Friday, February 3, 2012

How much sharing is too much?

We always hear calls for more information sharing in InfoSec, but is it really needed or helpful? What is the point of me telling you I was compromised by spear phishing, SQL injection, cross-site scripting, cross-site request forgery, default credentials, or anything else we’ve known about for years? If you are ignoring all of the well-known risks, it is a waste of my time preparing the data and sharing it, and it is a waste of your time reading it. This isn’t as disturbing as some of the oversharing we see on the internet, but it may be more distracting.


Maybe you should just do what you already know needs to be done.  Don’t give me that look, you know exactly what I mean.  We need to talk about security sometimes, but more often we need to shut up and DO security.

On the other hand, if you are taking things seriously and are at least making a good-faith effort, then knowing the specifics of what attacks are in the wild, who they are targeting, and details of the compromise timeline could be very valuable in prioritizing your defenses and focusing your monitoring. The New School folks are much more eloquent in explaining the value of information sharing done properly, so I’ll refer you to them for more on that.

Oh, and if you do choose to share information, the more RAW DATA you share, the better. Add context and color, share observations, theories, and maybe even a conclusion or two, but give us the data whenever possible. And go easy on the images. A good infographic is a thing of beauty (probably because of their scarcity), but overthought and underdelivered graphics seem to be the norm. Don’t do that.