Chey Cobb
Newsscan Computer Security Column
Stephen and Chey Cobb, CISSP

Who You Gonna Call For Help?

Welcome to the first of what we hope will be many columns on computer security, written for Newsscan by the husband and wife team of Stephen and Chey Cobb. Seasoned computer industry veterans, Stephen and Chey are both Certified Information System Security Professionals and published experts. They plan to use this column to address both the basics of computer security and the background to recent security news.

Whom Are You Going To Call?
A formal rendition of the haunting refrain from the theme to “Ghostbusters” nicely summarizes one of the most pressing security dilemmas facing today’s highly-connected enterprises: When your organization experiences a security incident, do you tell anyone about it? And if so, whom?

Earlier this year a survey of 8,100 technology and security professionals by InformationWeek revealed that 40 percent of businesses that experienced a serious security breach told nobody. Only about a quarter of that 40 percent informed a government authority or CERT/CC, the Computer Emergency Response Team/Coordination Center at Carnegie Mellon University (www.cert.org). It was also disclosed this week that some businesses have even been paying blackmail to hackers in order to keep the news of hacks against their organizations secret.

More worrying still, for businesses in general, is that 85 percent of businesses that suffered a security breach neglected to inform their business partners of the problem. Without being cynical, one can speculate that many of the partners would have found out anyway, given the highly interconnected nature of today’s business relationships. Regardless of speculation, the implication is pretty clear: if a security incident occurs at a company with whom you do business, they probably won’t inform you, if they can avoid doing so.

Why worry about this? Because however well you protect your own systems, they are bound to connect, at some point, with other systems whose security is not under your control. If you have been diligent, you will have obtained assurances from the entities with whom your systems connect as to their security policies and procedures. But how do you know they are living up to those assurances? Some companies are now including, or rather attempting to include, security audit rights in business contracts. Of course, most companies will, if their bargaining position allows, object to such clauses.

Whether or not you are able to obtain the right to audit a business partner’s security assurances will depend on a variety of factors, but in any event you should definitely push for the next best thing: an assurance that you will be informed if there is a security incident.

So why is telling others about a security incident so important? After all, there would appear to be numerous downsides to revealing that your defenses have been breached: embarrassment, loss of partner and customer confidence, and liability. Below are our five reasons why you should at least let law enforcement and CERT/CC know about your security problems:

1. They may know more than you do. Even if your organization has devoted a lot of resources to security, you are unlikely to have the full picture in terms of current attack activity levels, techniques, and targets. For example, if an individual is attempting to extort money from your organization over a security issue, you may not be alone. Local or national law enforcement may be aware of this scheme and may already be investigating.

2. They can help you. Compared to just a few years ago, you will find a lot more sophistication with respect to computer security incident handling in your local FBI office and local law enforcement agencies. They can usually direct you to additional resources for assistance.

3. You can help them. The folks who are fighting to defend computer systems are in dire need of more data about the problems they are trying to solve. The small bit of data you give them may just be the bit that they need to be able to determine a new trend or to put them on the track of the perpetrators.

4. They’ll find out anyway. Many questions about liability arising from security breaches remain unanswered, but one thing seems fairly certain: keeping the lid on incidents is increasingly difficult to do. A clear lesson from history is that you can get into more trouble from trying to cover something up than from the thing itself.

5. There may be more gain than shame. Organizations that are upfront about their security problems may well garner both respect and sympathy. This is especially true if you have been doing a good job securing your systems but fall victim to a new and unusual attack.

And remember: information is everyone's best defense. The more we share that information, the stronger we all become.

Chey Cobb, the author of Network Security for Dummies, is an independent consultant who served for several years as a senior technical security advisor to the NRO. She can be reached at chey@patriot.net.

Stephen Cobb, the author of Privacy for Business: Web Sites and Email, is Senior VP of Research and Education for ePrivacy Group. He can be reached at scobb@cobb.com.

©2003 Chey Cobb. All rights reserved.