Microsoft security proposal is noble, but no way

To cure the botnet plague, Microsoft wants to quarantine infected consumer PCs until they're remediated.

This article can also be found in the Premium Editorial Download: Information Security magazine, "Meeting cloud computing compliance mandates."

Imagine all the money we'd have if we really did get a dollar every time we heard X. For instance, I wish I had a buck for every time I heard cybersecurity compared to a public health model. Or how about this one: I wish I had a nickel for every time I heard someone propose some kind of operator's license for Internet usage.

Talk about Christmas shopping made easy.

Microsoft is the latest to draw a parallel between cybersecurity and human health. Silly comparison aside, at its core, Microsoft's proposal to quarantine and deny infected consumer PC Internet access until their issues are remediated is a noble attempt to quell the botnet problem.

Consumer PCs, I dare say, make up close to 90 percent of all large botnets. Why? Because people, no matter how much you plead with them not to do so, will click on attachments promising naked pictures of Megan Fox. People will fall for scams about their no-longer active PayPal accounts -- even if they've never signed up for a PayPal account. People, consumers in this case, are not Windows administrators and for the most part, don't know a bot from their elbow. They just want unfettered access to FarmVille and Foursquare and they don't care if on the back end, their excruciatingly slow PC is sending Viagra spam.

So that's argument enough in favor of Microsoft's initiative, "Collective Defense: Applying Public Health Models to the Internet," right?

Can't go there.

Scott Charney, corporate vice president of Microsoft's Trustworthy Computing Group, first hinted at this during his RSA Conference 2010 keynote. Charney followed that up in early October with a more formal presentation at the ISSE 2010 computer security conference in Berlin, calling for a collective approach between governments, big business and Internet service providers to monitor and quarantine infected machines, and notify owners that they're offline until their device passes muster. Comcast already has rolled out ConstantGuard to its customers, which, in addition to free malware protection and backup services for its subscribers, includes a bot notification service. The service notifies the customer if a computer connecting through Comcast appears to be infected and acting as a bot.

What ConstantGuard won't do, however, is take you offline. It won't bar you from unfettered Internet access until remediation is applied. It does point you to another page where you can take steps to get your machine cleaned and to download the free antimalware software it provides.

To go beyond that is the slipperiest of slopes. The obvious conflict here is that Microsoft might suggest that its Network Access Protection (NAP) technology be at the heart of any such effort to clean up the Net. But beyond that, who is the arbiter of secure consumer configurations? Do you really want ISPs, or heaven forbid the government, deeming what passes the sniff test for a safe computer? Rogue antimalware scams are rampant on the Internet now; wouldn't this proposal kick the door open for a spate of new scams targeting consumers worried their PCs won't be allowed to connect to Facebook? And targeted attacks backed by a zero-day vulnerability or two won't abate because of this.

Microsoft has done exceptional work improving the security ecosystem. It was instrumental in shutting down the Waledac botnet family and has taken similar steps with other organized malware efforts. Patch Tuesday has introduced consistency into organizations' vulnerability management programs, while the Security Development Lifecycle (SDL) has improved the security of Microsoft's products to the point where they're not the scourge of the Internet that they once were. Also, many enterprises have cherry-picked bits and pieces of Microsoft's internal SDL process and adopted it for their respective environments to great results.

Maybe in this case, we're just shooting the messenger. But Microsoft, despite its advances, is still far from a security hero in many eyes. Any industry-wide or Internet-wide initiative such as this one immediately casts a shadow of suspicion about Microsoft's true intentions.

Android and Apple may be making inroads as computing platforms, but the truth for the immediate time being is that Microsoft has a stranglehold on personal computing. And the reality is that Microsoft's products are still feature-rich, feature-first products that make their way to market saddled with security vulnerabilities. Nobody understands market pressures better than Microsoft, but if you're going to force security onto consumers you risk inhibiting productivity, and that's exactly what we've been pleading with security experts to stop doing for far too many years.

Michael S. Mimoso is Editorial Director of the Security Media Group at TechTarget. Send comments on this column to feedback@infosecuritymag.com.

This was first published in November 2010