President Obama wants private sector companies to share information about cybersecurity threats  with each other – and the government.  That sounds like a novel idea – and some industries already are doing this among themselves.

However, the federal government doesn’t share their experiences with us (“National Security!”), but presumably they do share with each other. The big question then is – should the private sector share a one-way flow of information with the government?  That would be extremely altruistic, wouldn’t it?

The truth is that not everyone in the private sector has a choice in the matter.  Healthcare for example, must report breaches to the Office for Civil Rights (OCR) – or face penalties.

Overall, the playing field is really quite bumpy and uneven.   Government doesn’t share with us; we optionally share with each other (but often are too timid or embarrassed to do so); and some industries share with the government.

The private sector should share information – as long as it can be done without mandated punitive retaliation.

Go beyond cybersecurity threats, for example and look at one specific type, cyber-warfare. When examined closely, cyber-warfare is similar to analog warfare.  Threats affect assets.  If I saw terrorist activity on the street or my building was attacked, I would tell the authorities in the hope that the attack would be curtailed and others would not suffer the same fate.

Furthermore, the authorities might even be able to help me prevent such attacks or provide me with a response plan because they had seen this before and have a response already worked out (send in a S.W.A.T. team perhaps).  I would have readily shared my information with the government and it could potentially help me.

The difference might be that in the above scenario there is a sense that it is the government’s duty to help its citizens.  However, I get no feeling that this is the case for cyber warfare or cyber security threats in general.

Back to the earlier point on altruism – really, what’s in it for me?   Sharing cybersecurity information increases my risks of further attack if shared with the bad guys — otherwise it is potentially beneficial.   Though it would be beneficial overall if we did share cybersecurity threats with each other and the government as a security professional I am naturally paranoid, so I’m still  not 100% sure.

The post My Parents Taught Me to Share, So What’s the Big Deal? appeared first on Security Current.

A company I know was audited some years ago. One of the findings was that there were no Unix server logs. Over the next year server logging was enabled.

The following audit noted that nobody was reviewing the logs.  So the company invested in a SIEM solution and reviewed the alerts.  (Of course, no one actually told this company to act on those alerts – but that’s another story.)

The company is a global concern, and the audit was isolated to the Americas only.  So then of course a similar audit followed in the other regions, and of course,  the same findings emerged.  Not only that, it took yet another audit for them to be told to apply the same controls for their Windows environment.

It didn’t take a genius to see that coming.  And unfortunately, that was a true story.

I don’t know what was worse – the auditors simply checking boxes, or the client reacting to the letter of the audit and not the spirit or intent of the audit.

Are these sort of technical audits effective?  Is there a better solution out there?

I think they could be effective if the clients of those audits were honest with themselves and were committed to improvement.   The nature of an independent entity that can speak to the Board if necessary is powerful.  It carries weight. But the client must listen to not only the narrow findings,  they must see the bigger picture.

The post Audited and Jaded appeared first on Security Current.