Recent reports says huge numbers of home PCs connected to the Internet are infested with malware. What strategies should we be using to deal with this situation? Some technology CEOs and other leaders imply that we need to move on ...
In an interesting interview with SC Magazine UK back in May, Shlomo Kramer - CEO of the Year, one of the founders of Checkpoint and the current CEO of Imperva, said some very interesting things on this topic. Much of his wisdom was conventional, but how about this quote from the article:
He (Kramer) reveals that he is an investor in a company called Trusteer, which turns accepted anti-malware practice on its head. Instead of trying to clean up your computer from viruses and malware you just don't bother. "There are simply too many of them, it's unmanageable. You're just piling additional negative logic onto negative logic; it's not going anywhere," he states. "So, there's a new approach that says: 'we'll assume your computer is contaminated, it has bad stuff on it and, even though it does, we will enable you to do secure transactions using that computer.' This then is the positive logic that ensures you work securely."
When questioned on whether this is throwing in the towel and admitting defeat, Kramer jumped back in with this, "But this is a secure channel, it's almost like SSL, somebody can try to tap the network and eavesdrop, but I have a secure channel that is encrypted and nobody can penetrate that. So I've got this secure channel between me and my online banking application, so even if there is malware on the computer it can't penetrate that channel," he says.
This debate is not just about one company's solutions. Fellow CSO blogger Jeff Bardin debated Dan Geer on the sentence: "Online providers should assume that customer PCs are already compromised" in the July issue of SC Magazine US. (Jeff argued against the statement.)
Dan Geer stated that our answer is to "insulate and isolate your client-side code, whatever yours is, from the client side operating system." Geer equates this to "fighting fire with fire," or "mimicking the methods of the attackers."
I'm not there (yet), which I guess puts me with Bardin on this issue. But as more botnets and malware spread freely - and my neighbors don't seem to even know about it much less care about malware at home - I'm starting to be won over to new ideas and approaches.
What are your thoughts?
I agree with a previous post that a secure channel in of itself is not going to solve anything. Attackers and malware will still control the O/S and will break the secure channel eventually. Additionally, if the system is full of malware, it won't run very efficiently, if at all.
The main reasons that malware is so effective are social engineering and the minimal cost to propogate it. And I am not sure we can do much about the social engineering aspect, as the tactics continually change. So until the expense of propogating malware becomes too great to justify the return, we will always have this problem.
Sorry, SSL or even a VPN does not stop the compromised endpoint user from harm. The information can be stolen and then used at a later time to empty your bank account. It certainly can be used to steal your identity.
Why is it that legal groups haven't been lining up filing class action suits against the vendors of insecure products?
Yes, all code will have bugs BUT when it is clear that basic security precautions are being ignored by vendors intentionally and misrepresentations are being made regarding suitability for business transactions there is no excuse. For Microsoft to have default open shares and RPC enabled on consumer OS's is inexcusable and the root cause of most of the network based attacks. There is also the issue of Active-X and other technologies that by design make browsers into ready to exploit holes that bypass OS security.
Let's also talk about the nerve of PCI. Yes, good computer administration is requred to keep a company secure, expecially with the junk OS's etc., but who are they to levy fines and be self-appointed judge and jury? They issue produt approvals that ignore vendors who use unencrypted mag-swipe readers and ignore applications with underlying OS holes but want US corporations to foot the bill for millions to secure credit data which is insecure because of lax credit industry authentication practices. Or how about the fact that other countries don't have to comply with their requirements and it is putting us at a competitive disadvantage.
Enough is enough, computer security is not a technical issue it is a legal one. No car manufacturer could ever be immune to wheels falling off of new cars, the computer industry has had a free ride for too long.
Years ago a concept was pushed into the IT security community that we should design our information environments as if the network were inherently hostile with little or no endemic controls or monitoring. Unfortunately, for some of us may have interpreted this as a green light to remove all network enforcement and filtering from our infrastructure. However, at the center of this idea was not a suggestion that we eliminate infrastructure access and detective controls, but that we improve end-point hardening, relieving a single component (the network) of sole security responsibility, while also improving the defense depth and resilience of the overall architecture.
I believe Mr. Kramer's comments should be viewed within a similar context: We should not eliminate a given control out-of-hand, but should have a more mature and holistic approach which relies less on a single strategy (e.g. malware management), and more on a comprehensive, muti-faceted information assurance strategy (e.g. hardened applications and systems, effective gateway filtering, intrusion detection/management, etc.).
As information security leaders and practitioners we must be vigilant to vet and validate all such suggestions (e.g. the uncontrolled network, the malware-ignorant approach, etc.). These suggestions and strategies must still pass muster with time-tested principles like defense in depth, least privilege, etc. More to-the-point, I do not believe Mr. Kramer’s thesis pass muster here: the elimination of a relatively cost-effective control, and a lessening of the overall depth of a security management methodology, when a single malware incident can easily cost an organization far more than the cost of a management solution.
Finally, I place Mr. Kramer’s comment on the level with the past-parroted phrase: “IDS [intrusion detection system] is dead” – more of a marketing, attention-getting ploy than empirical science. Like IDS, malware management is very much alive – except in the minds of the most gullible. Or, in the case of Mr. Kramer, the occasionally misguided – a club of which I am also a member.
Hello Friends,
I've been in the network security industry for as long as I don't even want to say these days. The topic of network security has grown up and out, meaning I have seen hacking go from well educated college level individuals to grade level students. Hacking tools and 'lessons' are now posted on the internet. I don't think there is a single network out there that can claim it to be 100% secure.
The comment in this blog of allowing Malware and Virus to reside on your systems and be 'healthy' or not cause harm is faulty. There are over 400,00 variants of Malware today and growing at a crazy rate. Malware comes in many forms, some silently steal your data, files, keystrokes, etc. Malware has an ability to replicate itself and find other computers on your network. First, as malware festers on your computer, you are going to pay the price in PC performance and you are most likely to be 'sharing' your information with a criminal. By all means do whatever you can to get the right level of protection in your PC to cleanse your system and providing ongoing protection. Keep in mind that your PC can infect other PC owners around you. Don't bring harm to your fellow worker or friends PC because you didn't take due care of your system. Someday we might see state or federal laws that will fine pc users that have caused a financial hardship to a company or an individual because of lack of security.
The other comment regarding "I am running an SSL channel so my data is safe" is faulty also. SSL provides encrypted traffic from the point it leaves your desktop to its destination. Remember, if someone has a keylogger and is capturing your keystrokes, files, etc, SSL is not going to protect you. This is a false sense of data protection.
Be smart. If you are not a security expert you should bring someone into your firm to advise you of the vulnerabilities in your network. I would never say a single technology is the way to go. You need various security technologies from multiple vendors.
Take Care and Be Safe!
Ken Pappas
Security Strategist
Top Layer Security
at first glance this sounds like a good idea - but on further in-depth analysis of the concept it doesn't take genius to realize that the "secure channel" will eventually become the target of attack in and of itself. Once you submit your machine to the control of malware authors, and those identify theft type malware applications come back empty handed, just how long before they attempt to proxy the secure channel and insert themselve between you and the "secure channel" application - ie, they'll setup camp and intercept, decipher - store and then re-cipher and pass on the information... Every sane security professional understands that a multi-layered security model is the best approach - simply giving up and accepting that you have malware is a retarded approach that leaves one single point of failure.