2004-11-16

Comprehensive Information Security Clearinghouse

One thing I've noticed in my time as an analyst is the lack of a leading, authoritative source for the most up-to-the-minute information on threats to the confidentiality, integrity, and availability of systems. Anti-virus sites are very timely, but are far from comprehensive and tend to differ in their analyses, leaving too much ambiguity. SANS does a very good job for the technically-minded, but they aren't always the most timely group, and the topics covered are at the discretion of one single person on any given day. CERT has a wonderful, long history of being authoritative and quite comprehensive, but due to their insistence on accuracy, they tend to lag behind threats by a number of days and don't always provide very complete data. Beyond this, the analyst is left with mailing lists, which require far too much time and attention for one person to get good information and still have time to perform all the other duties that may be assigned to him/her. Finding security-specific industry news is easier, but it is often found in yet another location, separate from vulnerabilities, malware, etc.

What is needed is a government-funded clearinghouse for threats and vulnerabilities, announcements, etc., covering every aspect of information security. I say "government funded" because this organization needs to be free from a profit-making model. The risk of businessmen sacrificing deliverables to expand profit margins must be eliminated from the equation, but making the solution government-run would immerse it in a quagmire of red tape, delays, bureaucracy, and, most importantly, stagnation of fresh thoughts and ideas. Providing funding for an outside group is the best answer.

This shouldn't be a re-invention of the wheel. A lot of good work is being done out there, and it should not be neglected. Linking information in CERT with vulnerability data from Bugtraq and exploit data from leading anti-virus firms would be a powerful tool in the right hands, and it's easy to see how this could be applied to other knowledge domains, from policy and procedures to security program management, VPNs, encryption, etc.

Such a group would hold enormous influential power in the industry (another reason it shouldn't be profit-driven), and as such could aid in the resolution of high-impact conflicts or problems, like the malware nomenclature conundrum mentioned in my previous entry. With more money and attention, the DHS is well-positioned within the pool of US agencies to champion this effort. As it exists today, however, this won't happen. After turning over three leaders in as many years, it's obvious that a systemic problem exists in that agency with regard to InfoSec. Even though the agency's task would only be oversight, without proper care and feeding this would only be another fruitless money pit for taxpayers.

3 comments:

Anonymous said...

A government clearing house is a pretty tall order. I doubt one will be formed - possibly? The NSA does some security-related stuff, and posts information about how to harden systems - potential expansion of that is hopeful?

I think it would be more likely that a university forms a large-scale malware studying initiative, and then as a part of that sets up a nice clearing house for this kind of information. Although the idea that it would behave any differently from CERT or SANS is probably not that good. Sounds like what you really want is just better moderated mailing lists to operate as up-front filters before CERT and SANS catch up.

-Kevin

Michael Cloppert said...

It's a tall order, but a necessary one. The problem here extends beyond just malware. In late 2002, a distributed denial-of-service attack was launched against what were then all 13 root servers. This was a major attack on a key cog in the internet's infrastructure, but covering the details of this attack was well out of scope for many security sites. As an analyst at a large corporation at the time, knowing what type of bots were being used would have helped me analyze my network for signs that I was part of the problem, for example.

What is needed is a group that pulls together security information that's already available, and provides research where information is needed but not available. In such a position, it could make recommendations on dispute resolution and provide proposals to standards boards.

You mention the NSA. A lot of good guidance has come out of the NSA's research, but the problem here is obvious: so much of their work involves classified information that much of it isn't shared. And it's precisely the sharing of information in an efficient and effective manner that I'm speaking to.

Michael Cloppert said...

Kevin,

Re-reading your post, I think I missed your point. At the moment, I agree that creating such a clearing-house is highly unlikely. For my part, the intention here was to simply highlight the need for one, and present some rough arguments to support that point.

Mike