitive operational information. As security professionals we are averse to leaking any information pertaining to operations, and I view breach disclosure in the same way. There was a point when security professionals were afraid that posting technical job requirements for new positions on monster.com would leak information about the internal systems used in a corporate environment and give the attacker information.

So I understand and agree that we’re averse as a profession, and I believe that to be dysfunctional. To the particulars of leaking information via job postings: did you check to see if that information was already available via a search engine? When I have done so, I have found employees participating in mailing lists about products from their work accounts. So the information is already out there; we just don’t know it. If that’s the case (and I don’t know if my experience generalizes), then you’re making HR’s life harder for no payback.

More broadly, I think we need to get beyond fear (to coin a phrase) and be looking for data.

The first lesson of 1386 should be that the sky doesn’t always fall when we expect it to fall.

Just as we have an understanding of responsible disclosure now for technical information security vulnerabilities, we need the same for breach disclosure.

I don’t think these are the same thing. Disclosing information about vulnerabilities creates clear future risk on a broad scale. Disclosing information about what’s gone wrong in the past may expose no data that’s not already available on a search engine. More importantly, it allows us to evaluate our practices and replace fear with data.

If not through a centralized (not necessarily government) body, Adam, what do you propose that would allow for better, more accurate and confidential disclosure that does not leak sensitive information?

I’m not proposing any such thing. I’m proposing widely shared data. We have a set of organizations that have attempted to slice the Gordian knot with confidentiality. There’s CERT, FIRST, and the ISACs. CERT collects data, but their sampling has minimal statistical validity, because it’s self-selected reporters. FIRST has all sorts of hoops to jump through, but their members don’t share data. Ditto ISAC (from what my sources tell me). If I’m wrong, Dan Geer would like a month of your anonymized firewall logs to do some correlation analysis.

So I think that what you’ve suggested has been tried, and hasn’t worked. I think that I’ve provided a number of reasons it hasn’t worked (regulatory capture, lack of competition) and don’t expect those reasons to be overcome by yet another data sharing club.

My point is that sharing data has lots of possible upside, and the downsides are being shown to be less painful than we expect. However, there’s a way we’ve done things, and it has worked in some ways, and so we fear change.

I am challenging everyone to face those fears, and work to overcome them. I believe that there’s tremendous value waiting to be unlocked.

One comment on "We Have Nothing to Fear But Fear Itself"

  • A slight debate has erupted over Adam’s presentation “Security Breaches are good for you” which makes it a success. Of course, Adam means good for the rest of us, not the victims. One can consider two classes of beneficiaries to breach information:
    1. The direct Individuals concerned. …