The semantic issue here is critical to the post - this isn't necessarily an article about infection but really about infestation of connected computing devices by what can only be described, collectively, as malware. Malware in this definition is essentially the collection of traditional viruses, trojan horses, worms, ad-ware, scare-ware, crime-ware, ransom-ware and everything else ... did I miss a catchy buzzword?
Anyway, the rate at which a connected computing device gets over-run by malicious software is incredible. Recent statistics I've heard peg the average compromise time of a non-protected workstation on the open Internet at around 8 minutes. This metric was measured 2+ years ago ... I'm confident it's even less time now. These time-to-compromise studies are interesting because they serve to illustrate the sheer volume of evil circulating the Internet. I've thought about the vectors for compromise (or over-run if you like) and have classified them into 5 categories:
- Self-Inflicted-Accidental
- Self-Inflicted-Ignorant
- Unattended-Circumstantial
- Targeted
- Delivered
- Self-Inflicted-Accidental
The problem with this group is that they are too trusting. They're like your grandparents, who trust the maid who's "so nice" but is cleaning them out of every valuable in the house. They will be shocked when they find out they've been infested; then they will become educated (and some become jaded), their outlook changes and they fall out of the group.
Impact: sadly, when these folks get hit, it's epic
Remedy: Either more education, or simply let them get whacked
- Self-Inflicted-Ignorant
I've met many threat-ignorant people in my years in IT and I'm certain you have too. In fact, many of you chuckle as you read this because it's either your manager, your CEO, your parent, spouse or in-laws that drop into this category. I'm sorry in advance for saying it but ... these folks should have their Internet-usage ability revoked.
I just don't understand how people can be so ignorant and keep at it. Maybe it's our fault (I say our and mean collectively the business & IT world) for allowing them to be this way. Maybe we're not giving them enough responsibility for their own actions (or non-actions)? I mean, look ... if you have a gun you have to be licensed to use it, right? ...and you're responsible if you cause yourself or someone else harm? I know Internet access doesn't require a license or certification, but maybe it should? Maybe you should have to take a "basic certification" to get an IPv6 address (if that ever happens...). I don't quite have the logistics worked out, but there absolutely MUST be some accountability here ... we as an industry group must find a way to educate and drive out ignorance from the connected masses.
Impact: Epic fail ... made worse by the coddling currently coming from the financial services industry
Remedy: Education and accountability ...or something!
- Unattended-Circumstantial
Look around; I am willing to bet you can name at least 5 connected devices within arm's reach right where you are this minute. Whether it's a refrigerator, a video gaming console, your mobile phone, laptop, DVR or even television, everything is becoming connected, and too often there is no thought given to answering the "what if this thing gets infested?" question.
What would you do if you woke up tomorrow morning only to find that your Internet-connected DVR has suddenly been taken over? The warranty may or may not cover this problem because technically it's not a manufacturer's defect, right? There is no broken hardware, no smoking hard disk or sparking internals - only a malicious piece of software now embedded inside the device that randomly deletes your favorite unwatched shows and orders adult material when you're not around. What do you do!?
Impact: Everything from mischief to malice to catastrophic failure. If your refrigerator becomes infested with malware and malfunctions, that's one thing, but if your car's on-board computer suddenly shuts down your car in the center lane on your way home at 65mph - that's an entirely different issue. It could happen, soon.
Remedy: I honestly don't have an answer to this. Better security integrated into the vendor's development lifecycle (SDL) is the only answer here that even makes sense, as many of these devices and infestations are outside the realm of reasonable responsibility of not only the owners but even the operators!
- Targeted
My main take on this specific segment of the problem is this - if you're worrying about this infestation type, that to me means you've solved the 3 previous ones (above), and I want to know how you did it.
Impact: Whatever the bad guys want. Generally the impact isn't "catastrophic failure" ... and the less you notice the impact, the better for the bad guys.
Remedy: Stop worrying about this one, you're not going to solve this problem.
- Delivered
Again, just as in the previous example, there are very few things you can do to avoid being infested in this situation. You can't review every application you use manually, and it's unrealistic to think that you're not going to load up any third-party tools or software on your computing devices. Again ...welcome to screwed-ville. Take a number, get a seat and wait to be re-imaged.
Impact: As with targeted infestation ... this can be anything from annoyance to identity theft and digital impersonation!
Remedy: ... hrmm.... I'll let you know if I figure this one out. I'm open to suggestions!
---
There you have it: infestation by malware is ugly. Sometimes you can prevent it, many times you can't. The results are incredibly diverse and range from your search results being compromised and "swapped out" for someone else's targeted results, to identity theft and impersonation, to catastrophic failure. Problem is ... out of these 5 types we're only realistically able to do something about 2 or so of them.
What do you think?
2 comments:
I like it and it makes it easy to categorize. Would the recent card-processor/restaurant POS one fall under Unattended-Circumstantial? http://bit.ly/8cIT98 (My answer is yes)
As far as financial institutions reimbursing customers, well, unfortunately that is a business decision. The cost of losing customers is more than what they're paying out, so they keep paying it out. Is it the right call? Maybe not. But until the balance flips, it will be hard to convince them to handle it in another manner.
I think these categories are generally pretty solid, but now my question is - where can we use these categories in order to improve security?
@Nickhacks - I think there is an opportunity here. Most anti-malware (because it's inappropriate to call them anti-virus anymore) software is written or designed to protect only one of those groups, and sold to everyone. That's not only wrong but also irresponsible because we know the others are out there... obviously.
What's next? How do we make use of this piece for the betterment of humankind? I'm going to start to try and see if any of the anti-malware vendors would be willing to work with me to do some fundamental re-design of their tools around this idea I present. While I'm not holding my breath, it would be cool, and I feel an advancement.