Information sharing has been a much discussed, but traditionally a hit-and-miss affair within the world of information security – after all, one’s information can hardly be said to be secure if you’re bandying it about to anyone who expresses an interest, can it?
…is a Problem Doubled
Let’s try something: How many enterprise-grade switch vendors can you name off the top of your head? (I managed eight, for what it’s worth). Now, of those, what percentage of large deployments do you think the top three vendors represent?
For Q2 2015 it’s just shy of 75%, with the top vendor – Cisco – holding a massive 59.9% market share.
How about operating systems?
In broad strokes, we’re looking at Windows, OS X, and Linux/Unix. Few prizes will be awarded for guessing that Windows is the dominant operating system here (90.5% for what it’s worth), but even breaking it down further there’s a better than even (56.5%) chance that you’re using Windows 7.
Statistically speaking, someone else almost certainly has a lot of the same hardware and software as you. With zero profiling, an attacker can take a reasonable guess at what products you’re using within your network and, therefore, the vulnerabilities to which your organisation (along with countless others) is exposed.
Despite this, many organisations are reluctant to even hint at which vendors supply their equipment (be that anything from networking hardware, to mail server software, to sit-stand desks), let alone discuss problems or security challenges they’ve faced with a given piece of equipment, lest it increase their exposure in some way.
…is a Problem Halved
It’s painful – or at least perceived as such – talking publicly about bad things that have happened to your network. Depending on their position, different people may feel that it’s embarrassing, symbolic of weakness, or indicative of failure. On the other hand, most people within the security industry view breaches as, at the very best, a ‘when, not if’ situation (and those are the optimists), so the discovery of an attack or vulnerability shouldn’t be taken as quite so shameful. Assuming, that is, that you remediate the situation rather than paper over the cracks…
Despite this, you may well be thinking that your company is just that: a company, not a charity. Why stand up and share insight into what happened to you just so that others can benefit from your misery?
In short: sharing information of this type isn’t an altruistic act. It may not always be true that what goes around comes around, but in this case engaging with the community and sharing tales (albeit tales of woe) will eventually result in someone else’s information letting you lock the stable door before the horse bolts. And isn’t that, at the heart of it, what we’re all trying to do?
If your company hasn’t already done so, consider signing up to an information-sharing platform, such as CiSP in the UK. Alternatively, or in addition, attending conferences (such as those organised by FIRST) can be a great way to share knowledge and make contacts.