Story continued from Page 1
Many major ISPs have taken the first baby steps. They analyze their DNS logs and automatically cut off subscribers making too many bad requests. They use NetFlow to monitor traffic patterns at their routers, and cut off the worst offenders who are saturating bandwidth. They block incoming TCP ports 25 and 80, in a well-intentioned but fruitless effort to stop spam - without realizing that most Trojans open up their SMTP spam engines on entirely different ports. Some even do network scanning of their customers to cut off or warn those who are already compromised, owned up, or otherwise greatly at risk. But ISP security is spotty at best, it varies from provider to provider, and it's done purely in their own self-interest and not out of interest for their customers. Worst of all, the likelihood of cutting off legitimate customers who know what they're doing seems just as high as catching Aunt Margaret's compromised spam gateway machine.
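As an added illustration of the first ISP measure above, here is a DNS-log threshold check with an allowlist as the only guard against the false positives the column warns about. This is example code written for this page, not from the article or any ISP; the log format, client addresses and queried names are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed resolver response log (not real data): timestamp, client IP,
# response code, queried name. 10.0.0.9 bursts failed lookups in seconds;
# 10.0.0.7 makes the same number of failures spread over more than an hour.
SAMPLE_LOG = """\
2004-03-10T12:00:01 10.0.0.5 NOERROR www.example.com
2004-03-10T12:00:02 10.0.0.9 NXDOMAIN a1b2c3.example.net
2004-03-10T12:00:03 10.0.0.9 NXDOMAIN d4e5f6.example.net
2004-03-10T12:00:04 10.0.0.9 NXDOMAIN g7h8i9.example.net
2004-03-10T12:00:05 10.0.0.9 NXDOMAIN j0k1l2.example.net
2004-03-10T12:00:06 10.0.0.5 NXDOMAIN typo.exmaple.com
2004-03-10T12:00:07 10.0.0.9 NXDOMAIN m3n4o5.example.net
2004-03-10T12:30:00 10.0.0.7 NXDOMAIN old1.example.org
2004-03-10T12:31:00 10.0.0.7 NXDOMAIN old2.example.org
2004-03-10T13:45:00 10.0.0.7 NXDOMAIN old3.example.org
2004-03-10T13:46:00 10.0.0.7 NXDOMAIN old4.example.org
2004-03-10T13:47:00 10.0.0.7 NXDOMAIN old5.example.org
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse(log_text):
    """Yield (timestamp, client, rcode, name) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)


def noisy_clients(log_text, threshold=5, window_s=60, allowlist=()):
    """Return {client: peak NXDOMAIN count} for clients that reach `threshold`
    failed lookups inside any sliding window of `window_s` seconds.
    Clients in `allowlist` are never flagged; that list is the operator's only
    guard against cutting off legitimate users who simply make odd queries."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)   # client -> timestamps of recent NXDOMAINs
    flagged = {}
    for ts, client, rcode, _name in sorted(parse(log_text)):
        if rcode != "NXDOMAIN" or client in allowlist:
            continue
        q = recent[client]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[client] = max(flagged.get(client, 0), len(q))
    return flagged
```

Widening the window to two hours flags the slow client too, which is exactly the tuning trade-off between catching a spam engine and cutting off a customer who knows what they are doing.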
Major companies share the blame
Many large corporations and enterprises are only marginally more secure than the average home user, due largely to their insecure desktop machines. While it's difficult to fault the IT staff of an enterprise when Bob in Accounting clicks on a zip file, puts in the provided password, and unleashes the latest Trojan sent to him, there's enough blame to go around for everyone. Odds are pretty good that the corporation is still standardized on Windows 2000, which is almost at its end-of-life. There's also a good chance of finding many machines in the enterprise still running Windows 98 or 95. Trust me, they're everywhere. Having spent many years in software sales, I can say without a doubt that many organizations are far, far behind the desktop technology curve compared to most home users.
Does Bob in Accounting really need Internet access? Does Jim in Finance really need to surf the Web? The most secure computer is a disconnected one; in light of security, IT managers need to push back on departments and users and limit those business users to just those who really need access to the Internet.
Criminal hackers are to blame
The criminals who create, modify and distribute viruses, Trojans and worms are the source of many of the security problems on the Internet, and they know it. It may have started as a game, but now it's a business that is starting to bring in big profits through phishing, botnets, DDoS threats, extortion, and so on. The criminals would deserve all the blame if it weren't for human nature to want to destroy things that other people have built. They would deserve all the blame if they thought for a minute about the impact their creations might have on millions of people. They would deserve all the blame if it weren't so incredibly easy to just slightly modify a piece of publicly-available virus code and release it to the world, and then be guaranteed that a few hundred thousand people will click on it before the latest A/V signature is even available. They would deserve all the blame if it wasn't so darn easy to convince a user to click on the attached picture: "it's one of Angelina Jolie and she's nude," pretty much guarantees success.
Criminal hackers might deserve most of the blame, but they're also a check and balance to all those insecure systems out there. And they're not going away. The few who get caught may maintain that they're doing a good thing for society, much the way a terrorist or a religious fundamentalist believes he is following a righteous cause... but only a few of these criminals will ever get caught.
We share the blame
At SecurityFocus we provide Bugtraq and the vulnerability database, which is time-sensitive and useful information that is most often used to secure networks. When a reader discovers a newly vulnerable application or system, they must patch it, make it unavailable, or take it down. But any information can be used for nefarious purposes too, and exploit code or information on exploiting new vulnerabilities can be just one step away from a new virus. If we did not provide the forum for vulnerability discussion and management, it would continue to be provided somewhere else.
OS vendors and application providers, well...
The biggest groups who need to share the blame are the OS and application vendors, and you know who they are. They're selling you licenses and maintenance contracts so they always have your business and you always own the newest version of their software - but more often, your organization has a version installed that's two full releases old.
For vendors to share the blame for viruses and worms, there must be an admission of guilt, an acknowledgement of bloatware, poor programming practices and a general lack of regard for all things secure - they must take ownership of the monsters that they have created, particularly on the desktop. But it will never happen, and they'll never share the blame. While the OpenBSD style of dumbed-down, simplified and secure systems (with a heavily audited code base) that just plain work might be one of the smartest approaches to security, almost every other vendor is progressing in the exact opposite direction. Bigger, better, slower and less secure. And for that, these vendors share the blame but with one important difference: they do so while wearing blindfolds, forced to provide more and better features in newer and more bloated versions, while stumbling forward into the realm of new product sales instead of security.
We all must share the blame for a lack of progress in the security industry. It's great fun to point fingers at each other while the criminals keep their heads down and continue to work. If we continue to point fingers at each other, rest assured we'll get nothing done.