How is an hourly update regime tenable in an organisation with thousands of computers (even with automated deployment of patches and virus definitions)? As a result of the malware tsunami in the last four days, a new and dangerous point has been reached in the global digital eco-system.
New malware variants are released and proliferate ever faster and as a result, there is a lag before they are added to virus definition records, during which they cannot be recognised by anti-virus systems. The majority of anti-virus solutions currently on offer are therefore no longer viable in countering malware tsunamis.
Causes of malware tsunamis
Malware tsunamis do not proliferate automatically: people receiving malware in encrypted ZIP files are even going so far as to type in the passwords contained in the email to open them.
In any complex technology-dependent system - whether it is air-traffic, car-traffic or network-traffic - extraordinary accidents happen because human beings either operate the system incorrectly or extend the system's usability beyond the boundaries originally intended.
The human factor is proving to be the weakest link in the development of recent global malware epidemics, whether it is the naive user who opens attachments or malware writers who compete with each other to produce ever more virulent and fast-spreading forms of code in protracted turf wars. In less than a week, MyDoom, Netsky and Bagle malware have had fifteen new variants between them. Additionally, Netsky seeks to remove traces of Bagle and MyDoom variants, in a bid to gain market share of infected machines.
Malware is becoming increasingly multi-functional and socially aware as it gains the ability to perpetrate Distributed Denial of Service (DDoS) attacks, create zombies and send spam without being detected easily. Malware epidemics are also being fuelled by organised crime.
Trans-national malware tsunamis and protracted hacker attacks show that the sovereignty of the individual in cyberspace supersedes the sovereignty of the nation state. A force for common good - the internet - welcomed by all a decade ago, has now begun to show a consistent dark side.
It is just beginning to dawn on Government policy makers and Chief Executives of organisations that the global nature of the internet and the rise of the resultant networking power, creates entirely new and unfamiliar problems of governance and relations between nation states, businesses and computer-empowered individuals, who may have their own agendas.
Solutions
With correct set-up, administration and defence procedures, it is possible to protect a Linux, Windows or BSD server from hacker and malware attack. However, this requires a very high level of training and expertise as well as a substantial technology investment. In most cases, it is not the Operating System (OS) alone that lets the system down: inappropriate configuration management, an inability to prepare for the impact of third-party application exploits, and the retention of default configurations with unnecessary processes running are all partially responsible for the high level of attacks against a particular OS.
The mi2g Intelligence Unit examines a selection of near and long term solutions that address the fundamental problems contributing to the malware tsunami, which defeats computer hierarchies and adversely impacts the digital eco-system:
1. Migration to Upstream Data Cleansing and Vaulting
In the downstream cleansing approach, prevalent at present, the client computers have full responsibility for prevention of contamination, clean up and recovery. End-users can allow any function from their computers to be performed, including inadvertent DDoS attacks.
When computers are damaged or rendered useless, users bemoan the loss of their data, not the loss of their machines. It will become increasingly necessary to offer upstream safekeeping of data with the attendant intrusion detection, anti-virus, firewall and other counter-measures, which individual users may not necessarily have the time or expertise to address.
Migrating complex security functionality upstream away from the desktop allows the comparative advantage of more sophisticated resources and computing capability at a much lower cost and with improved security, safety and reliability.
The Internet Service Provider (ISP) of the future will offer all safety, security and data assurance services as part of the internet access charge to individuals, small to medium size businesses as well as larger organisations.
Upstream cleansing prescriptively maintains a managed security infrastructure at the ISP level or higher. The anticipated resistance at the home or individual user level will have to be overcome somehow in the light of the little effect that education on safety and security has had in preventing malware tsunamis.
As computing power migrates upstream it should both reduce the number of points of fallibility and solve the twin problems of loss and theft of personal data, the most valuable digital asset in the 21st century. This approach may not be popular to begin with, especially amongst those who are attached to the independence they have within the current computing paradigm. As the malware tsunamis gain momentum the objecting voices may be left with no alternative but to make some concessions.
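The upstream cleansing described in this section is, in practice, a mail gate that applies policy to attachments before they ever reach the desktop. The following is an added example (not mi2g's code, and not from the original article) of such a gate in Python: it refuses executable attachments, reads a ZIP archive's directory without extracting anything, and flags the specific pattern from the opening of the article, an encrypted archive whose password is supplied in the same message. The policy list, the sample messages and the "password in body" heuristic are all constructed for the example.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Attachment names the gate refuses outright (hypothetical policy list).
EXEC_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs")
ZIP_ENCRYPTED_FLAG = 0x0001          # general-purpose bit 0 in the ZIP format
PASSWORD_HINT = re.compile(r"\bpassword\b", re.IGNORECASE)


def is_executable_name(name):
    return name.lower().endswith(EXEC_SUFFIXES)


def inspect_zip(data):
    """List policy findings for a ZIP payload by reading its directory only;
    nothing is extracted, so the archive contents are never opened."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & ZIP_ENCRYPTED_FLAG:
                    findings.append(f"encrypted entry {info.filename}")
                if is_executable_name(info.filename):
                    findings.append(f"executable entry {info.filename}")
    except zipfile.BadZipFile:
        findings.append("malformed zip")
    return findings


def classify_message(raw):
    """Return ('deliver' | 'quarantine', reasons) for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    body_text = body.get_content() if body else ""
    reasons = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if is_executable_name(name):
            reasons.append(f"executable attachment {name}")
        elif name.lower().endswith(".zip") or payload.startswith(b"PK\x03\x04"):
            for finding in inspect_zip(payload):
                # The social-engineering pattern from the article: an encrypted
                # archive whose password is handed over in the same email.
                if finding.startswith("encrypted") and PASSWORD_HINT.search(body_text):
                    finding += " (password supplied in body)"
                reasons.append(finding)
    return ("quarantine" if reasons else "deliver", reasons)


# --- constructed sample inputs, not real captured mail -------------------

def make_zip(entries, encrypted=False):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries:
            zf.writestr(name, data)
    raw = bytearray(buf.getvalue())
    if encrypted:
        # Mark every entry as encrypted by setting the flag bit in each local
        # header (flags at offset 6) and central-directory record (offset 8).
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = raw.find(sig)
            while pos != -1:
                raw[pos + off] |= ZIP_ENCRYPTED_FLAG
                pos = raw.find(sig, pos + 4)
    return bytes(raw)


def build_message(body_text, attachments):
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content(body_text)
    for name, data in attachments:
        subtype = "zip" if name.lower().endswith(".zip") else "octet-stream"
        msg.add_attachment(data, maintype="application", subtype=subtype, filename=name)
    return msg.as_bytes()


SAMPLES = {
    "clean": build_message("Quarterly report attached.", [("report.txt", b"numbers")]),
    "plain_zip": build_message("Slides attached.", [("slides.zip", make_zip([("slides.txt", b"ok")]))]),
    "lure": build_message("The password is 12345.",
                          [("invoice.zip", make_zip([("invoice.exe", b"MZ...")], encrypted=True))]),
    "bare_exe": build_message("Check this out!", [("photo.scr", b"MZ...")]),
}


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, classify_message(raw))
```

The gate never opens the archive, so it cannot be tricked into executing anything; it only reads header flags and names. A real deployment would quarantine for later review rather than silently drop, and would log the verdict per message so the "training record" the article asks for exists.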
2. Utility Model
The utility model is a computing model which was prevalent in the 1960s, in which there would be no local capability at the individual level beyond browsing and other simple tasks, with all other functionality transferred to central computing facilities or mainframes. This model was deployed because of the prohibitive expense associated with computing power and storage at the user level.
The utility model could be introduced as the extreme version of the upstream data cleansing model, i.e. users consume computing power and data storage from a large pool of processors running generic software, which remain under highly sophisticated security management 24/7.
As it is now clear, individuals are not capable of distinguishing friendly attachments from malware-laden attachments. Upstream processing which includes mail and data cleansing takes responsibility away from naive individuals and home users whilst restricting functionality. However, the home computer is an entertainment and life-style machine, which synchronises with mobile phones, PDAs and digital entertainment portals.
These require computer peripherals and software applications. Every home computer will need some dedicated processing power and therefore a restricted services "not-so-thin" client will need to be deployed.
3. Total Information Awareness Systems (TIAS)
The other approach would be that of Total Information Awareness Systems (TIAS) with a specific function to contain malware tsunamis and swift growth in a digital crime wave. Within a large organisation with thousands of employees and other stakeholders, it is necessary to go beyond defining external boundaries and implementing counter-measures just between the external and internal interfaces.
A security architecture needs to be deployed where every node on a network is recognised as a potential threat and TIAS can be employed to look for anomalous behaviour at the human, computer and communications level.
TIAS make use of the safety model of a warship, where certain critical individual compartments are left in closed mode whereas others remain in a "ready to be closed" mode. For example, when going into a port, there is a heightened state of readiness.
If flooded, affected compartments are immediately closed off to prevent the problem from spreading. TIAS-based networks can be blocked off from the rest of the world as soon as a malware epidemic or other anomalous behaviour is detected at an operational level within a department, corporation, metropolitan area or nation state. TIAS also help to train organisations as mistakes are made, recording the ill-judged actions that precipitated the problem.
TIAS are a plausible solution for any form of network, but they are ineffective at preventing large-scale digital risk events from occurring across the globe; they simply contain the outbreak for the organisation that has invested in them.
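The warship model in this section (compartments that are open, "ready to be closed", or closed; a tighter trigger when readiness is raised; an audit trail of what precipitated the closure) can be expressed as a small containment controller. The following is an added example written for this page, not code from mi2g or from any TIAS product. The log format, the per-mode thresholds for outbound mail connections, the compartment names and the telemetry lines are all constructed; the article gives no such figures.

```python
import re
from dataclasses import dataclass, field

OPEN, READY, CLOSED = "open", "ready-to-close", "closed"

# Outbound-mail connections per host per minute that count as anomalous in each
# mode.  Constructed values for this example; the article gives no figures.
THRESHOLDS = {OPEN: 60, READY: 15}

# Constructed log format: one line per host per minute from a mail relay.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) comp=(?P<comp>\S+) smtp_out=(?P<n>\d+)$"
)


@dataclass
class Compartment:
    name: str
    mode: str = OPEN
    audit: list = field(default_factory=list)   # the training record the article wants kept


class TiasNetwork:
    def __init__(self, compartments):
        self.comps = {name: Compartment(name) for name in compartments}

    def set_readiness(self, name, reason):
        """Heightened readiness ('going into port'): tighter threshold, traffic still flows."""
        comp = self.comps[name]
        if comp.mode == OPEN:
            comp.mode = READY
            comp.audit.append(f"readiness raised: {reason}")

    def ingest(self, line):
        """Return 'ok', 'closed', 'dropped' or 'rejected' for one log line."""
        m = LINE_RE.match(line)
        if not m:
            return "rejected"                      # unparseable telemetry is not trusted
        ts, host, comp_name, n = m["ts"], m["host"], m["comp"], int(m["n"])
        comp = self.comps.get(comp_name)
        if comp is None:
            return "rejected"                      # unknown node: treated as a threat, not admitted
        if comp.mode == CLOSED:
            comp.audit.append(f"{ts} {host} traffic dropped (compartment closed)")
            return "dropped"
        limit = THRESHOLDS[comp.mode]
        if n > limit:
            comp.audit.append(
                f"{ts} {host} smtp_out={n} exceeded {limit} in {comp.mode} mode; compartment closed"
            )
            comp.mode = CLOSED
            return "closed"
        return "ok"

    def closed(self):
        return sorted(c.name for c in self.comps.values() if c.mode == CLOSED)


# Constructed sample telemetry, not data from the article.
SAMPLE_LINES = [
    "2004-03-01T10:00Z host=fin-03 comp=finance smtp_out=4",
    "2004-03-01T10:00Z host=eng-11 comp=engineering smtp_out=9",
    "2004-03-01T10:01Z host=eng-11 comp=engineering smtp_out=27",
    "2004-03-01T10:01Z host=eng-04 comp=engineering smtp_out=2",
    "2004-03-01T10:01Z host=fin-03 comp=finance smtp_out=27",
    "2004-03-01T10:02Z host=fin-09 comp=finance smtp_out=140",
    "2004-03-01T10:02Z host=guest-1 comp=visitors smtp_out=1",
]


def run_sample():
    net = TiasNetwork(["finance", "engineering"])
    # Engineering is put on heightened readiness because a new variant is circulating.
    net.set_readiness("engineering", "new mass-mailer variant reported")
    verdicts = [net.ingest(line) for line in SAMPLE_LINES]
    return net, verdicts


if __name__ == "__main__":
    net, verdicts = run_sample()
    for line, verdict in zip(SAMPLE_LINES, verdicts):
        print(f"{verdict:8} {line}")
    for comp in net.comps.values():
        print(comp.name, comp.mode, comp.audit)
```

Note the same reading of 27 connections closes the engineering compartment (readiness raised) but passes in finance (open mode); that asymmetry is the point of the "ready to be closed" state. The audit list on each compartment records which host and which reading caused the closure, which is the record the section says organisations should keep in order to learn from the incident. The example also reflects the "every node is a potential threat" stance: telemetry from an unregistered compartment is rejected rather than assumed benign.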
4. Bio-Diversity
Desktops are dominated by the Microsoft OS and application software. At the server level, Windows, Linux and BSD all play a significant part. In the near term, it is possible to mitigate the infection rate across an organisation during a malware epidemic by reducing dependency on computers belonging to the targeted operating system.
However, it is important to note that malware authors at present have no incentive for developing malicious code that targets the less popular non-Windows platforms. Migrating to a non-Windows system for the sake of preventing malware infections only takes advantage of security by obscurity in the near term and this approach is not viable in the long term.
If there is a known vulnerability and a commercial incentive exists, any operating system including Linux, BSD or a third party application can have malware or hacker activated code custom designed to target it.
5. Law enforcement, Legislation and Government Intervention
There is a lack of coherent strategy at the nation state level to contain digital risk. The internet is unique in comparison to other media in that there are no borders and the sovereignty of an individual extends worldwide. An individual in his home country can carry out a digital crime in a foreign land without the authorities in the home land being able to prosecute, or vice versa in many instances.
There is scope for international agreements being made to control malware tsunamis. Millions of computers are being turned into zombies by malware worldwide. What would happen if a globally spawned cyber-catastrophe leads to a major economy being crippled for a few days? Adequate international law enforcement is an essential deterrent to prevent such attacks.
Law enforcement agencies from all countries should be better equipped, both from a logistical standpoint as well as a regulatory standpoint to deal with the perpetrators and facilitators of digital crime.
Given the potential for carrying out large scale digital crimes unbeknownst to their owners, computers ought to be subject to periodic checks, although this resembles a transport license model which could be hard to enforce or gain support for. Would it be reasonable to require a license to be held in order to operate the computer of tomorrow, even when it is likely that the difference between a computer, a mobile phone and other devices is becoming increasingly diffuse?
"The current situation of malware tsunamis, phishing fraud and spam campaigns has to force user improvements in the digital eco-system. We are being inspired to innovate: before the end of this decade we aim to offer the convenience and guaranteed security of one stop utility computing which will include data cleansing and data vaulting," said DK Matai, Executive Chairman, mi2g.
"This next generation of utility computing - which we call D2-Banking - will be second nature to its users as they enjoy the ability to store and access data and finances from anywhere at anytime without fear of being hacked or plagued by malicious software."
Posted by: Editor
Copyright Public Technology Ltd 2003-2009. Crown copyright material used under click use licence C02W0007583.