The invention relates to a method and system of creating and maintaining a database for providing authenticated and anonymous sharing of information associated with threats to industry assets, and available resolutions or solutions to such threats on industry and national information infrastructures.
With the expansion of the global computer network known as the Internet, and an increase in business, commonly known as electronic business, conducted on the global computer network, security risks to such businesses and the related information infrastructure have become much more common in recent years. Specific risks involve potential liability related to invasion of privacy, copyright and trademark infringement, as well as attacks, implantation or spread of a computer virus, programming errors, information theft, fraud, security breaches, and other perils associated with electronic data.
The global computer network known as the Internet has opened extensive opportunities for financial services firms to connect critical business systems and create virtual businesses online. However, as noted, with the evolution of these businesses, there is an increased risk.
Not only are computer viruses a problem, but direct attacks on web sites have also become more common. Specifically, it has become common for hackers or unauthorized users to change the content of a web page and/or make other more damaging changes to such web pages.
Accordingly, there has been a need for a trusted yet anonymous method of sharing information about security incidents and vulnerabilities in such systems. A problem with such sharing, however, is that organizations are unwilling to report vulnerabilities and incidents for, among other reasons, fear of publicity that casts them in a negative light. As a result, no comprehensive database of threat data, and no method and system for accessing such data, has to date been available concerning threats, and the evolution of threats, used to exploit vulnerabilities in these systems.
In accordance with the system and method of the invention, the problems of the absence of such a method and system are avoided by providing a trusted and anonymous system and method for sharing information about security incidents and vulnerabilities.
More specifically, in accordance with the invention, there is provided a system and method for anonymously sharing information about security incidents and vulnerabilities in corporate and national information infrastructures. Specifically, the method and system provide a means for submitting information and categorizing the corresponding data in a secure manner in which the submitting party's anonymity is ensured.
In one aspect, the invention broadly involves a method for allowing sharing of information associated with threats to industry assets. By "threats" to industry assets is meant such things as: (1) anything that breaches the security of a company and its computer systems such as new viruses, "spoofing," "break-ins", defacements, etc. ("Incident Data"); (2) known technical vulnerabilities in products, systems or software ("Vulnerability Data"); (3) known information about groups or individuals who are actively posing an electronic threat to systems ("Threat Activity Data"); and (4) data made up of controlled early notification from vendors of discovered "holes," problems, vulnerabilities and the downloaded or downloadable "fixes," if available ("Vendor Data"). As it relates to the identified "threats," "Incident Resolution Data" shall mean known fixes or processes that correct the problems submitted. Of course, as will be readily apparent to those of ordinary skill in the art, other "threats" can eventually arise and be included among the specific threats enumerated, and dealt with within the method and system described.
The method thus will involve establishing a secured database which is made up of threat data, preferably in specifically classified form. Predetermined entities will be allowed access to the database to uncover information about threats. The database is augmented over time with additional threat data received from at least one of a plurality of sources. After the database is augmented, at least some of the predetermined entities are notified that additional threat data has been added to the database, whereby the predetermined entities will know to access the database if it is desired to learn more about the additional threat data.
From a system perspective, a data center is established which includes a secured database containing threat data stored thereon. A communications interface serves to allow predetermined entities access to the database, and a temporary database, separate or as part of and segmented from the secured database, is established for storing additional threat data received from at least one of a plurality of sources to allow review and classification of the additional threat data. The secured database is connected to the temporary database, either as a segmented part thereof, or as a separate database, for allowing the additional threat data to be stored on the secured database once it has been reviewed and classified. An electronic notification system serves to notify at least some of the predetermined entities about additional threat data stored on the secured database so that the predetermined entities will know to access the secured database if the additional threat data stored thereon is of interest.
More specifically, a secure facility, i.e., a data center, is established that provides for authenticated and, where appropriate, anonymous input and sharing of information associated with threats to industry assets and the available resolutions or solutions. The information may be shared securely through, for example, the World Wide Web, between authorized organizations who are oftentimes competitors, in an open and anonymous form. The database may be augmented by information provided by government and vendor sources.
Enrolled participants are provided the capability of anonymously submitting information to the database. Information then becomes available through secure, encrypted web-based connections. A team of analysts and security professionals assesses each submittal, regardless of the seriousness of the vulnerability or attack, to identify patterns. As appropriate, end users/participants are then notified by electronic page and/or e-mail, or other means, that an urgent or crisis situation exists, and are advised how to obtain additional information. Optionally, a user profile allows filtering of notifications so that participants receive notification only when a relevant issue arises.
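The following is an added illustration of the data-center flow described in the system description and in the preceding paragraph (staging database, analyst classification, promotion to the secured database, and profile-filtered notification). It is not code from the patent or from any implementation of it. The mechanism for "authenticated yet anonymous" submission is an assumption of this illustration: each enrolled participant holds an enrollment secret and tags a submission with an HMAC over its body; the gateway verifies the tag against the enrollment roster and then writes the record to the staging table without the participant's identity, so nothing downstream of the gateway can attribute it. The enrollment roster, notification profiles, category names and the submitted report are constructed sample data.

```python
"""Model of the secure data center: authenticated, anonymized submission into a
staging database; analyst classification into the secured database; and
profile-filtered notification. Illustration only; all names and data are
assumptions, not part of the patent."""
import hashlib
import hmac
import secrets
import sqlite3

# Threat categories named in the specification (assumed spelling).
CATEGORIES = {"incident", "vulnerability", "threat_activity", "vendor"}

# Constructed enrollment roster: participant id -> enrollment secret.
ENROLLED = {
    "bank-a": secrets.token_bytes(32),
    "bank-b": secrets.token_bytes(32),
}

# Constructed notification profiles: categories each participant wants to hear about.
PROFILES = {"bank-a": {"incident", "vendor"}, "bank-b": {"vulnerability"}}


def sign_submission(participant, body):
    """Participant-side: tag the report with an HMAC under the enrollment secret."""
    return hmac.new(ENROLLED[participant], body.encode(), hashlib.sha256).hexdigest()


class DataCenter:
    def __init__(self):
        # In-memory SQLite stands in for the temporary (staging) and secured databases.
        self.db = sqlite3.connect(":memory:")
        self.db.executescript("""
            CREATE TABLE staging (id INTEGER PRIMARY KEY, body TEXT, claimed_category TEXT);
            CREATE TABLE secured (id INTEGER PRIMARY KEY, body TEXT, category TEXT, severity TEXT);
        """)
        self.notifications = []  # (participant, secured_id, category, severity)

    def submit(self, participant, body, claimed_category, tag):
        """Gateway: verify the submitter is enrolled, then store the report without identity."""
        key = ENROLLED.get(participant)
        if key is None:
            raise PermissionError("submission not authenticated: participant not enrolled")
        expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            raise PermissionError("submission not authenticated: bad tag")
        # Anonymization point: the participant name is dropped here and never stored.
        cur = self.db.execute(
            "INSERT INTO staging (body, claimed_category) VALUES (?, ?)",
            (body, claimed_category),
        )
        self.db.commit()
        return cur.lastrowid

    def pending(self):
        """Analyst view of records awaiting review and classification."""
        return self.db.execute("SELECT id, body, claimed_category FROM staging").fetchall()

    def classify(self, staging_id, category, severity):
        """Analyst review: move a staged record into the secured database and notify."""
        if category not in CATEGORIES:
            raise ValueError(f"unknown category {category!r}")
        row = self.db.execute("SELECT body FROM staging WHERE id = ?", (staging_id,)).fetchone()
        if row is None:
            raise KeyError(staging_id)
        cur = self.db.execute(
            "INSERT INTO secured (body, category, severity) VALUES (?, ?, ?)",
            (row[0], category, severity),
        )
        self.db.execute("DELETE FROM staging WHERE id = ?", (staging_id,))
        self.db.commit()
        return self._notify(cur.lastrowid, category, severity)

    def _notify(self, secured_id, category, severity):
        """Send a pointer (not the report itself) to participants whose profile matches."""
        recipients = sorted(p for p, wanted in PROFILES.items() if category in wanted)
        for p in recipients:
            self.notifications.append((p, secured_id, category, severity))
        return recipients


if __name__ == "__main__":
    dc = DataCenter()
    report = "Web defacement observed on public site; index page replaced."  # constructed
    sid = dc.submit("bank-a", report, "incident", sign_submission("bank-a", report))
    print("notified:", dc.classify(sid, "incident", "urgent"))
```

The notification carries only the secured record's identifier, category and severity; the recipient then authenticates to the data center to read the record, which matches the description that participants are told that data of interest exists and "advised how to obtain additional information" rather than having the data pushed to them.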