Carpe Breachum: How the HBGary breach can make us stronger

If we all know everyone's a target, why pretend otherwise?

By Nick Selby

March 04, 2011 — CSO —

Companies have long sought to balance what information about their vulnerabilities they must keep secret, and what information it would benefit them to share. The names of companies leaked in internal emails from HBGary, which were made public after the attacks last month by Anonymous, may change the calculus used to determine just how much we share.

Nothing in the emails changes anything about the attacks discussed - everyone who needed to know about those attacks already did, from a standpoint of incident response. However, when the activities of a cyber-security company are the target of memorable jokes on the Colbert Report, and the names of customers and hack targets become mainstream news, we have reached a unique opportunity in how companies share intelligence.

To Share, Or Not To Share

Sharing information with those in the industry - competitors, those in unrelated or even overlapping verticals - arguably acts as a force-multiplier of their own internal security resources. Simply put, if you're speaking with those who face similar threats to you, you're more likely to detect patterns of organized attacks such as those from those advanced, persistent adversaries we're all getting marketed about.

On the other hand, announcing your vulnerabilities allows enemies to infer or outright understand elements of your infrastructure which can be described as "core" or "competitive".

And who on earth wants to irritate shareholders and alarm customers with the news that you've been attacked? Who wants to take on bad press - or, conversely, have to spend boatloads of dosh to proactively create new marketing strategies that "pre-act" and react to the now-public information that you have been Pwn3d?

Striking the balance, then, of what to share, is a constant evaluation of these elements. What advantage do you get from sharing, and does that outweigh the damage sharing will cause?

Changing Calculus

From an information security standpoint, the former reason not to share - that enemies and competitors can suss out what's what in your infrastructure - may be most compelling, but to executives, it's the CNN Moment that causes the most angst. And here's where the breach of HBG email may provide some help that ultimately strengthens us all.

Also read CSO Publisher Bob Bragdon's Information sharing: Connecting the dots

Let's go back to the innocent days of yesteryear, when credit card and Social Security number breaches made front page news. The populace was in a state of panic about identity theft, and CEO after CEO did the walk of shame, explaining to CNN how they'd lost data on hundreds of thousands or millions of their customers' credit cards.

• Print