Every week we speak to various experts in cybersecurity here at HackSurfer, and regardless of the topic or industry being discussed one word gets thrown around perhaps more than any other: sharing. You hear it from President Barack Obama. You hear it from congressional leaders. You hear it from vendors. You hear it from those on Wall Street, in healthcare, in energy. You hear it so much it almost loses its meaning.
An interesting thought emerged from those discussions though. In many ways the cybersecurity industry and hacking culture are opposites. One side often seems closed — hiding the details of breaches, panicking at the thought of shareholders hearing negative news, not wanting to share the things that give them a competitive edge. The other side, despite being cloaked in anonymity, often appears open — shouting and echoing even the most minor of hacks (or made-up ones) from the rooftops, working together as a unified collective, and — here’s that word we keep hearing — sharing.
So we asked those experts we spoke to their thoughts on the hacking culture, sharing in cybersecurity, and if there is anything to be learned from hackers. Here are some of their responses.
Information is Vital: “It’s absolutely vital because the threats are changing dramatically, and there are dynamic threats each and every day. With one of our clients that we work with, over a 24-hour period we saw 17 different versions of the same phishing attack. They were clearly testing what was going to be working. They were clearly taking experiences of attacking a different financial institution three weeks prior and implementing them on the next brand. The value of having information is totally important.” -Ken Takahashi, general manager of anti-phishing solutions at Return Path
Sharing is Vital for Good Research: “I’ve actually found, surprisingly, a lot of companies do open up details about their vulnerabilities after the fact. Once it’s been found, once it’s been fixed, companies tend to err on the side of, you know what, let’s say that we had this problem and that we fixed it. I’m actually one of those people who reads the change log every time Adobe Reader updates, and they actually provide a significant amount of detail there. In fact, I actually use some of that material in my exams. And if you go into places like the open source world … they will embargo their vulnerabilities for the period of time that they’ve been found and they’re trying to find a fix for it. It’s usually just a few days, and then they release that data open for all the world for all of time.
I’ve gone back and studied vulnerabilities that occurred ten years ago. I have the code. I have the history of the code. I can see when the vulnerability was introduced. I can see when it was fixed. I can see 50 times that they worked on the code and they missed it. So from a research point of view, the sharing that’s been going on has been enormously helpful.” -Andy Meneely, assistant professor of software engineering at Rochester Institute of Technology
It’s Only One Aspect: “Cybersecurity’s a really complicated problem that’s going to have lots of aspects of solutions, and, if you will, the hacking culture and identifying and sending off attacks or vulnerabilities is an important part of that culture, but it’s not the only part. If you look over the major breaches for the past five years, you know, the really big ones – a million records or more – in almost every single one of them there was a human failure element: somebody didn’t follow a policy, they hadn’t updated their anti-virus software, they fell for a phishing message. So we can have all the hackers in the world working for us, and we’re still going to have those problems. So it’s not enough to just sharpen your technological edge. You’ve got to get people to use the technology and use it correctly.” -Fred H. Cate, Distinguished Professor and C. Ben Dutton Professor of Law at the Indiana University Maurer School of Law and director of the Indiana University Center for Applied Cybersecurity Research
They Have No Choice: “Your successes give you an edge in the marketplace. Your vulnerabilities, on the other hand, open you up to problems and get somebody else an edge in the marketplace, so you really don’t want to broadcast either one of those things when it comes to cybersecurity. But we find out about them because a really good hacker, they just love telling the world, ‘Hey, I got into the DOD system and changed something.’ …
What we have found is that our IT professionals responsible for security at the university systems – and believe me the universities can have some pretty expensive systems for both computing and security – while they’re very closed-mouthed about what they do and how they do it, what they do say is they talk all the time. They talk all the time to other cybersecurity people in a variety of businesses and industries because it really is becoming a cooperative venue to develop systems to protect – the world I guess is the best way to put it – to protect the world of business or the world of academia or the world of government agencies. They have no choice but to communicate with each other.” -Dr. James Phelps, assistant professor of criminal justice at Angelo State University
Hacking Communities are Good: “The word hacker is pretty much tainted and publicized to create that adventure, but in reality if you’re doing it properly, hacking in general and those communities in general are – it’s about doing good. It’s about offensive security and vulnerability assessment, and it’s about working on projects that actually can help organizations, so we’re very pro, in support, of hacking communities and organizations around the United States and the world – as long as they’re doing it for the right thing.” -David Fernandez, director, PLXsert (Prolexic Security Engineering and Response Team)