In some ways, the information security industry is still earning its wings: there are parallels between security today and the early days of flight. It took the aviation industry a lot of public trial, error and crashes before effective protocols and methodologies took hold.
Trey Ford, global security strategist at Rapid7, expounded on the importance of public incident reporting between organizations and greater transparency during a recent keynote panel at the SecTor 2015 security conference in Toronto.
“One hundred years ago, pilots didn’t have much to go on. Pilots were doing things that defy common sense. The way that flight became the way it is today required a long path. Their failures, their lessons learned weren’t kept secret. They were shared.”
Ford proposed that the industry as a whole should stop worrying about giving away trade secrets and instead come together to collaborate and freely share security incidents, so that best practices for handling security threats can be developed from real cases. Making system images, packet captures, IP addresses and related security information non-identifying before it is shared, or sharing it under a simple NDA, would address that concern: “It’s about transparency. As a profession, (the aviation sector) worked together to forward the profession. We need to get back to that.”
In North America, aircraft incidents are handled by government transportation safety agencies, who investigate before providing an exhaustive public report and industry recommendations: “In aviation, if we have an issue with the wheel, tire or landing gear, we want to know where it came from…is it isolated, where it came from, et cetera.”
Security professionals should look at this aviation model as a way to improve IT security practice. The point is a full failure analysis when documenting security threats and attacks: not just that something happened, but what failed, why, and what would have stopped it.
“We need to be able to discuss openly. We are making this up as we go,” Ford says of the pressure security professionals are under to secure the network. “Companies look at us as professionals to be wise, almost prescient. They want us to be able to foresee and be prepared for things that we can’t imagine. And that’s our job; we do this every day.”
Information sharing, according to Ford, is required for CSOs and CFOs to stay ahead of the curve when it comes to dealing with malware and security threats. At a bare minimum, recording and sharing threat information in a common vocabulary such as VERIS (Vocabulary for Event Recording and Incident Sharing) lets incidents be described in a consistent, comparable way, so that patterns repeated across organizations become visible.
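The two practical steps Ford's argument rests on are recording an incident in a shared vocabulary and making the record non-identifying before it leaves the organization. The following Python is an added example written for this page, not code from Ford's talk, Rapid7 or the VERIS project: it builds a constructed incident record whose layout loosely follows VERIS's actor/action/asset/attribute structure (the enumeration values, the `source_ips` field and the sample data are illustrative assumptions), then scrubs it for sharing. Victim identity fields are dropped, and IP addresses and hostnames are replaced with keyed-HMAC tokens, so the same indicator maps to the same token across every record the organization releases under that key. Recipients can still correlate indicators between incidents without learning the raw values, and a final check refuses to release a record that still contains a raw IP or hostname.

```python
"""Scrub a VERIS-style incident record before sharing it outside the organization.

Added example for this page; field layout loosely follows VERIS's
actor/action/asset/attribute structure. The record, key, hostnames and the
'source_ips' field are constructed here and are not from a real incident.
"""
import hashlib
import hmac
import ipaddress
import json
import re

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Victim fields that name the organization; dropped outright before sharing.
IDENTIFYING_VICTIM_FIELDS = ("victim_id", "hostnames", "contact")

# Constructed sample record (not a real incident). Enumeration strings are
# VERIS-style but illustrative; 'source_ips' is a hypothetical extra field.
SAMPLE_INCIDENT = {
    "incident_id": "2015-0042",
    "victim": {
        "victim_id": "Example Corp",
        "industry": "52",  # NAICS sector code, the convention VERIS uses
        "hostnames": ["vpn01.corp.example", "db01.corp.example"],
        "contact": "soc@corp.example",
    },
    "actor": {"external": {"variety": ["Organized crime"], "motive": ["Financial"]}},
    "action": {"hacking": {"variety": ["Use of stolen creds"], "vector": ["VPN"]}},
    "asset": {"assets": [{"variety": "S - Database"}]},
    "attribute": {"confidentiality": {"data": [{"variety": "Personal"}]}},
    "discovery_method": {"external": {"variety": "Law enforcement"}},
    "source_ips": ["203.0.113.7", "203.0.113.9"],
    "summary": "Stolen VPN creds used from 203.0.113.7 to reach db01.corp.example.",
}


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed HMAC token. The same value always maps to the same token under a
    given key, so recipients can correlate indicators across incidents from
    this organization without learning the raw value; a plain hash would let
    anyone brute-force the IPv4 space to reverse it, the key prevents that."""
    digest = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return "anon:" + digest[:16]


def scrub_text(text: str, key: bytes, extra_terms=()) -> str:
    """Replace IPv4 literals and any listed identifying terms in free text."""
    def replace_ip(match):
        try:
            ipaddress.ip_address(match.group(0))  # skip non-addresses like 999.1.1.1
        except ValueError:
            return match.group(0)
        return pseudonymize(match.group(0), key)

    text = IPV4_RE.sub(replace_ip, text)
    for term in extra_terms:
        text = text.replace(term, pseudonymize(term, key))
    return text


def sanitize_incident(incident: dict, key: bytes) -> dict:
    """Return a shareable copy: taxonomy fields are kept verbatim, victim
    identity is dropped, and IPs/hostnames are replaced by HMAC tokens."""
    out = json.loads(json.dumps(incident))  # deep copy; never mutate the original
    victim = out.setdefault("victim", {})
    hostnames = list(victim.get("hostnames", []))
    for field in IDENTIFYING_VICTIM_FIELDS:
        victim.pop(field, None)
    out["source_ips"] = [pseudonymize(ip, key) for ip in out.get("source_ips", [])]
    out["summary"] = scrub_text(out.get("summary", ""), key, extra_terms=hostnames)
    return out


def leaks_raw_identifiers(record: dict, hostnames=()) -> bool:
    """Release gate: True if any raw IPv4 literal or known hostname is still
    present anywhere in the serialized record."""
    blob = json.dumps(record)
    if IPV4_RE.search(blob):
        return True
    return any(host in blob for host in hostnames)


if __name__ == "__main__":
    key = b"per-organization secret, constructed for this example"
    shared = sanitize_incident(SAMPLE_INCIDENT, key)
    assert not leaks_raw_identifiers(shared, SAMPLE_INCIDENT["victim"]["hostnames"])
    print(json.dumps(shared, indent=2))
```

The key is the piece to think about: it has to be kept by the sharing organization and rotated deliberately, because anyone holding it can recompute tokens for candidate IPs and de-anonymize the record. The structured actor/action/asset/attribute fields are left untouched on purpose; that is exactly the part of the record a peer organization needs to compare against its own incidents.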
“We need to make their lives harder,” Ford says of the malware community. “Every time we force the attackers to work, buy new exploits, build new tools, change administrators control systems…every action they take raises their visibility, raises their costs and makes it more expensive and dangerous for them to operate.”
Ford concedes that many organizations are simply not built, culturally or institutionally, for formal threat information collaboration and a shared risk management arrangement. But in the face of ever-adapting attackers, tentative steps need to be taken in that direction; the infosec community will only grow, mature and fly when organizations fully commit to the notion that information sharing and public incident reporting are a good thing, he added.
“What makes the profession safe is having explored and documented the boundaries, learned those lessons and communicated them back,” says Ford. “(We need) to explain breaches in clear and repeatable ways. You will know what’s working and what’s not.”