Many who know me can attest that I am a firm supporter of information sharing. I believe that without effective and efficient information sharing we are fighting our foe at a distinct disadvantage. If we know who may be attacking our systems, what they are targeting, and how they strive to compromise those targets, we can adjust our security controls accordingly.
I have no problem with security vendors and service providers using their research to help promote the products and services they sell. We depend on vendors to develop robust security products and services we can use to defend our networks. As a result of some reports, various vendors have been catapulted into the limelight, which in turn resulted in a huge influx of new customers or those companies being acquired by other security vendors.
However, I am a seeing a worrying trend in how some vendors are reporting on new threats or are issuing analysis on the latest major security breaches. My concern is that the information being published in these reports may do more harm than good and may not help those defending their networks. In some cases, the details in the report could undermine criminal investigations, alert criminals that their methods have been discovered, or wrongly accuse or implicate innocent parties.
The recent Target breach is a good example for what I’m trying to point out. As a result of this breach, over 40 million credit cards were compromised by the attackers. As the details of the breach trickled out, many people began speculating as to how the attack could have been executed and who could be behind it. In the days and weeks following the official announcement of the breach we saw reports from various vendors implicating different systems as the weak link that made the attack possible.
We also saw some vendors release technical details of the malware and support infrastructure suspected to have been used. Most worrying of all, we saw some vendors name individuals as suspected of being involved in the breach. In one report, a 17-year-old was accused of being the author of the malware, which he denied and was subsequently found not to be involved.
We have also recently witnessed some vendors issue reports on the latest malware campaigns that they have uncovered. These releases range from announcements telling us that they have discovered the latest destructive piece of malware but will not release the information until they present it at a conference, to sensationalized reports with statistics of potential infection sources which are not backed up by data others can verify.
My concern is that in their pursuit of grabbing headlines, ensuring their researchers are asked to be keynote speakers at major conferences, creating a name for themselves in the marketplace, or making themselves attractive acquisition targets to larger companies, these vendors are putting us more at risk than protecting us.