Information Sharing and data breaches

Written by Davide Andreoletti, SUPSI

In this post we discuss the issue of data breaches inside companies, and, based on the analysed literature, we show that a well-orchestrated information sharing system is a possible solution to mitigate the problem.


Information sharing infrastructure: a viable mitigation solution to data breaches

Fredrik Bergstör, consultant at Tieto, declared that “Data is the new gold”, implying its enormous value in an increasingly digitalized world. In fact, according to Ponemon, the average loss for a breach of 1000 data records within a company is estimated to be between $52,000 and $870,000 [1].

As a consequence, the cyber black market has grown to exploit this appealing source of revenue. As stated in [2], the black market is characterized by a clear structure with defined entities and roles. It is also well known that, once a vulnerability is discovered, the news spreads at a very rapid pace. Therefore, on the offensive side there is an implicit form of cooperation that clearly enhances the power of attackers. A well-defined defensive counterpart is still missing. To be more precise, a widespread infrastructure for sharing information about data breaches among companies has not been realized yet, partly because of legal issues. In fact, the traditional approach consists in analysing security-related data only inside the company itself. The main reason is that, unlike attackers, companies may not be encouraged to expose information about the attacks they have suffered, as this implies reputational damage.

This post is based on the assumption that the sharing of information could significantly lower the likelihood of being the victim of a data breach. The assumption is based on the experiments described in [1], and is also corroborated by [3], which argues that a proper information sharing process provides a form of prevention that allows the same level of data protection to be reached at a lower cost.

Therefore, we discuss the main characteristics that an information-sharing architecture should have, following the approach proposed in [4]. Going into more detail, such an architecture should include 1) analysis and 2) dissemination of data. The former aims at making sense of the data obtained in near real time, so that the exchanged data are as valuable as possible (e.g., to mitigate zero-day attacks); for instance, new attack patterns should be discovered as soon as possible. Note that this mirrors the approach adopted by attackers. The latter concerns the dissemination of the gathered information, and should be performed in a privacy-friendly fashion. In fact, the main risk associated with this phase is that valuable market information might be disclosed to unauthorized parties (e.g., a competitor).

The architecture could be centralized or distributed. As the number of entities involved in the cooperation is a key factor for its success (i.e., the higher, the better), scalability issues must be expected if the centralized solution is adopted. On the other hand, a purely distributed approach requires all the companies to be equipped with an analysis engine, which may increase operational and infrastructural costs.

The adoption of this approach, if correctly implemented, will benefit both the potential target companies and the institutions designated to guarantee the safety of a country (e.g., intelligence agencies), which will take advantage of a broader view of the events occurring in cyberspace.

We believe that this system is not limited to the prevention of software-level attacks, but also, and above all, applies to social engineering. It is intuitive that similar companies (e.g., in structure, market position, products, etc.) are more easily subject to similar patterns of attack. As an example, think of an attacker who crafts phishing e-mails to conduct a large-scale attack, e.g., against companies producing the same type of product. If several of these companies detect that attack, all the others (i.e., the members of the information-sharing community) can be enabled to react effectively.
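The two phases described above (analysis of pooled reports, then privacy-friendly dissemination), applied to the phishing scenario just given, as an added illustrative example in Python. This is not code from the post or from [4]; the hub design, the allow-list of shareable fields, the member names and the indicator values are all constructed assumptions.

```python
from collections import defaultdict
import hashlib

# Fields a member may share; everything else (e.g. revenue_impact) is dropped on submission.
SHAREABLE_FIELDS = {"lure_subject", "attachment_sha256"}

class SharingHub:
    """Centralized hub: analysis by cross-member correlation, privacy-friendly dissemination."""

    def __init__(self, min_members=2, salt="hub-secret-salt"):
        self.min_members = min_members      # indicators below this threshold are never published
        self.salt = salt
        self._members = defaultdict(set)    # indicator -> pseudonymous reporting members
        self._details = defaultdict(dict)   # indicator -> merged shareable details
        self._published = set()

    def _pseudonym(self, member):
        # Salted hash so hub records never carry clear member identities.
        return hashlib.sha256((self.salt + member).encode()).hexdigest()[:16]

    def submit(self, member, indicator, details=None):
        """A member reports an observed indicator (e.g. the sending domain of a phishing wave)."""
        self._members[indicator].add(self._pseudonym(member))
        for key, value in (details or {}).items():
            if key in SHAREABLE_FIELDS:     # sanitisation: business-sensitive data never enters
                self._details[indicator][key] = value

    def analyse(self):
        """Analysis phase: an indicator seen at >= min_members distinct members is a pattern."""
        return {i for i, m in self._members.items() if len(m) >= self.min_members}

    def disseminate(self):
        """Dissemination phase: advisories carry counts and shareable fields, never identities."""
        advisories = []
        for ind in sorted(self.analyse() - self._published):
            advisories.append({"indicator": ind, "reporters": len(self._members[ind]),
                               **self._details[ind]})
            self._published.add(ind)
        return advisories

def demo():
    """Constructed scenario: two similar companies receive the same phishing campaign."""
    hub = SharingHub(min_members=2)
    hub.submit("AcmeWidgets", "invoice-portal.example",
               {"lure_subject": "Updated invoice", "revenue_impact": 120000})
    hub.submit("BetaWidgets", "invoice-portal.example", {"attachment_sha256": "ab" * 32})
    hub.submit("GammaCo", "payroll-login.example", {"lure_subject": "Payslip"})
    return hub.disseminate()
```

Only the indicator reported by two distinct members is published, with the merged shareable fields and a reporter count but no company names; the single-member report stays private inside the hub.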


[1] Maasberg, Michele, and Charles Liu. "Network Effects and Data Breaches: Investigating the Impact of Information Sharing and the Cyber Black Market." (2015).

[2] Ablon, Lillian, Martin C. Libicki, and Andrea A. Golay. Markets for cybercrime tools and stolen data: Hackers' bazaar. Rand Corporation, 2014.

[3] Gordon, Lawrence A., Martin P. Loeb, and William Lucyshyn. "Sharing information on computer systems security: An economic analysis." Journal of Accounting and Public Policy 22.6 (2003): 461-485.

[4] Zrahia, Aviram. "A Multidisciplinary Analysis of Cyber Information Sharing."

This project has received funding from the European Union’s Horizon 2020 Research and Innovation programme, under grant agreement No. 653618