Sicurezza IT proattiva
 

Handling an infected computer as an infected human being

Introduction

The RSA Conferences are among the most important annual security conferences. This year's (2010) US conference was held in San Francisco on 1 - 5 March.

One of the speakers was Microsoft's Scott Charney, Corporate Vice President Trustworthy Computing. His speech covered several interesting topics, of which we will discuss one: the feasibility, usefulness and implications of treating infected computers in a similar manner as infected human beings.

The issue

Of the enormous number of computers all over the world, millions are infected by malicious software. A large proportion of these are also (unknowingly) participating in various botnets and may then be used by malicious persons and organizations as attack platforms against other organizations and individuals. We have seen several examples of this in recent years.

As we know, several types of protective measures can be taken to minimize the risk of being infected. (The risk cannot be eliminated, but some basic protective measures reduce it significantly.) Some of these measures are:

  • updating the installed operating system and applications regularly, whenever the software vendors issue security patches,
  • installing and updating software that protects against malicious software (antivirus and antispyware programs),
  • installing firewalls, personal and/or corporate,
  • using intrusion detection/prevention systems,
  • applying common sense!

What all of these have in common is that some action is required from the owner of the computer(s). If no action is taken and a computer is connected to the Internet, the probability of infection is high.

A central problem is that the consequences of an infected computer do not affect only its owner. A large number of other computer owners are put at risk as well, since one infected computer may infect others and/or take part in various kinds of attacks.

The analogy

The analogy that Scott Charney draws - and it seems a good one - is between infected computers and infected human beings.

A person who is infected by, for example, a virus has a personal responsibility to avoid infecting others. If he does not take this responsibility himself, society may take action and ultimately quarantine him. The recent swine flu pandemic, and the measures taken by authorities in several countries, is a typical example of this. Even though an infected individual may want to move about freely, society will not allow it, as the consequences for others are undesirable and potentially lethal.

The restrictions on smoking are another example. Although most countries acknowledge an individual's right to harm herself, restrictions on harming others through exposure to passive smoking are increasingly being implemented in different countries. One person's wishes and actions are restricted in order to protect others.

One may view infected computers in a similar manner. Quoting Scott Charney from his RSA speech:

You don't have the right to infect your neighbor. Computers are the same way.

If such an approach is accepted as wise, further questions arise: How should an infected computer be stopped from infecting others, who should be responsible for invoking the necessary procedures, and finally, why should those able to carry out these procedures comply?

How to isolate infected computers and by whom

The traditional approach to the spread of malware has been to stop it at the receiving end, at the moment an attempt is made to infect a computer. However, as we discussed in our security article of November 2008, Combattere i malware su due fronti (Fighting malware on two fronts), focusing also on the distribution side of malware can be very efficient.

Technically, isolating an infected computer from other computers is not complicated. Every computer on a network is identified by its address, and the IT personnel of an organization can quite easily block any computer in that organization from accessing the network. In the same way, an Internet Service Provider (ISP) can cut off a computer, organization or account from the network (the Internet) for any reason. Note that an ISP normally sees a subscriber account or line rather than an individual computer, since several machines may share one address behind a home router; in that case the whole account is what gets isolated.

A problem, of course, is determining that a computer is infected. Typical tools for this are antimalware products on the host and traffic-analysis applications on the network, the latter looking for behaviour characteristic of bots rather than for the malware itself.

Another problem is the motivation of those infected to take any action at all. As discussed above, keeping a computer secure involves a significant amount of continuous work, and potentially also direct costs for purchasing security applications. Individuals and organizations may choose not to invest in the needed security, judging (rightly or wrongly) that the inconvenience of an infected computer is smaller than the cost of minimizing the risk. The cost to other persons and organizations that may subsequently be infected does not enter into this calculation.

From the ISP's point of view the same applies: Should it be the ISP's responsibility - and cost - to invest time and money in supervising its customers and "punishing" behaviour that the customer herself has chosen? It may even be legally questionable.

These are typical examples of actions that seem wise for a single party but are unwise for society as a whole (in economic terms, a negative externality).

Obviously, several of the parties that must be involved in a functioning isolation scheme will see it as being in their own interest that such a system works. Best-practice agreements will therefore probably function to some extent. The problem is that if some participants do not comply, the consequences may be substantial, since even a few infected computers can be a considerable problem for everyone else.

The inevitable consequence seems to be that for such a system to function fully at a national level, legislation or similar measures need to be introduced. Since the Internet does not respect national boundaries, however, international agreements will have to be set up for the system to be really effective.

Additional issues

In addition to the more political issue discussed in this article, there are some more practical issues that are outside this article's scope but must nevertheless be addressed if one chooses to pursue this approach. Some examples are:

  • The false positive problem
    As with all technology used to identify malicious programs, there is a risk of erroneously restricting a computer's access to the network. This is a special problem in itself; see our security article Problemi di sicurezza? - no! (Security problems? - no!) for further discussion.
  • Who should decide what type of malware requires quarantine
    As we have discussed in other security articles - see for example Problemi legati alla valutazione della pericolosità (Problems in assessing the level of danger) - there are grey areas. The ongoing discussion about access to Internet resources that are politically "suspect" in certain countries also applies here.
  • Reporting fit for duty
    If an ISP has quarantined an account from Internet access, the account owner will (hopefully) at some point be able and willing to fix the problem. Procedures must be set up for how the owner informs the ISP and how the ISP can verify that the account is clean before restoring access.
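As an added illustration of the mechanics described under "How to isolate infected computers and by whom" and of the false-positive and fit-for-duty points above, the following Python script was written for this edition; it is not code from the article, from Microsoft or from the RSA talk. It flags hosts from constructed flow records using two simple traffic-analysis heuristics (a desktop delivering mail directly to many servers, and a host checking in with one endpoint at regular intervals), emits gateway rules that leave only a remediation portal reachable, and re-runs the same checks on a host before it is released. All addresses, thresholds, the mail-relay allowlist, the portal and the iptables rule text are assumptions made for the example.

```python
# Added example, not code from the original article, Microsoft or the RSA talk.
# A toy network-quarantine workflow: flag hosts from constructed flow records,
# emit isolation rules for them, and re-check a host before it is released.
# Addresses, thresholds, the allowlist and the rule text are illustrative assumptions.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    ts: int     # seconds, relative to an arbitrary start (constructed)
    src: str    # internal host that opened the connection
    dst: str    # destination address
    dport: int  # destination port


# Hosts whose legitimate role looks like malware: a mail relay fans out on port 25.
# Listing such roles up front is one cheap guard against the false-positive problem.
KNOWN_MAIL_RELAYS: Set[str] = {"10.0.0.5"}

# What a quarantined host may still reach: the local resolver and a remediation portal.
RESOLVER = "10.0.0.1"
PORTAL = "192.0.2.10"


def _beacons(flows: List[Flow], min_count: int, max_jitter: int) -> Dict[str, str]:
    """Return src -> 'dst:port' for hosts contacting one endpoint at near-constant intervals."""
    series: Dict[Tuple[str, str, int], List[int]] = defaultdict(list)
    for f in flows:
        series[(f.src, f.dst, f.dport)].append(f.ts)
    found: Dict[str, str] = {}
    for (src, dst, dport), stamps in series.items():
        if len(stamps) < max(min_count, 2):
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if max(gaps) - min(gaps) <= max_jitter:   # regular timing, typical of a bot check-in
            found[src] = f"{dst}:{dport}"
    return found


def flag_hosts(flows: List[Flow], smtp_fanout: int = 8,
               beacon_min: int = 6, beacon_jitter: int = 2) -> Dict[str, List[str]]:
    """Traffic analysis: src -> reasons, for hosts whose behaviour suggests a bot."""
    reasons: Dict[str, List[str]] = defaultdict(list)
    smtp_targets: Dict[str, Set[str]] = defaultdict(set)
    for f in flows:
        if f.dport == 25 and f.src not in KNOWN_MAIL_RELAYS:
            smtp_targets[f.src].add(f.dst)
    for src, targets in smtp_targets.items():
        if len(targets) >= smtp_fanout:            # direct-to-MX delivery from a desktop: spam bot
            reasons[src].append(f"smtp fan-out to {len(targets)} hosts")
    for src, endpoint in _beacons(flows, beacon_min, beacon_jitter).items():
        reasons[src].append(f"beaconing to {endpoint}")
    return dict(reasons)


def quarantine_rules(host: str) -> List[str]:
    """iptables rules for an assumed gateway (FORWARD chain): only remediation stays reachable."""
    return [
        f"iptables -A FORWARD -s {host} -d {RESOLVER} -p udp --dport 53 -j ACCEPT",
        f"iptables -A FORWARD -s {host} -d {PORTAL} -p tcp --dport 443 -j ACCEPT",
        f"iptables -A FORWARD -s {host} -j REJECT --reject-with icmp-admin-prohibited",
    ]


def release_rules(host: str) -> List[str]:
    """Exact mirror of quarantine_rules(): -D deletes precisely the rules that were appended."""
    return [r.replace("-A FORWARD", "-D FORWARD", 1) for r in quarantine_rules(host)]


def fit_for_duty(host: str, recent_flows: List[Flow]) -> bool:
    """Re-run the same heuristics on traffic seen from the host after the owner reports a clean-up.
    Assumes the sensor sits on the inside interface, so rejected attempts are still recorded."""
    return host not in flag_hosts([f for f in recent_flows if f.src == host])


def sample_flows() -> List[Flow]:
    """Constructed flow records, not real captures, covering the cases above."""
    flows: List[Flow] = []
    for ts in (0, 60, 120, 180, 240, 300, 361):          # bot check-in, about every 60 s
        flows.append(Flow(ts, "10.0.0.23", "198.51.100.7", 443))
    for i in range(10):                                  # spam bot hitting ten distinct MXs
        flows.append(Flow(10 + i, "10.0.0.45", f"203.0.113.{i + 1}", 25))
    for i in range(12):                                  # the site's mail relay, same pattern
        flows.append(Flow(20 + i, "10.0.0.5", f"203.0.113.{i + 50}", 25))
    for ts, dst in ((5, "198.51.100.20"), (19, "198.51.100.21"),
                    (40, "198.51.100.20"), (97, "198.51.100.22")):   # ordinary browsing
        flows.append(Flow(ts, "10.0.0.77", dst, 443))
    return flows


if __name__ == "__main__":
    for host, why in sorted(flag_hosts(sample_flows()).items()):
        print(f"{host}: {'; '.join(why)}")
        for rule in quarantine_rules(host):
            print("   ", rule)
    # After clean-up 10.0.0.23 only talks to the portal, so it passes the release check.
    cleaned = [Flow(t, "10.0.0.23", PORTAL, 443) for t in (1000, 1007, 1100)]
    print("10.0.0.23 fit for duty:", fit_for_duty("10.0.0.23", cleaned))
```

Two design points matter more than the heuristics themselves. First, the allowlist of known roles (here the mail relay) is what keeps the spam-bot rule from quarantining the organization's own mail server, which is exactly the false-positive case discussed above; any real deployment needs the same kind of context about what a host is supposed to do. Second, the release check deliberately reuses the detection logic rather than trusting the owner's report, which is the "fit for duty" verification the article asks for, and the release rules are generated from the quarantine rules so that nothing stays behind on the gateway.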

Conclusion

Handling infected computers in a similar way to infected human beings is an interesting approach to the malware problem. For the system to be effective, however, a substantial amount of self-regulation, and ultimately national legislation and multinational agreements, are required.
