Wave Systems Corp. (fka WAVXQ)

[Fullmoon]

Huh? A Center For Internet Disease Control?

http://www.conceivablytech.com/3333/products/huh-a-center-for-internet-disease-control/

Combining trusted software such as hypervisors and hardware elements such as a Trusted Platform Module (TPM) could further enable consumer devices to create robust health certificates and ensure the integrity of user information.


As we are still trying to figure out what Stuxnet, the truly first public example of a new era of superworms, we are listening to Microsoft warning that consumers, governments and enterprises may not be prepared for a wave of cyber attacks.

Microsoft’s Scott Charney, corporate VP of trustworthy computing, has come up with the idea since, in his argument, our disease prevention infrastructure that has been put in place especially by the Center For Disease Control (CDC) could work for the Internet and threats originating from cyberspace as well. Much like it is the cases with diseases in their traditional meaning, Charney describes a society that is aware of risks, a society that is educated how to avoid infection, and a society that can access advice what to do in a case of infection – from simple actions such as washing hands to systematic approaches how to get rid of a disease.

“To improve the security of the Internet, governments and industry could similarly engage in more methodical and systematic activities to improve and maintain the health of the population of devices in the computing ecosystem by promoting preventative measures, detecting infected devices, notifying affected users, enabling those users to treat devices that are infected with malware, and taking additional action to ensure that infected computers do not put other systems at risk,” Charney writes.

He especially focuses on consumers, as they do not have the layer of protection enterprises tupically have in the form of IT departments and “many consumers have no desire to become IT professionals, let alone security experts.” This circumstance will have the effect that “many consumers may be unwittingly running malware and their computers may be part of a botnet.”

“Such botnets may be used to send spam and engage in illegal activities, including launching denial of service attacks against critical infrastructures,” Charney writes. “Some of these activities create enough traffic on the network to make other egregious activity harder to detect and mitigate.

Education may not be enough anymore in today’s world. And tools that were designed to protect consumers, have been proven inadequate to battle botnets, as there will always be conbsumers who deviate from the guidance given (such as downloading files from unknown sources), Charney argues. “We need a better process of ensuring the health of the IT ecosystem. Simply put, we need to improve and maintain the health of consumer devices connected to the Internet. This will benefit not only users, but also the IT ecosystem as a whole.”

According to Charney, the “health of consumer devices” needs to be ensured by governments, the IT industry and Internet access providers before they can get “unfettered” access to the Internet.

The executive believes that such a scenario can be achieved by “bolstering efforts to identify infected devices and promoting efforts to better demonstrate device health.” From the presentation:

Bolstering efforts to identify infected devices involves analyzing and sharing data from sinkholes, network traffic, and product telemetry to identify potentially infected devices. If a device is known to be a danger to the Internet, the user should be notified and the device should be cleaned before it is allowed unfettered access to the Internet, minimizing the risk of the infected device contaminating other devices or otherwise disrupting legitimate Internet activities. In most cases, this can be done with current technology across multiple systems and platforms. In fact, at least one access provider is now attempting this approach. It is our view that approaches like this need to be broadened significantly, even globally.

Promoting efforts to better demonstrate device health can be done by granting access to resources based on the health of a device; this is similar to using Network Access Protection (NAP) in enterprise environments. To achieve this for consumer devices, four developments must occur. First, we need a mechanism for devices to demonstrate their good health (that is, a way to produce a health certificate) without rendering the systems more vulnerable, less reliable, or providing a conduit for leaking private information. Second, the mechanism that produced the health certificate must be trusted (that is, infected devices should not have a way to fake a health certificate). Combining trusted software such as hypervisors and hardware elements such as a Trusted Platform Module (TPM) could further enable consumer devices to create robust health certificates and ensure the integrity of user information.15 Third, access providers and other organizations must have a way to request health certificates and take appropriate action based upon the information provided. Finally, we will need to create supporting policies and rules to ensure the effectiveness of this model.

Charney proposes that this approach could provide a consumer with a “health certificate” for a device accessing the Internet. If there is a small “problem”, such as a missing patch or out-of-date virus signature, there may be an entity that “assists the user in addressing the security concern or directs the user to resources for remediation.” If there is a more serious problem and a user refuses to get a health certificate, Charney proposes that the user will be motivated to shape up by throttling the bandwidth of the potentially infected device. He does not believe that it is appropriate to deny a user access to the Internet as devices and services converge and a shutoff could have “damaging” consequences: “For instance, an individual might be using his or her Internet device to contact emergency services and, if emergency services were unavailable due to lack of a health inspection or certificate, social acceptance for such a protocol might rightly wane. But much like a cell phone may require a password but still allow emergency calls to be made even without that password, infected computers may still be permitted to engage in certain activities.