Industry Should Share Data Loss Information

By Danny Lieberman, Security Expert and Founder of Software Associates

In a previous article, I suggested that fragmentation of knowledge is a root cause of security breaches.

I was thinking about the problem of sharing data loss information this past week and I realized that we are overwhelmed with solutions, technologies, policies, security frameworks and security standards – COBIT, ISO27001 etc..

The German physicist Helmholtz identified three stages of creativity: saturation, incubation and illumination.

We appear to be in the saturation stage right now.

Henri Poincaré identified a fourth step that follows the other three: Verification is putting a solution into concrete form and checking it for errors or usefulness.

In the early 1960s, the American psychologist Jacob Getzels proposed that a preliminary stage of creativity involves formulating a problem.So let’s start with formulating the problem of security information sharing.

People and their employers are unwilling to discuss the details of security events that happened, their security vulnerabilities,  the damage in dollars was actually caused, how the events were discovered, how the threats that exploited the vulnerabilities were mitigated and most importantly – how well their current security products perform.

In our threat analysis work, we run into these problems daily.

We offer an excellent free threat modeling tool from our colleagues at PTA Technologies called PTA – Practical Threat Analysis.

I think we have over 15,000 downloads. Users sometimes have questions that require taking a closer look at their threat model but it almost never happens because of the fear of disclosure.

On one occasion – a user shared his threat model after obfuscating the data (you can download the software here – free risk assessment software.)

Here is a possible solution to the problem we just formulated:

• Define a language for describing a security event -  having a canonical language to describe things is a basic requirement for sharing information between people.
• Build models of attackers, vulnerabilities, assets under attack and security countermeasures in order to describe loss events using the common language.
• Enable people to build, maintain and share models anonymously. What is important is not the identity of the company who had the loss event, but the details of the model.
• Use the models to measure the loss impact and the effectiveness of their security countermeasures in dollars. This provides a security metric that will enable people to look at models and compare ‘apples’ to ‘apples’ without involving marketing factors such as product features and distribution channels.

Danny Lieberman is a serial technology innovator and leader – implementing ideas from brain to business. Danny has a graduate degree in solid state physics and has spent most of his adult life developing software. Since 2003 – Danny has been doing data security consulting and data protection/information assurance projects using data loss prevention /extrusion prevention technology.

Danny’s data security business, Software Associates provides enterprise information protection to clients in Europe and the Middle East. His latest venture is MedRep, a professional network for medical representatives and doctors. Feel free to text Danny at any time of day at: +972 54 447 1114 -  he is always looking for interesting projects and ideas.

* * *

Stay Informed With ISR News Feeds and Email Alerts Here:

The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com

Filed under: Breach, D&O Liability, Danny Lieberman, FEATURE ARTICLE, Financial, Government, ISR News, Insider Threat, Military, PCI, Sarbanes-Oxley, Software Associates, Uncategorized, due diligence, hackers, healthcare, identity-theft, malware, national security, privacy 

Comments

• ISR Headline Index

  • Perplexities of Enterprise Privacy Policies
  • Sorting Out Social CRM Options for Business
  • Police Make Arrests In ATM Skimming Ring
  • Insurance Industry Fights Liability Claims
  • More Talks with Anti-Jihadi Hacker The Jester
  • Avoiding Enterprise Software Vendor Lock-In
  • The FCPA Role In International Acquisitions
  • Vigilante Hackers as Heroes, but at What Cost?
  • China: Internet Freedom Is Culturally Relative
  • Advantages of Data-Focused Risk Assessments
  • WireHead Security Partners With NCICU
  • FaaS: The Emergence of Fraud as a Service
  • Pet Lovers are Target of Latest Online Scams
  • Behavioral Based Email Security Systems
  • Web Security From A New Perspective

