Internet Security: The Draconian Solution

ILoveYou, Slammer, Code Red, and Conflicker -- a rogues gallery in some ways equivalent to John Dillinger, Bonny and Clyde, Al Capone, and Pretty Boy Floyd. It's not a pretty picture and perhaps it's time for draconian measures to safeguard internet users from hackers releasing these things into the wild.

The Basics

Worms are arguable the worst of the lot in terms of criminal behavior. They are self replicating programs needing no user intervention to utilize nodes and spread over a network or through the internet. Their payloads differ but the method of transmission is the same and that's where intervention becomes possible and potentially draconian.

One piece of worm programming initiates a scan of peers (other computers) from an infected computer over a network or internet connection seeking out vulnerable targets. When one is detected, another piece of worm programming replicates the worm from the infected machine to the vulnerable one and the process begins again with the new "convert." This infection process can occur very rapidly -- MyDoom holds the current record for fastest spread.

One of the most common payloads is called a "back door" which creates an interface exploiting a vulnerability -- usually within the operating system -- allowing some level of control over the infected machine by a third party. A machine with such a back door is called a "zombie" and networks of infected machines are referred to as "botnets." The most common use of botnets is for sending spam and for initiating denial of service (DoS) attacks.

Prevention

It's easy to say that software vendors "should" create totally secure programs and that fixes the problem. The "problem" with that, of course, is that it isn't just about software, it's about people -- "the bad guys." We haven't been able to build a bank, jewelery store, or ATM that people can easily use and, at the same time, isn't vulnerable to someone with "a plan" either. Perfectly invulnerable software probably isn't the real answer.

In the absence of invulnerable software, three things are critical.

1. Patches and updates provided by vendors installed immediately on every computer, everywhere
2. Anti-virus and anti-spyware programs on every computer, everywhere
3. Firewalls on every computer, everywhere

The obvious problem is that not everyone installs or keeps these things current on their computers. Nor is everyone or every computer likely to in the future. This is where the subject turns draconian.

Draconian Intervention

One method of intervention relies on detecting the "scanning" done by an infected machine. Those scans can be monitored and detected on each computer within a network. When the number of scans reaches a specified threshold, the computer can be shut down and checked for viruses. Systems or Network Administrators may be doing this now on business and government networks. It was outlined in the April-June 2008 edition of IEEE Transactions on Dependable and Secure Computing.

When this type of intervention occurs in an organizational setting, no one really objects. What if all (or most) ISPs did the same thing?

ISPs have potentially the same control over monitoring and detecting scans from every computer on their network -- that is every computer connecting to the internet through the ISP. They also have the same capability to shut down, or remove a potentially infected machine from their network. In other words, if any computer currently connected through the ISP exhibits characteristics common to a worm executing scans, the computer is disconnected.

Various estimates or predictions indicate that if 30% - 35% of ISPs engaged in this type of monitor and control activity, the impact from worms could be negated. Of course getting the ISPs to play is a different story -- at this time the business model for ISPs is connecting, not disconnecting customers.

This scenario could be taken a step further as well. ISPs could detect if a computer has the most recent patches and security updates. Running anti-virus programs and firewalls are detectable also. Suppose ISPs refused access to any computer that didn't "pass the test?" This is a little like requiring an inspection sticker on automobiles before they're allowed on the road.

Wrap This Up

Given the fact that the "perfect" software or operating system (invulnerable to attack) isn't in the cards and given the fact that not everyone with an internet connected machine installs all updates, runs anti-virus or anti-malware programs, or has a firewall installed, then viruses, worms, trojans, and variants continue to proliferate. We continue to hand the bad guys, including terrorists, criminals, and anyone with a grudge, the keys to our kingdom on a silver platter.

The security community knows the threat, and the greatest vulnerability, lies in the millions of connected internet user machines without adequate protection. As long as that army of vulnerable machines is available to the bad guys, we are all at risk... including governmental, public safety, and emergency systems. Since we (the internet community) are incapable of self regulating in this regard, then someone -- probably at the ISP level -- is going to do it for us.

Draconian but, in all likelihood, inevitable.