Groups: Pay Us for a Heads-up on Security Threats

It pays to be secure. Literally. Especially where the Computer Emergency
Response Team Coordination Center (CERT/CC) is concerned.

An invaluable group to the government because it tips them off to security
threats before they can mete out damage, CERT Thursday said it will open up
its advisories about viruses, hacks, and other pesky nuisances to others, so
long as groups are willing to open up their coffers.

For varying fees, the organization, in conjunction with the Electronics
Industries Alliance (EIA) and the Carnegie
Mellon University’s Software Engineering Institute (SEI), would offer early
warnings to international corporations about threats, offer security advice
and establish a program to certify the security of companies’ computer
networks, according to statement issued by SEI. Companies joining the
program would pay $2,500 to $70,000 per year, depending on their revenue,
for warnings about the latest Internet threats 45 days before anyone else.

That 45-day rule spans back to October 2000 when the company announced its policy revision and further stated that not all security threats would be disclosed because there may be “threats that are especially serious or for which we have evidence of exploitation will likely cause us to shorten our release schedule.”

In linking arms as the leaders of the new alliance, CERT, SEI and EIA would
operate under the moniker of Internet Security Alliance, or ISA. The groups
sounded off Wednesday in a joint statement, saying that their goal was to
“respond to the urgent economic security challenge posed by a growing
dependence on e-commerce.”

Basically, the newly-formed unit hopes to combat the surge in viruses, holes
and hackers that compromise the security of government, businesses and
consumers. A multi-billion dollar industry that has yet to mature,
e-commerce may very well be at the forefront of the group’s mind.

The new ISA also wants the U.S. to boost computer protection
and would use portions of its incurred fees toward that end. Thus far, such
powerful organizations as NASDAQ, AIG and Mellon Financial Corp. have signed
on to join the alliance.

Rooted in the late ’80s, CERT was once concentrated on protecting the government. The group habitually
waited about 45 days after it became aware of Internet
threats to warn consumers — all to give software companies the jump to fix
problems. However, CERT researchers give detailed warnings to U.S.
government agencies, which pump $3.5 million into CERT every year.

This perhaps worked fine enough in the early years of the Web, but as
attacks became more frequent and severe, so did the costs of combating them.
Groups have since pressured CERT to go commercial to cover the escalating
costs of reporting threats.

The ISA, then, is promising to continue its policy of early reports to the
government, but would also provide early alerts to those who join the

Waltham, Mass.’s Guardent Inc., a security firm, joined the group and
voiced its support for ISA in a press statement Thursday.

“The ISA provides the necessary industry cooperation that Guardent believes
is required for the Internet to continue to be a valuable commerce
environment,” said Jerry Brady, Guardent’s vice president of research &
development. “Above and beyond other information-sharing venues, Guardent
believes that ISA will provide the necessary cross-industry view of the
shared risk space the Internet represents.”

Some critics charge CERT is not all that it is cracked up to be and, accordingly, such an alliance is no big deal. Brian Martin, one of the operators of the hacking information site, blasted CERT.

“CERT has consistently been so far behind the curve it isn’t funny,” Martin
told InternetNews Radio via e-mail Thursday. “And it isn’t just that they
get the information in advance and are slow to release. CERT often learns
about new threats the same time the rest of the masses do — via bugtraq or
other public forums. In the past, I’ve had some vulnerabilities that CERT
didn’t release advisories on until a year later. There is no way they were
sitting on the information or biding their time. They simply didn’t know
about it.”

Moreover, Martin said CERT advisories typically do not help administrators
fix problems unless they happen to cross reference a vendor advisory or
include patch information.

“Looking at the patch notes, THEN the administrator can figure out what the
bug/vulnerability was. CERT releasing “There is a bug in Solaris” is not a
help,” Martin wrote.

“CERT is not perfect by any means,” Guardent’s Brady told
upon hearing Martin’s comments. “They do a good job of collecting
information and disseminating it and, in a volatile industry such as this,
that is a tough thing for anyone to do, and they have been doing it for 12
years. They’re not going to please everybody, all of the security hobbyists,
especially some of the nouveau security organizations who seek full
disclosure and fixes, like There can never be enough places
for vendors to go and they do a good job of coordinating them. They work
initially on a very discretionary basis and are kind of the Switzerland of
the security industry.”

While ISA is certainly new, the notion of a security alliAnce that incurs fees may not be a first. In February 2001, the Internet Software Consortium (ISC), which crafts software for the Internet’s
domain-name service, created an information exchange to keep companies and
software makers that use its product aware of any security holes.

Akin to what the ISA is gunning for, the ISC charges fees for membership in
its new information service. That play came after a report of four security flaws in the BIND (Berkeley Internet Name Domain) software that could allow
attackers to crash or gain control of any DNS servers running the software.

Ideally, security alerts would be available to all parties, but that utopia
has proven elusive. Jim Magdych, security research manager of PGP Security, has long advocated for wide disclosure of security threats. Public discussion of the flaws and threats leads to better
security, Magdych has said.

InternetNews Radio Host Brian McWilliams contributed to this story.

News Around the Web