Posted by & filed under /dev/random.

RSnake has a nice writeup on the effect of snake oil security. When discussing two hypothetical banks where one of them are running snake oil security, he writes:

This goes back to the bear in the woods analogy that I personally hate. The story goes that you don’t have to run faster than the bear, you just have to run faster than the guy next to you. While that’s a funny story, that only works if there are two people and you only encounter one bear. In a true ecosystem you have many many people in the same business, and you have many attackers. If you leave your competitor(s) out to dry that may seem good for you in the short term, but in reality you’re feeding your attacker(s). Ultimately you are allowing the attacker ecosystem to thrive by not reducing the total amount of fraud globally. Yes, this means if you really care about fixing your own problem you have to help your competitors.

This reminded me of the book The New School of Information Security that I read a couple of years ago. While it was a quick read, it made a convincing point about why people within information security should share [statistics of] their incidents and hacker attacks. This resonates well with the reasoning of RSnake above; in a hostile environment, the best thing to reduce the hostility is to cooperate, if not, you’re feeding the troll.

However, my personal experience indicates that little or few information security incidents are publicly reported. Sure enough, a couple of days later RSnake posted this post, confirming my suspicion. How can the total number of incidents go down when everybody in the infosec community reports the opposite?

I think IT and information security people should be more eager to share information about breaches and far less concerned about their company’s good name and “zero incidents reputation”. If we were more focused on sharing data about the incidents, malware attacks and fraud attempts we’re experiencing, that would truly make a difference. That way we could actually gather some real-time statistics on what businesses really are facing, both externally and internally. By sharing this information with everyone, one would potentially reduce the hostility of the surrounding environment, or at least make it difficult for the bad guys out there to survive.

After all, this is proven theory in other scientific (?) fields, like in economics. Anyone remember the Nash Equilibrium?

Lots of parts of the community already feel that openness is essential to security. I think willing to share real-time information on internal and external security trends will be vital in the future.


  1.  Unknown Unknowns | Break & Enter
  2.  5 non-technical books every hacker should read | Break & Enter
  3.  Break & Enter

Leave a Reply

  • (will not be published)