So after attending a training event in which CERT-CC staff said they are always run ragged notifying compromised organizations of a compromise I came up with an idea that quits wasting tons of freaking time. Instead of having every security company on the planet contacting and maintaining lists for POCs, emails, phone numbers of security staff of every organization on the planet in order to notify them that 10000 of their users are now compromised, theft of PII, botnet infiltration, whatever you just do this.
Set up a Industry Security Notification portal where organizations can register and a organizational RSS feed is dynamically created for them. A XML data sharing schema is put in place to represent the details of said compromise. It would have a Organizational tag on it that identified the specific organization. If a security organization obtains information of a compromise of PII from say 10 different companys, they split the data up by company and post directly to the organizations RSS Data feed to which they have previously subscribed when they signed up.
This way Due Diligence of notification has been accomplished, and the CERT.cc or other security firm can wipe its hands of its notification duties, and go about actually doing specialized R&D to solve this mess once and for all instead of spending precious time on bullshit.
Organizations that have not registered with the Portal site, would still have their RSS compromise detailed information published, however it would be an encrypted blob. All that would be shown is the organization name and very high level details of the event. Im sure if published publically personal and professional networking would take over and they would find our really quickly, check the details and resolve the issues.
Once events are resolved, they can be archived off the portal in to the organizations account and taken off of the public dashboard associated with the site.
Lets call this the Web2.0 solution to Incident Response Notification and a better and smarter responsible way for companies to quit doing waste of time work and start doing Real work.
OMG – its so simple….
Now someone just needs to get off their ass and implement it. How about the Big 5 to start. Microsoft, Symantec, McAffee, Trend, Cisco. Start setting an example and respond to a critical industry security need that helps all of us and presents a Gamechanger for Cybersecurity.
Here is an example of data repatriated via a 10 day Rustock/Mebroot/Torpig botnet takeover. The researchers captured the data and then analyzed it and went scratchin their heads as to who to contact about the data, how to notify the victims and the sheer scope and bullshit that would be need to do all the notifications. HERE is an example that justifies the implementation of my idea.
