Recently, Ellen Messmer wrote a story on a cyber security early warning system in the state of Washington, USA. One of the most promising pieces of this system is the process and information sharing that's being folded into it. Washington University, Starbucks, City of Seattle, Amazon.com, Port of Tacoma, and other groups are setting up an information sharing system that will help one learn from the other. For example, if Amazon.com experiences a botnet attack, it will share that profile and info about that attack with the City of Seattle so it can learn, prepare, and hopefully defend itself against a similar (or the very same) attack. The system, called PRISEM (Public Regional Information Security Event Management), is designed to offer an online early warning to all its members. This system has several security analogies in place today:
- The tsunami early warning system put in place after the disastrous Indian Ocean tsunami in December 2004
- The Las Vegas cheater profiling system which shares behavior, personal, and photographic info of known scammers amongst numerous casinos
- The information sharing strategy of ODNI (Office of the Director of National Intelligence) in America, which began operations in April 2005 after the need to share information between the intel communities became painfully clear in the aftermath of the 9/11 attacks.
So praises all around for PRISEM and the Washington organizations committed to sharing security information. Unfortunately, the system they're putting in place will not detect or prevent the nastiest and most common attacks that occur – those at the software application layer. PRISEM talks about the importance of protecting SCADA systems and other critical infrastructure; I couldn't agree more. However, standing up a Security Information Event Monitoring (SIEM) and information sharing system isn't enough. The majority of application layer attacks will still be successful … and this will be the case until those software systems are either updated to modern secure coding standards, or protected with application layer defenses (similar to web application firewalls for web apps). As an industry, we've still got some innovation to create in the form of self-defending application systems. The concepts are in place, and this approach would be a lot less expensive than re-architecting and re-coding the thousands of legacy applications that support our critical infrastructure.
We’ll get there… one step at a time.