
Malware is a Disease; Let's Treat it that Way

Botnets and botnet kits are flourishing. They're now a commodity, as is the use of controlled machines. Just about daily, a new and frightening major system crack is revealed, data is released, and embarrassed IT security people are called on the carpet. Were these a human virus, the CDC would be subjecting it to observation and protocols, while someone raced to invent (perhaps too many) vaccinations for the world to use. It would be an effort that had procedure and a plan. The U.S. lacks a cohesive national plan to control malware, and the costs of exposure might be calculable enough to motivate the organization of an authority to deal with the problem.

The "free market" of protection surrounds the operating system vendors, third-party virus and malware eradication and protection vendors like Kaspersky, Symantec, McAfee (and many others), and a fleet of integrators and consultants. While these organizations provide controls to prevent and mitigate, they aren't financially compelled to stop the problem before it starts. There is no motivation for the ounce of prevention that would avert the hideous pounds and costs of cure.

When an "outbreak" is identified, we have no organized, national plans for when systems go down. No crucial personnel will be given vaccinations for their computers on account of the critical nature of their public service function. Instead, the sequence will look something like this:

1. A few systems will get sick, but the symptoms will be tough to see
2. These systems will rapidly, but almost invisibly, infect others as fast as they possibly can
3. The DNA of the virus or malware will be called into motion, remotely, by the bad guys
4. The initial infection detection occurs
5. The extent of the infection becomes known
6. Security researchers identify the DNA of the virus or malware
7. Pundits, many of them well-intentioned but clueless, will prognosticate various disasters, cite history, and wring their hands
8. The great forces of the "free market" security industry kind of randomly decide what to do as fits their business model and clientele
9. The operating system maker downplays the problem and decides to punt a small fix that might address the situation, while others that are paid bigger money figure out various rescue methods and queue them for deployment
10. The first fixes become available, and various reports will tell the tale of possible success
11. But the first mutations arrive, thwarting at least a few of the fixes
12. In the interim, various machines are infected, cracks open up, fissures in various firewalls and fortresses occur, and important data is stolen or embarrassingly released by the berserkers that enjoy the lulz factor
13. The initial infection isn't completely stanched and a small percentage of systems that continue to be infected will dutifully infect others
14. Cumulative patches and fixes will fill machines until various vendors simply push them off the "support list" leaving them exposed to new and ugly exploits
15. Rinse. Repeat. For. Each. New. Infection.

In the meantime, commerce is stanched like Amazon in an Internet sales tax state. Users and civilians must deal with credit card exposures and identity theft. Breaches cost organizations thousands, and often millions, of dollars. Some don't even survive.

The CDC, however, would perform steps similar to one through five. What happens next is somewhat different. The prize, financially, is the contract for THE vaccination. The ecosystem surrounding finding the vaccination is well known: researchers, rapid trials, then king-hell distribution of the fix.

Some argue that a monolithic vaccination is itself easily corrupted, and that more than one methodology employed in stanching the problem tends to eradicate the virus or malware and reduce subsequent infections. I'm disinclined to believe this, given the fact that malware now targets delivery systems specifically, and with great talent. Acting like the cuckoo, new infections are very deliberate and talented not only at removing other infections, so as to dominate, but at merrily thwarting malware detection infrastructure. I won't touch how law enforcement is seemingly completely clueless in dealing with the problem. They apparently have other important tasks to perform.

Yes, there'll be some who won't be vaccinated for religious reasons. Their systems need to be partitioned so they can't infect others. I don't know the mechanism to do this, but Network Admittance Control is a thought. Still, many will get the vaccination, especially those in critical/crucial roles, so as to keep the country running. The price would be the cost of the vaccination, borne partially by the government and partially by the vaccinated. We would learn more about the nature of viruses and infection vectors, and do the best we can to prevent the problem in the future.

But there would be a singular authority, sworn to the Hippocratic Oath, trying to save lives. In a similar way, we need to realign free market resources and ecosystems with the singular goal of throttling viruses and malware, especially internationally. And we need an adaptation of the Hippocratic Oath to keep computing machinery cleanly running.
