http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9009984

By Ira Winkler
February 01, 2007
Computerworld

Even though we have a new Congress, I doubt that much will change with regard to computer security. While a law related to identity theft will probably be passed in one form or another, I expect that it will be trivial and not deal with preventing the theft of individuals' personal information. Corporate lobbyists have proved themselves to be too adept at manipulating members of Congress so they don't pass laws requiring companies to be proactive, especially with regard to security measures.

Identity theft is a symptom of poor computer security. There are two underlying methods of identity theft: hacks of vendor computers, and client-side attacks. Vendor hacks are the result of poor security on the part of the vendor and often lead to the theft of thousands, or millions, of credit card numbers at once. The laws passed in this regard basically state requirements that vendors have to follow once data is stolen. However, they do not lay out computer security requirements. The hope is that if vendors have to act if their security fails, they will try to better protect themselves. All you have to do is browse Computerworld.com to see how well that's working.

Congress, however, has taken no action to address client-side attacks targeting the end user. These include phishing, keystroke logging and virus attacks. The underlying enablers of these attacks are the bot networks that grow unchecked. Botnets are networks of PCs that have been compromised by a remote attacker through known vulnerabilities on the PCs. The attacker then has the compromised PCs do his bidding without the knowledge of the PCs' owners. Bots send out billions of spam e-mails and their evil cousins, phishing messages. Just as important, bots are used for distributed denial of service attacks.
DDOS attacks use thousands of computers to simultaneously send data packets to a victim's computer to overwhelm the computer and the supporting network infrastructure. The attackers then use the DDOS attacks to extort money from owners of various Web sites. For example, it's common for online gambling sites to be threatened prior to a major sporting event, where the attacker will say, "Unless you pay me $50,000, I will take you down for a day before the event." A successful attack could cost a good-sized gambling site more than $1 million.

Likewise, DDOS attacks have targeted critical elements of the Internet, such as the root DNS servers. Those attacks have crippled segments of the Internet for periods of time. It should be expected that similar attacks will occur in the future and will attempt to do even more damage. Frankly, I believe that if there is a significant Internet attack, it will involve bot networks.

So, for Congress to do anything that helps protect consumers and the critical Internet infrastructure as a whole, it must pass laws that require proactive processes to protect computers, not that tell people how to deal with the resulting mess.

Here are more reasons for enacting computer security laws:

* According to reports, the percentage of unsolicited e-mail sent out via bot networks is in excess of 90%. Messages are also growing in size. The number and the size of messages will only continue to grow, so you can assume a very large percentage of Internet traffic is a result of bots.

* From my personal observations, an unprotected computer will fall victim to dozens of attacks an hour. This implies that botnet scans are constant and responsible for a large volume of Internet traffic.

* Botnet-related attacks result in billions of dollars in lost productivity and added costs annually.
  ISPs and large organizations spend billions to increase bandwidth as spam and other botnet-related attacks take up network volume, and billions more are spent on security software and the related hardware to prevent botnet-related attacks.

With the above in mind, the following laws are needed to at least begin to protect businesses, consumers and the Internet itself:

1. Make ISPs (and all organizations providing computer access to more than 100 people) responsible for filtering scan and attack traffic across their networks.

ISPs were declared "publishers" by the Child Online Protection Act. The legal effect of this was that ISPs were found to be not responsible for the content or intent of the data packets going across their networks. While it may be reasonable to say that an ISP might have no clue that a JPEG file going across its network has child pornography, thousands of ACK packets sent instantaneously are a different story. Attack and scan traffic is easy for ISPs to detect and block. The more scans that are blocked, the fewer compromised systems there will be. Any increase in time to process data packets is easily made up by the overall decrease in the amount of network traffic.

2. Make ISPs (and all organizations providing computer access to more than 100 people) responsible for knocking customer PCs off their network if they become bots.

Any system that is clearly behaving as a bot should be immediately logged off a network. An end user who starts flooding the network with tens of thousands of e-mail messages, or who starts to send hundreds of thousands of DOS packets, is clearly compromised or otherwise abusing privileges. It is blatant and therefore easy to spot. More important, it is easier to identify and stop offending traffic at the source than for a victim under attack to identify and contact the appropriate administrators to stop the attacks.

3. Make end users liable if losses are incurred because of outdated security software.
We cannot push all requirements to the ISPs. End users who leave their computers vulnerable to being controlled by others are also at fault. All PCs connected to the Internet should have the latest patches installed, as well as updated firewall, antivirus and antispyware software. While these tools won't prevent everything, they can decrease a computer's susceptibility to compromise exponentially. Those who fall victim to an attack because they don't have the appropriate software and updates would be financially responsible for their own loss and potentially the loss they cause others. Just as individuals are legally required to keep their cars in safe condition to protect others on the road, they should be required to keep their computers safe to protect others on the Internet.

4. Write some kind of law concerning efficient security software.

I have been wrestling with how to word this one. A law like this is especially important if people are required to install and run security software. People have uninstalled their antivirus and antispyware software because it brought their systems to a crawl. Security software vendors must make performance a critical feature of their software.

While there are other laws I could recommend, these are the most fundamental and easy to implement. I know there may be criticisms. For example, some smaller, and even larger, ISPs and organizations will say they can't afford the software and staffing needed to kill end-user access as required. First, these companies are already spending money to provide bandwidth for all of the malicious traffic. Second, if they can't afford to protect their network properly, they shouldn't be in that business. That is probably the key point. Can you imagine a trucking company saying that highway safety laws shouldn't be enacted because that would be too expensive? Likewise, can you imagine a private citizen saying that he doesn't want to properly maintain a car's safety?
Of course not, as they would be endangering the safety of others. If people want to have access to the Internet, or financially profit from it, they should likewise be required to take precautions so that they don't endanger others.

All of the current regulatory discussions in Congress and local legislatures generally involve identity theft and are in reaction to the current hype. They are also reactionary in their effects in that they deal with what to do after information is stolen, and not with the fact that the thefts should have been prevented in the first place. Most important, they do not fundamentally improve security. We need laws that are proactive in preventing identity theft and all other likely attacks. These proposed laws go a long way in doing so.

Ira Winkler is president of the Internet Security Advisors Group. He is a former National Security Agency analyst and author of Spies Among Us (Wiley, 2005).
This archive was generated by hypermail 2.1.3 : Thu Feb 01 2007 - 22:38:10 PST