Friday, November 5, 2010

Secure Me Mr Internet

During my travels of the last couple of weeks I've been pondering what the future holds for securing the end user/victim. The last couple of decades have focused upon protecting the user by getting them to protect themselves (e.g. install AV/HIDS/DLP/etc. on their own computer) - and that has obviously been failing.

The complexity of protecting these computers is well beyond the average user - so why does the industry proceed with this sham? Maybe there's an air of addiction to the legacy solution. In general though, if a security technology depends upon the end user successfully operating and maintaining the software, then it's predestined to fail.

What could a future end-user security ecosystem look like? I let my mind wander a little and posted something up on the Damballa site... "A Future Security Ecosystem".

Cross-posting the blog below...

Earlier this week, while attending a conference in Germany, I was asked to reflect on what would be the “next big thing” for combating organized Internet crime… something that could be achievable 5 years from now. I’ve always been a proponent of doing as much as possible to remove the consumer from being responsible for securing themselves. By that, what I mean is that all too often corporations assume that their primary security defense is for their own customers to be secure, and the corporation’s security is conceptually a backup defense – kind of like mopping up the exceptions. The problem here though is that consumers can’t defend themselves, and those “exceptions” are all too rapidly becoming the norm. I once wrote a paper covering the concepts of continuing to do business with malware infected customers – and much of that has been applied successfully to online banking systems. But is there something new we (as an industry) could be doing?

Getting back to a 5-year framework, one future threat response ecosystem could revolve around a shared platform of “who’s infected and with what.” The concepts are rather simple. At the network layer, it is increasingly possible to identify computers that have been infected with botnet malware – particularly the criminal tools used to conduct real-time fraud on the victims’ computers. What if it was possible to share that information (live) with the organization that the victim is currently trying to do online transactions with?

For example, let’s say that I know that John Doe’s PC is currently infected with a Zeus malware variant under the control of the LonelySharks crime syndicate based in Chile and – in the last 10 minutes – that computer has been in contact with the command-and-control (CnC) servers the criminals are using. As John Doe opens his Web browser and connects to XYZ Bank Inc., the bank’s web application can query a live database to check whether John Doe’s computer has been noted as being infected recently.
In this case, XYZ Bank Inc. finds out that the computer John is using is infected and that the criminal operators behind the malware typically conduct banking fraud. XYZ Bank Inc. can now undertake a number of additional transaction monitoring processes and change the way that new banking transactions from John Doe’s computer are handled (e.g. he’s never done an online transfer to ABC Electrical supplier before – so perhaps the bank may want to do some homework about this ABC Electrical supplier account now too). They may also want to alert John that they’re doing this and provide advice on how best to remove the threat from his own computer. The net result of all this is that the business can continue to do business with their infected customer – as they know when (and how) to be more vigilant to fraud attempts. Perhaps this doesn’t sound like much of an advance – but you should try speaking with anyone in the financial services field. A little bit of alerting can go a long way in protecting the customer (and organization) from fraud – and can help close down the operations of the criminals much faster.

The key to this is being able to identify which computers are infected (in real time), being able to associate the computer to a particular threat, and being able to share this information in a legal and private way. Obviously ISPs are in a perfect position to help. They are already beginning to implement network-wide passive botnet detection systems and could (if allowed to) make the association between computer and user (or subscriber in this instance). At the moment I doubt they’d be legally allowed to share this information with anyone beyond the victim themselves.
But, what if… what if it was possible for an ISP customer to subscribe to a service where they allow the ISP to identify the threats targeted at them (and the threats that they have become victim to), and to share that information with a list of authorized companies that the user does business with regularly? Assuming that the “check” done by the business is only done at the time the user’s computer is in operation, the prospect of privacy invasion is moot. The technologies to do all this largely exist today. Would the prospect of additional privacy loss (to organizations I’m already dealing with and authenticating myself to) concern me? I don’t believe so. Would I be prepared to pay for this? Sure, if the price is right…

But perhaps the model could be even more beneficial for all concerned. If I’m a subscriber to this service, since it’s the banks or businesses that I’m doing transactions with that benefit the most from all this data sharing, perhaps I don’t need to pay for my subscription? Would those organizations pay my ISP to know where I’m infected (or whether any other of their customers at the same ISP are infected)? Hell yeah. They’re hunting for companies that can supply them with this data. So, if they’re already looking to buy this info, perhaps my ISP doesn’t need to charge me for this service (and all the other great anti-threat stuff they can do for me in the cloud) – instead they can get it directly from the businesses I regularly do online transactions with? If that’s not so palatable to the ISPs, perhaps the organizations I do online business with will offer me discounts or better rates directly if I opt-in and allow my ISP to share the information? Would it be economically viable for my online share trading platform provider to reduce my transaction fees a little – since they have more confidence in their fraud detection processes now they know whether my computer is tainted or not? I suspect they probably would.
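As an added illustration (not code from the original post or from Damballa), here is a small Python model of the opt-in lookup described above: the ISP answers only businesses the subscriber has authorized, only while the subscriber's computer is in operation, and only about CnC contact within the last 10 minutes; the bank then decides how to handle the transaction. The names (John Doe, XYZ Bank Inc., Zeus, LonelySharks) are the post's own illustrative ones, and the records are constructed sample data, not real indicators.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Infection:            # what the ISP's passive botnet detection observed
    family: str             # e.g. "Zeus"
    operator: str           # crime group the CnC servers are attributed to
    fraud_profile: str      # what that operator typically does, e.g. "banking"
    last_cnc_contact: datetime

@dataclass
class Subscriber:           # opt-in state held by the ISP
    authorized: frozenset   # businesses the subscriber lets the ISP inform
    online: bool            # whether the computer is currently in operation

class IspThreatSharing:
    # Answers only authorized parties, only while the computer is in use, only about recent CnC contact.
    def __init__(self, recency: timedelta = timedelta(minutes=10)):
        self.recency = recency
        self.subscribers = {}   # subscriber_id -> Subscriber
        self.infections = {}    # subscriber_id -> Infection

    def query(self, requester: str, subscriber_id: str, now: datetime) -> Optional[dict]:
        sub = self.subscribers.get(subscriber_id)
        # Unknown subscriber, no consent for this requester, and computer not in use all get
        # the same answer, so the response itself leaks nothing about the subscriber.
        if sub is None or requester not in sub.authorized or not sub.online:
            return None
        inf = self.infections.get(subscriber_id)
        if inf is None or now - inf.last_cnc_contact > self.recency:
            return {"infected": False}
        return {"infected": True, "family": inf.family,
                "operator": inf.operator, "fraud_profile": inf.fraud_profile}

def transaction_handling(status: Optional[dict], new_payee: bool) -> str:
    # Bank-side decision for one transaction, given the ISP's answer (or no answer at all).
    if status is None or not status["infected"]:
        return "normal"
    if status["fraud_profile"] == "banking" and new_payee:
        return "hold-and-review-payee"     # e.g. a first-ever transfer to a new supplier
    return "enhanced-monitoring-and-alert-customer"

# Constructed sample data (not real indicators): John Doe has opted in for his bank only.
NOW = datetime(2010, 11, 5, 12, 0)
LATER = NOW + timedelta(minutes=30)   # well outside the 10-minute recency window
isp = IspThreatSharing()
isp.subscribers["john.doe"] = Subscriber(frozenset({"XYZ Bank Inc."}), online=True)
isp.infections["john.doe"] = Infection("Zeus", "LonelySharks", "banking", NOW - timedelta(minutes=4))
```

Querying as XYZ Bank Inc. at NOW returns the Zeus record and a new-payee transfer is held for review; a retailer not on John's list gets no answer at all, and the same bank query 30 minutes after the last CnC contact is answered as not infected.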
There is of course a long way to go – but this is one of the things I thought would be a valuable security ecosystem for combating much of the fraud now evident. And I think a 5-year goal could be achievable.