New service must overcome companies' unwillingness to share even anonymous data
Earlier this month, a series of worms--the first of which was named Zotob--took down a significant number of Windows 2000 PCs around the world. Microsoft issued a patch and said there was no threat to Windows XP systems unless the attacker had valid log-on credentials. About two weeks later, Microsoft discovered that wasn't the case, and said the same vulnerability that Zotob used to victimize Windows 2000 systems also existed on some Windows XP systems.
It's enough to make any IT department go mad. So several Philadelphia-area businesses and organizations are testing out a new model called the Cyber Incident Detection & Data Analysis Center, which lets private-sector entities anonymously share cyberthreat and attack data with their peers. CIDDAC's plan is to help keep members up to date about the latest threats and provide them with trend-analysis information about specific intrusion activity that they can use to assess risks to their own networks. It also expects to link the service with government agencies such as the Homeland Security Department and the FBI, providing them with anonymous information that could be used in the fight against cybercrime.
Similar programs exist, but they haven't solved the problem of companies being reluctant to report security breaches (see box). The service most closely resembles the SANS Institute's Internet Storm Center, although that service has no direct link with federal law enforcement. There's also the Software Engineering Institute's CERT Coordination Center, a federally funded research and development center operated by Carnegie Mellon University.
But CIDDAC arose out of shortcomings in the existing organizations, says Brad Rawling, a CIDDAC board member. Unlike government-sponsored services that are fair game for Freedom Of Information Act requests (which means companies worry about disclosure of anonymous information about a security breach), CIDDAC is a private-sector endeavor.
MUM'S THE WORD
Many cyberattacks go unreported
46% of organizations don't belong to any information-sharing
20% of cyberattacks are reported to law enforcement
16% of companies are unaware of law enforcement's interest in security breaches 12% of cyberattacks are reported to legal counsel
Data: FBI's Computer Security Institute's annual security
survey of 700 computer security practitioners in U.S. companies and
CIDDAC also is automating collection of cyberattack information. The SANS Institute's Internet Storm Center relies on freeware, called DShield, to anonymously collect data from users' intrusion-detection logs and disseminate this information to other users, but companies must submit their firewall logs to the center. CIDDAC is using software from AdminForce Remote LLC; members embed AdminForce's sensors into their company network and if an intruder attempts to penetrate the system, the intrusion-monitoring sensor sends a message to law enforcement and to other CIDDAC participants while protecting the identity of the reporting entity.
There is, however, one big downside. CIDDAC isn't free, like the other services. Membership will cost $10,000 per year, which pays for one sensor, a year of monitoring service, and access to CIDDAC reports. Since its April debut, the effort has been funded with about $100,000 from members, as well as $200,000 from the Homeland Security Department's Science and Technology Directorate. CIDDAC is searching for an additional $400,000 to move it beyond a pilot.
CIDDAC is expected to be fully functional by year's end. It's testing its sensor technology and reporting system in Philadelphia, New Jersey, and North Carolina. The next phase of testing, as CIDDAC receives production models of its sensors in the next month and a half, will include as many as 10 companies and institutions.
Whether CIDDAC succeeds remains to be seen. But no doubt weary IT departments on constant guard are looking for all the help they can get. (For more on information security, see story, The Threats Get Nastier).
5 Top Federal Initiatives For 2015As InformationWeek Government readers were busy firming up their fiscal year 2015 budgets, we asked them to rate more than 30 IT initiatives in terms of importance and current leadership focus. No surprise, among more than 30 options, security is No. 1. After that, things get less predictable.