Disclosures: How Much Sharing is Too Much?

Wednesday, February 15, 2012

Jack Daniel


We always hear calls for more information sharing in Infosec, but is it really needed or helpful? 

What is the point of me telling you I was compromised by spear phishing, SQL injection, cross-site scripting, cross-site request forgery, default credentials, or anything else we’ve known about for years?

If you are ignoring all of the well-known risks, it is a waste of my time preparing the data and sharing it, and it is a waste of your time reading it.  This isn’t as disturbing as some of the oversharing we see on the internet, but it may be more distracting. 

Maybe you should just do what you already know needs to be done.  Don’t give me that look, you know exactly what I mean.  We need to talk about security sometimes, but more often we need to shut up and DO security.

On the other hand, if you are taking things seriously and are at least making a good-faith effort, then knowing the specifics of what attacks are in the wild, who they are targeting, and the details of the compromise timeline could be very valuable in prioritizing your defenses and focusing your monitoring.

The New School folks are much more eloquent in explaining the value of information sharing done properly, so I’ll refer you to them for more on that.

Oh, and if you do choose to share information, the more RAW DATA you share, the better.  Add context and color, share observations, theories, and maybe even a conclusion or two, but give us the data whenever possible.

And go easy on the images: a good infographic is a thing of beauty (probably because of its scarcity), but overthought and underdelivered graphics seem to be the norm. Don’t do that.

A Side Note...

I’ll be moderating a panel at RSA on Monday, Feb 27 between 12:30 and 1:40, session PROF-001.  The topic is a continuation of the work we have done in the past year on Stress and Burnout in the Information Security Community. 

Although the ongoing “attitudes in infosec careers” survey covers a much broader range of topics than stress and burnout, some of the relevant data collected from that survey will be discussed in the panel. 

A reminder: the Career Attitudes in InfoSec survey is open for another week, please see this blog post for details and I would appreciate it if you consider taking the survey.  And thanks to everyone who took the survey and helped to spread the word about it.

I’ll also be leading a peer-to-peer session on “What works in log analysis”.  The session is P2P-205C on Wednesday, Feb. 29, from 2:10 to 3:00.  I really want this to be a peer-to-peer discussion and exchange of ideas, so if you are interested please come ready to share your thoughts and experiences.

We gather a lot of information in logs, but we don’t always gather the right information, or use it wisely.  The Verizon DBIRs show that log analysis hasn’t led to incident detection in the cases they have worked, but that over 60% of the time there was relevant information in the logs. 

Does that mean we aren’t using the data properly (or at all)?  Or does that mean that the folks who do log management and analysis properly don’t end up having to call Verizon for incident response services?  Hmm.

The rest of the week you can find me at BSides San Francisco, wandering the floor and talks at RSA, at the Tenable booth at RSA, and of course, at the Tonga Room (and probably Jack’s Cannery Bar).

Cross-posted from Uncommon Sense Security
