11 INFORMATION SHARING

In this chapter, we will take a look at one of the methods of reducing our cyber security risks – sharing information about threats and vulnerabilities.

It’s worth bearing in mind that knowledge of vulnerabilities may lead an attacker to be able to mount a successful attack, but it’s only by careful sharing of information that security can be improved. This dichotomy can lead to tensions in the cyber security world, and the occasional holding back of information regarding some vulnerabilities.

The organisations described throughout this chapter all have excellent websites, so rather than repeating their content, a brief description of their activities has been provided with links to the appropriate web pages.

The most important aspects of information sharing are:

  • The whole concept of information sharing is based on trust.[1] This can exist at a personal level, with one individual trusting another, or can be between groups of people within organisations who share a common interest in the subject.
  • Information to be shared requires some form of information classification system or mechanism. Many information sharing initiatives now make use of the Traffic Light Protocol (TLP)[2] for classifying how information that is to be shared must be handled.
  • The information must be accurate. It is pointless sharing information that has not been verified since it can consume time and resources unnecessarily.
  • Advice to others must be timely. There is no value in keeping information back from those who would make good use of it, since an attacker may also become aware of it and take advantage of the time lag to initiate a successful attack.
  • Sharing must be done with care. The circle of interested parties with whom the information is shared must be trusted to handle it in an agreed manner, and not to allow it to fall into the wrong hands. There should be mechanisms built into the process to prevent onward distribution to people or organisations outside the sharing group.
  • It should be possible to anonymise the source of the information. On occasions, revealing the identity of the organisation that raised the issue could prove detrimental, and a means of passing on the information without attribution is essential.
  • It should be possible to share information with other commercial or critical infrastructure sectors. Frequently in cyber security, there are issues that will affect many, if not all, commercial or critical infrastructure sectors, and a means of passing information between them in a controlled manner is essential.

TRUST

Trust between members of an information sharing community is an absolute prerequisite. But what do we mean by ‘trust’? The Oxford dictionary definition is that trust is ‘the firm belief in the reliability, truth or ability of someone or something’. In the context of cyber security, this means that we must trust not only the information we receive but, first and foremost, its source, whether that is an individual or an organisation, and also the person(s) or organisation(s) with whom we subsequently share it.

Where information is shared on a face-to-face basis, it is often conducted under the Chatham House Rule,[3] named after the Royal Institute of International Affairs at Chatham House in London, which states:

When a meeting, or part thereof, is held under the Chatham House Rule, participants are free to use the information received, but neither the identity nor the affiliation of the speaker(s), nor that of any other participant, may be revealed.

A note adds:

The world-famous Chatham House Rule may be invoked at meetings to encourage discretionary openness and the sharing of information.

As far as the classification of information to be shared is concerned, trust works on two levels. First, the originator must ensure that the information has been correctly classified and must be confident that the recipients will handle the information in line with that classification. Second, recipients must have sufficient trust in the integrity of the originator so that they can have the same level of confidence in the accuracy and reliability of the information.

One final aspect of trust is the ability to have an independent party, trusted by all members of an information sharing community, who can act as a moderator, and can also perform the role of go-between in certain situations, as we shall see later. This individual is sometimes known as the Trust Master.

INFORMATION CLASSIFICATION

If it is in any way sensitive, information to be shared should be classified according to its level of sensitivity, and whatever method is used, it must be possible for it to be understood by both public and private sectors without the need to cross-reference their information classification schemes.

In the UK government, there is the Government Security Classifications.[4]

In the EU, there is a very similar scheme.[5]

A similar (but somewhat older) scheme also exists in the USA.[6]

As mentioned previously, the Traffic Light Protocol is used by many information sharing initiatives and classifies information as one of four colours:

  • RED – Personal, for named recipients only – in the context of a face-to-face meeting, for example, distribution of RED information is limited to those present at the meeting, and in most circumstances will be passed verbally or in person.
  • AMBER – Limited distribution – recipients may share AMBER information with others within their organisation, but only on a ‘need-to-know’ basis. The originator may be expected to specify the intended limits of that sharing.
  • GREEN – Community-wide – information in this category can be circulated widely within a particular community or organisation. However, the information may not be published or posted on the internet, nor released outside the community.
  • WHITE – Unlimited – subject to standard copyright rules, WHITE information may be distributed freely and without restriction.

This method of information classification is widely used in information sharing communities around the world since it is very simple to understand and implement, and additionally can be readily understood in other sectors or countries.

Most of the time, the originator of the information to be shared will determine its classification colour, but on occasion Trust Masters may decide to raise it if they feel that it is set too low.
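The handling rules for the four colours, together with the rule that a Trust Master may raise but not lower a classification, can be written down as a small policy check. This is an added illustration, not code from the book or from any sharing platform; the member and submission fields (organisation, community, named recipients, need-to-know flag) are assumptions about how a centralised system might record them.

```python
from dataclasses import dataclass, replace
from enum import IntEnum


class TLP(IntEnum):
    """Traffic Light Protocol colours, ordered from least to most restrictive."""
    WHITE = 0
    GREEN = 1
    AMBER = 2
    RED = 3


@dataclass(frozen=True)
class Member:
    name: str
    organisation: str
    community: str          # the sharing community (e.g. a sector SIE) they belong to
    need_to_know: bool = False  # holder's judgement, relevant to AMBER onward sharing


@dataclass(frozen=True)
class Submission:
    originator: str
    community: str          # community the item was submitted to
    tlp: TLP
    content: str
    named_recipients: frozenset = frozenset()  # RED: the only people who may receive it


def may_forward(sub, holder, recipient, publish=False):
    """Decide whether `holder` may pass `sub` on to `recipient`.

    Returns (allowed, reason). `publish` means posting outside any community,
    for example on the internet, which only WHITE permits.
    """
    if publish:
        return sub.tlp is TLP.WHITE, "only WHITE may be published"
    if sub.tlp is TLP.RED:
        # Personal, for named recipients only: no onward distribution beyond the list.
        return recipient.name in sub.named_recipients, "RED: named recipients only"
    if sub.tlp is TLP.AMBER:
        # Limited distribution: within the holder's own organisation, need-to-know only.
        ok = recipient.organisation == holder.organisation and recipient.need_to_know
        return ok, "AMBER: own organisation, need-to-know only"
    if sub.tlp is TLP.GREEN:
        # Community-wide: may circulate within the community, never outside it.
        return recipient.community == sub.community, "GREEN: within the community only"
    return True, "WHITE: unrestricted"


def reclassify(sub, new_tlp, by_trust_master=False):
    """The originator may set any colour; a Trust Master may only raise it."""
    if by_trust_master and new_tlp < sub.tlp:
        raise ValueError("a Trust Master may raise a classification, not lower it")
    return replace(sub, tlp=new_tlp)
```
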

PROTECTION OF SHARED INFORMATION

When information is being shared, the originator may consider it necessary to restrict its onward distribution, or to ensure that the information can be revoked or deleted in situations where it is no longer valid, or upgraded or downgraded when its level of sensitivity has changed.

This can be achieved by the use of a technique sometimes known as ‘information rights management’, which works by encrypting the information – for example, a text document – and allowing it to be opened by the recipients provided they can properly authenticate themselves to the central sharing resource.

Further, the document can be provided with additional protection choices so that it, or parts of it, can never be copied – which prevents it being pasted into an unprotected document – or printed, preventing its onward distribution in physical or scanned form.

If the document can be forwarded to another recipient, that recipient will in turn need access rights on the central sharing resource, and if the originator decides to remove the original document, any remaining copies can no longer be opened, since the metadata that enables their decryption is deleted along with it.

As with information classification, originators must ensure that the information has been appropriately protected, and again, recipients must have sufficient trust in the integrity of the originator so that they can have the same level of confidence in the accuracy and reliability of the information.

It makes good business sense in organisations that have a requirement for very strict confidentiality to run all incoming or outgoing emails through a scanning system that is able to detect and isolate any message containing particular words or phrases, or which can direct encrypted messages to a central verification point prior to their release.

ANONYMISATION OF SHARED INFORMATION

Situations will inevitably arise when a participating organisation does not wish to be identified as having been the victim of an attack (possibly even more so for a successful attack) or another cyber security situation in which they have become embroiled. The reasons for this are generally connected with commercial interests, and organisations may be reluctant for a competitor who is part of the same information sharing community to know who the incident affected, since this might place that organisation at a competitive disadvantage or have a negative effect on their share price or public reputation. At the same time, however, they might still wish details of the exploit to be made available to the wider community.

In face-to-face situations, such an organisation might well approach the Trust Master and request that they raise the matter without identifying the originator. The Trust Master will take great pains to ensure that this request for anonymity is respected, ensuring that even having omitted the originator’s identity the information passed on contains no clues or additional metadata that might reveal, infer, suggest or identify the originator in any way.

In the context of a centralised information sharing system, the Trust Master’s role must be performed by the system itself in conjunction with the originator of the information being shared. There are two general courses of action:

  • The originator can select an ‘anonymise’ option on the system’s preferences when setting up the specific information to be shared. This will remove any reference as to who originally submitted the information. However, should the information include other documents, for example word-processed documents, spreadsheets or presentations, the originator will be responsible for completely anonymising these.
  • The originator can select an ‘anonymise via the Trust Master’ option instead. In this situation, the originator openly sends the information to the Trust Master, who then submits it to the community as if it had come from the Trust Master alone.

Here, the application of trust works slightly differently. Originators must again ensure that nothing in the information being shared can reveal their identity, nor could their identity be inferred from the content detail. They must also have trust in both the information sharing system and the Trust Master that their identity will not be revealed. No additional trust is required here by the recipient.

Organisations, or groups of communities, that provide their own centralised systems for information sharing may later wish to interconnect them to widen the scope of their operations. Some cyber security situational submissions will inevitably be of significant interest to other sectors, and sharing information with them is highly beneficial, if not essential, and often avoids duplication of effort.

In order to supplement the ISO/IEC 27001 standard, the ISO produced an additional standard, ISO/IEC 27010:2015, that covers the secure exchange of information between centralised systems.[7]

Contact – and therefore trust – may already have been established between these different groups, communities or sectors, in which case information might be freely shared between them, following the same rules as those for sharing within a sector.

Alternatively, if no previous contact has been established and therefore no degree of trust exists, the Trust Masters in those sectors wishing to share information can act as intermediaries and initiate a limited degree of information sharing – possibly one-way only in the first instance – and subsequently encourage bilateral information sharing as an increasing level of trust develops.

Finally, once trust is fully established between the sectors, the Trust Masters may set preferences in the information sharing system that allow individual sector users to share information – either on a one-to-one basis with a peer in another sector, or more widely to a whole sector.

Originators of information should have the same degree of trust in users within a different sector as they do for users within their own sector. The information should be classified, protected and anonymised in exactly the same way.

From the recipient’s point of view, the only thing that matters is that they have trust in the originators of the information and therefore in the information itself.

ROUTES TO INFORMATION SHARING

There are four major routes to sharing information regarding cyber security issues, each of which has its own unique characteristics:

  • warning, advice and reporting points;[8]
  • the Cyber Security Information Sharing Partnership;
  • computer emergency response teams and computer security incident response teams;
  • security information exchanges and information sharing and analysis centres.

Additionally, an excellent Good Practice Guide to Network Security Information Exchanges has been written by the European Union Agency for Network and Information Security (ENISA).[9]

Warning, advice and reporting points (WARPs)

WARPs are a UK initiative that began in 2002 under the auspices of the National Infrastructure Security Coordination Centre (NISCC), which is now known as CPNI. WARPs allow their members to receive and share up-to-date cyber threat information and best practice. WARPs are now provided by CERT-UK’s CiSP.

Members of current WARPs tend to be regional government, emergency services or military organisations.

Cyber Security Information Sharing Partnership (CiSP)

The CiSP[10] is an initiative set up jointly between UK industry and government in order to share cyber security threat and vulnerability information. The objective is to increase situational awareness of cyber threats with a consequent reduction of impact on UK businesses.

CiSP membership can only be given to UK registered companies responsible for the administration of an electronic communications network in the UK, or organisations that are sponsored by either a government department, an existing CiSP member or a trade body or association.

CiSP members are able to exchange cyber threat information in real time, in a secure environment, operating within a framework that protects confidentiality. Information shared includes alerts and advisories, weekly and monthly summaries, and trend analysis reporting.

Computer emergency response teams (CERTs) and computer security incident response teams (CSIRTs)

CERTs have been in existence for some years now. Originally begun by Carnegie Mellon University in the USA, the practice of collecting, analysing and distributing security advisories has been a major influence on all sectors worldwide. CERTs and CSIRTs carry out the same function, and the acronyms are used interchangeably.

Many countries now operate a CERT/CSIRT, and even some larger multinational organisations whose enterprises cross traditional national and continental boundaries may do likewise.

In the UK, CERT-UK[11] has four main responsibilities that flow from the UK’s National Cyber Strategy:

  • national cyber security incident management;
  • support to critical national infrastructure companies to handle cyber security incidents;
  • promoting cyber security situational awareness across industry, academia and the public sector;
  • providing the single international point of contact for coordination and collaboration between national CERTs.

Subscription to a CERT or CSIRT is possible for almost any individual or organisation wishing to receive updates. However, sometimes the volume and frequency of these can be overwhelming.

As an example, CERT-UK provides three main workstreams:

  • Alerts – In the exceptional event of a critical national cyber security incident, CERT-UK will issue an alert and appropriate guidance.
  • Advisories – CERT-UK issues advisories that address cyber security issues being detected across government, industry or academia, or that offer best-practice updates.
  • Best-practice guides – Through CiSP, CERT-UK provides regular advice and guidance on a range of cyber issues, with the aims of sharing information and encouraging best practice among its partners.

Security information exchanges (SIEs) and information sharing and analysis centres (ISACs)

Whereas CERTs and CSIRTs concentrate both on information collection and response to incidents, SIEs and ISACs provide solely a means of exchanging information about threats, vulnerabilities and incidents. SIEs tend to provide raw data about incidents, whereas ISACs tend to provide a deeper analysis and suggestions for response.

SIEs and ISACs generally comprise both public and private sector organisations that form part of a critical national infrastructure, together with their lead government department and any other organisation with a legitimate interest in the security aspects of that particular sector, such as the sector regulator.

In the UK, a number of SIEs are managed by CPNI.[12]

In the UK, CPNI considers that there are 13 areas of national infrastructure, which were discussed in greater detail in Chapter 3 of this book. Other countries adopt a similar approach, and in the USA, for example, their ISACs broadly cover the same areas. Their website notes that there are some cross-sector themes such as technology wherein there may be infrastructure that supports the delivery of essential services across a number of sectors.


1. For a detailed view on this topic, please see David Sutton (2015) ‘Trusted information sharing for cyber security situational awareness’. Elektrotechnik und Informationstechnik, 132 (2) 113–116. DOI 10.1007/s00502-015-0288-3.

2. The Traffic Light Protocol was originally developed by the UK CPNI.

3. See https://www.chathamhouse.org/about-us/chatham-house-rule

4. See https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/715778/May-2018_Government-Security-Classifications-2.pdf

5. See https://www.consilium.europa.eu/en/general-secretariat/corporate-policies/classified-information/

6. See https://www.dami.army.pentagon.mil/site/sso/docs/InfoSec/DoD5200_1ph.pdf

7. See ISO/IEC 27010:2015 – Information technology – Security techniques – Information security management for inter-sector and inter-organisational communications.

8. See https://www.ncsc.gov.uk/information/what-warp

9. See https://www.enisa.europa.eu/publications/good-practice-guide

10. See https://www.ncsc.gov.uk/section/keep-up-to-date/cisp

11. See https://www.certuk.org.uk/

12. See https://www.cpni.gov.uk/