• Recent Comments

  • James C. Roberts III on The FCPA Role In International Acquisitions
  • LH on Q & A With Anti-Jihadi Hacker The Jester
  • Some Sun Tzu quotes… | D90 Tools & Techniques on Sun Tzu: PCI-DSS and Situational Awareness
  • JT on More Talks with Anti-Jihadi Hacker The Jester
  • j35t3r on Q & A With Anti-Jihadi Hacker The Jester
  • Albert Lea Tribune | Military News | Military Fitness Wisdom on Sun Tzu: PCI-DSS and Situational Awareness
  • ravenwaver on Q & A With Anti-Jihadi Hacker The Jester
  • badgamon on Q & A With Anti-Jihadi Hacker The Jester
  • How th3j35t3r And Other Hackers Are Using Their Skills To Bring Real World Bad Guys To Book on Q & A With Anti-Jihadi Hacker The Jester
  • “We want heroes” – at what cost? « jpskaar on Patriot Hacker Hits Jihad With DDoS Attacks
• 
  

  Information Security Resources

  Top network security blogs

• Categories

  • Anthony M. Freed (28)
  • Bill Brenner (2)
  • Bob Violino (1)
  • Bozidar Spirovski (22)
  • Breach (492)
  • Britt Womelsdorf (5)
  • By Dr. InfoSec (2)
  • Cara Garretson (7)
  • CCCNews (1)
  • Chorey Taylor & Feil (8)
  • Christophe Veltsos (2)
  • Christopher Burgess (7)
  • CIOZone (24)
  • Class Action Lawsuit (109)
  • Cloud computing (68)
  • Coby Royer (5)
  • CTO Forum (8)
  • D&O Liability (541)
  • Daniel Wallace (5)
  • Danny Lieberman (11)
  • DataLine (10)
  • David Alexander (2)
  • Derek Crawford (1)
  • Doug Pollack (6)
  • due diligence (251)
  • Fame Foundry (1)
  • FEATURE ARTICLE (398)
  • Financial (526)
  • Fred Leland (7)
  • Gene Kim (3)
  • Government (334)
  • Greg George (3)
  • H1N1 (15)
  • hackers (481)
  • healthcare (94)
  • Heather Bourgoin (1)
  • HomeATM (8)
  • identity-theft (478)
  • IDExperts (16)
  • Ike Z. Devji (1)
  • Insider Threat (435)
  • Internet Crime Complaint Center (1)
  • Internet Security Alliance (40)
  • ISR News (315)
  • Jacqueline Herships (1)
  • Jenni Hesterman (3)
  • John M. Salomon (2)
  • John Watkins (7)
  • John-Patrick Skaar (1)
  • Kaliber Data Security and Compliance Consultants (3)
  • Kat Sanders (2)
  • Ken Leeser (3)
  • Kevin L. Jackson (10)
  • Kevin M. Nixon (22)
  • Laton McCartney (6)
  • Laura Wilson (14)
  • Lauren Taylor (1)
  • Linda McGlasson (1)
  • malware (446)
  • Mark Wright (1)
  • Mel Duvall (3)
  • Michael Eggebrecht (2)
  • Michael Lohr (1)
  • Michael O'Conner (4)
  • Mike Duncan (3)
  • Mike Meikle (3)
  • Mike Spinney (1)
  • Military (174)
  • national security (402)
  • PCI (268)
  • PCI Security Standards Council (30)
  • Physical Security (11)
  • privacy (496)
  • Rachel James (10)
  • Rebecca Herold (16)
  • Richard Stiennon (27)
  • Robert Siciliano (30)
  • Sarbanes-Oxley (443)
  • ScamStop (2)
  • Sean Wilkins (2)
  • Semyon Dukach (1)
  • Simon Heron (14)
  • Software Associates (11)
  • Steven Fox (19)
  • SUPERAntiSpyware (3)
  • Sybase (6)
  • Symplified (5)
  • The Jester (4)
  • The Privacy Professor (16)
  • Thomas R. Fox (4)
  • Tom Groenfeldt (2)
  • Tom McLain (2)
  • Trefis (6)
  • Tripwire (18)
  • Uncategorized (579)
  • virtualization (57)
  • Webcast (31)