Dark Reading is part of the Informa Tech Division of Informa PLC


Clear & Present Danger: Data Hoarding Undermines Better Security

Facebook and Google can identify patterns of attack within their own data, but smaller businesses rarely see enough traffic to successfully identify an attack or warn users.

As one of his first actions, President Joe Biden hired a team of cybersecurity experts to help the US defend against cybersecurity threats.

Experts are one approach to defense, but there might be a simpler answer: End-user organizations need to share their data to keep themselves, and their customers, safer.

Data is critical to defending against cybercrime and can be used to identify new forms of malware as they spread across the Internet. Data about people's usual behavior — where they typically log in from, whether they usually sign in on their phone or from a computer — can be used to protect user accounts.


Yet cybercrime data has long been hoarded by security vendors that feel their competitive advantage relies on their ability to protect themselves and their users better than their competitors.

This data hoarding leaves users at risk.

Companies like Facebook, Google, Microsoft, Disney, and Twitter use their data to identify when a login from your account seems suspicious and alert you to protect your account. It is common to receive an email from one of these entities warning, "Someone suspicious is trying to log in to your account. Is this you?"

Yet few of us receive comparable emails from the small business through which we buy children's toys, play games, or handle our personal finances. That's because these smaller companies don't have enough data to know which of their customers' logins are suspicious and which are not.

Large tech companies with billions of users can identify patterns of attack within their own data, but smaller businesses rarely see enough traffic to successfully identify an emerging attack.

Companies sharing cybersecurity data is one way to solve this problem. That data can be attack reports (for example, what code a company used to defend against an attack) or datasets of typical user behavior patterns, such as where users normally log in from or how often they mistype their passwords, which can be used to identify suspicious logins.
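As an added illustration of the point above (not code from the column or from any company it names), here is a small Python sketch of a per-user login baseline: with only the shop's own two observations the check cannot judge anything, while the same check over pooled history can. The site names, the five-login threshold and the login records are constructed for the example.

```python
from collections import Counter

# Minimum number of prior logins before a per-user baseline is trusted (assumed value).
MIN_OBSERVATIONS = 5

# Constructed sample histories; each record is (site, country, device).
# A small shop has seen this user only twice, far too little to judge a new login.
LOCAL_HISTORY = [
    ("toyshop.example", "US", "iphone"),
    ("toyshop.example", "US", "iphone"),
]
# The same user's logins observed elsewhere, as a shared repository might supply them.
SHARED_HISTORY = [("bigmail.example", "US", "iphone")] * 6 + [
    ("bigmail.example", "US", "laptop"),
    ("social.example", "US", "laptop"),
]


def assess_login(history, country, device):
    """Classify a new login against the user's baseline of past (country, device).

    Returns 'insufficient_data' when the history is too thin to form a baseline,
    'familiar' when both country and device were seen before, 'review' when one
    of them is new, and 'suspicious' when both are new.
    """
    if len(history) < MIN_OBSERVATIONS:
        return "insufficient_data"
    countries = Counter(c for _site, c, _dev in history)
    devices = Counter(d for _site, _c, d in history)
    unseen = int(countries[country] == 0) + int(devices[device] == 0)
    return ("familiar", "review", "suspicious")[unseen]


def compare(country, device):
    """Verdict from the shop's own data vs. the shop's data pooled with shared data."""
    pooled = LOCAL_HISTORY + SHARED_HISTORY
    return assess_login(LOCAL_HISTORY, country, device), assess_login(pooled, country, device)


if __name__ == "__main__":
    for attempt in [("US", "laptop"), ("DE", "iphone"), ("RU", "linux-desktop")]:
        local, pooled = compare(*attempt)
        print(f"{attempt}: local={local}, pooled={pooled}")
```

The local verdict is always "insufficient_data"; only the pooled history separates a familiar laptop login from a new-country or new-country-and-device attempt.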

Some initiatives have tried to get companies to share cybersecurity data so that companies of every size can protect themselves and their users.

For instance, Facebook (disclosure, a company I've consulted for) runs the ThreatExchange program, which allows companies to conveniently and easily share threat data about malware and distributed denial-of-service attacks against their corporate infrastructure, among other kinds of information.

Even new cybersecurity laws have focused on data sharing aimed at corporate-wide threats. The Cybersecurity Information Sharing Act (CISA) was signed into law in 2015 to protect private companies from liability when sharing information about cybersecurity threats — and defenses against them — with the government.

While a step in the right direction, these initiatives tend to focus on large-scale attacks against a company — hacks like SolarWinds — not attacks against individual users, like when someone tries to log in to a personal account by guessing the password.

Even though there is overlap between the users of big companies' services and the customers of small businesses, the big companies aren't sharing their data. As a result, customers who use smaller businesses are left to fend for themselves.

A few companies are trying to change that. Deduce (disclosure, another company I've consulted for) created a data collective through which companies can share information about users' security-related behavior and logins.

In exchange for sharing data with the platform, companies get access to Deduce's repository of identity data from over 150,000 websites. They can use this shared data to better detect suspicious activity and alert their users, just like Microsoft and Google do using their own data.

In a different approach to helping businesses identify suspicious users, LexisNexis created unique identifiers for their clients' customers. Using these identifiers, their clients can share trust scores that indicate if a particular user is suspicious. If a suspicious user attempts to log in to a website, the site can block that user to keep themselves and their legitimate users safer.

This is a good start. The lack of cybersecurity data means that security experts lack confidence in their ability to protect Internet users, and even Caleb Barlow, IBM's former vice president of security, says the industry needs to change. More data is needed, and it needs to be shared.

For cybersecurity data sharing initiatives to succeed, we need to shift our mindset. End-user facing companies, both small and large, already share advertising data with each other, because they realize that the value of shared data in generating insight into their customers' preferences is greater than the value of keeping the insights from their customers' data to themselves. We need to view cybersecurity data like advertising data: more valuable shared than hoarded.

Clear empirical evidence on the value of cybersecurity data sharing may be able to convince a majority of companies to share their data. Evidence might include measured increases in the number of threats detected using shared data or increases in brand sentiment from security features built using shared data.

While some of this evidence already exists — for example, my research shows significant increases in brand trust when users receive login notifications — more is needed to inspire a paradigm shift in our collective attitude toward cybersecurity data sharing. Perhaps then 2021 will be a year without a repeat of the level of cybercrime seen in 2020.

Dr. Elissa M. Redmiles is a faculty member and research group leader of the Safety & Society group at the Max Planck Institute for Software Systems. She is also the CEO of Human Computing Associates, a research consulting firm, and has served as a consultant and researcher at ...
