RealTime IT News

Groups: Pay Us for a Heads-up on Security Threats

It pays to be secure. Literally. Especially where the Computer Emergency Response Team Coordination Center (CERT/CC) is concerned.

An invaluable group to the government because it tips them off to security threats before they can mete out damage, CERT Thursday said it will open up its advisories about viruses, hacks, and other pesky nuisances to others, so long as groups are willing to open up their coffers.

For varying fees, the organization, in conjunction with the Electronics Industries Alliance (EIA) and the Carnegie Mellon University's Software Engineering Institute (SEI), would offer early warnings to international corporations about threats, offer security advice and establish a program to certify the security of companies' computer networks, according to statement issued by SEI. Companies joining the program would pay $2,500 to $70,000 per year, depending on their revenue, for warnings about the latest Internet threats 45 days before anyone else.

That 45-day rule spans back to October 2000 when the company announced its policy revision and further stated that not all security threats would be disclosed because there may be "threats that are especially serious or for which we have evidence of exploitation will likely cause us to shorten our release schedule."

In linking arms as the leaders of the new alliance, CERT, SEI and EIA would operate under the moniker of Internet Security Alliance, or ISA. The groups sounded off Wednesday in a joint statement, saying that their goal was to "respond to the urgent economic security challenge posed by a growing dependence on e-commerce."

Basically, the newly-formed unit hopes to combat the surge in viruses, holes and hackers that compromise the security of government, businesses and consumers. A multi-billion dollar industry that has yet to mature, e-commerce may very well be at the forefront of the group's mind.

The new ISA also wants the U.S. to boost computer protection and would use portions of its incurred fees toward that end. Thus far, such powerful organizations as NASDAQ, AIG and Mellon Financial Corp. have signed on to join the alliance.

Rooted in the late '80s, CERT was once concentrated on protecting the government. The group habitually waited about 45 days after it became aware of Internet threats to warn consumers -- all to give software companies the jump to fix problems. However, CERT researchers give detailed warnings to U.S. government agencies, which pump $3.5 million into CERT every year.

This perhaps worked fine enough in the early years of the Web, but as attacks became more frequent and severe, so did the costs of combating them. Groups have since pressured CERT to go commercial to cover the escalating costs of reporting threats.

The ISA, then, is promising to continue its policy of early reports to the government, but would also provide early alerts to those who join the alliance.

Waltham, Mass.'s Guardent Inc., a security firm, joined the group and voiced its support for ISA in a press statement Thursday.

"The ISA provides the necessary industry cooperation that Guardent believes is required for the Internet to continue to be a valuable commerce environment," said Jerry Brady, Guardent's vice president of research & development. "Above and beyond other information-sharing venues, Guardent believes that ISA will provide the necessary cross-industry view of the shared risk space the Internet represents."

Some critics charge CERT is not all that it is cracked up to be and, accordingly, such an alliance is no big deal. Brian Martin, one of the operators of the Attrition.org hacking information site, blasted CERT.

"CERT has consistently been so far behind the curve it isn't funny," Martin told InternetNews Radio via e-mail Thursday. "And it isn't just that they get the information in advance and are slow to release. CERT often learns about new threats the same time the rest of the masses do -- via bugtraq or other public forums. In the past, I've had some vulnerabilities that CERT didn't release advisories on until a year later. There is no way they were sitting on the information or biding their time. They simply didn't know about it."

Moreover, Martin said CERT advisories typically do not help administrators fix problems unless they happen to cross reference a vendor advisory or include patch information.

"Looking at the patch notes, THEN the administrator can figure out what the bug/vulnerability was. CERT releasing "There is a bug in Solaris" is not a help," Martin wrote.

"CERT is not perfect by any means," Guardent's Brady told InternetNews.com upon hearing Martin's comments. "They do a good job of collecting information and disseminating it and, in a volatile industry such as this, that is a tough thing for anyone to do, and they have been doing it for 12 years. They're not going to please everybody, all of the security hobbyists, especially some of the nouveau security organizations who seek full disclosure and fixes, like Attrition.org. There can never be enough places for vendors to go and they do a good job of coordinating them. They work initially on a very discretionary basis and are kind of the Switzerland of the security industry."

While ISA is certainly new, the notion of a security alliAnce that incurs fees may not be a first. In February 2001, the Internet Software Consortium (ISC), which crafts software for the Internet's domain-name service, created an information exchange to keep companies and software makers that use its product aware of any security holes.

Akin to what the ISA is gunning for, the ISC charges fees for membership in its new information service. That play came after a report of four security flaws in the BIND (Berkeley Internet Name Domain) software that could allow attackers to crash or gain control of any DNS servers running the software.

Ideally, security alerts would be available to all parties, but that utopia has proven elusive. Jim Magdych, security research manager of PGP Security, has long advocated for wide disclosure of security threats. Public discussion of the flaws and threats leads to better security, Magdych has said.

InternetNews Radio Host Brian McWilliams contributed to this story.