On Feb 12, 2008 12:17 PM, Owen DeLong <owen@delong.com> wrote:
Considering that the US is also consistently among the top three sources of desirable content, I'm not sure that this ranking necessarily proves much of anything, but, I do agree that ISPs could do a better job of shutting down mal-sites.
Good thread; nice summary, Owen.

There are ways for ISPs to get involved with stopping/controlling botnets, e.g. the very recent work here - http://www.offensivecomputing.net/?q=node/623 and here - http://www.secureworks.com/research/threats/storm-worm/ - and the not-so-distant work here - http://www.bleedingthreats.net/index.php/2007/11/14/encrypted-storm-sigs/

ISPs are in a uniquely powerful control situation with software vendors. We can demand audits from vendors that include SAS 70 Type II / SOX 404 / AS5 or PCI-DSS (even better would be PA-DSS) on the specific parts of their applications that their customers use. We can provide a five-star rating system of "approved OS and applications" that work on our networks. I suggest starting with Microsoft, Adobe, Mozilla, and Google - specifically on products such as Windows, Office, Acrobat Reader, Firefox, and Google search. Make sure that any relationship you have with these vendors starts with a conversation about application security five-star rating systems and ends with http://www.sans.org/whatworks/poster_2008.pdf

Establish relationships with two companies you may not have heard of: ESET and Avira. Avira's AntiVir is the most proven free-for-non-commercial-use AV (http://free-av.com). ESET's Nod32 is the most proven AV that costs a minimal amount of money. Advertise both like they are going out of style everywhere you possibly can. For example, when I call your ISP the phone shouldn't ring, I should go through a menu, and then I should hear, "If you run Microsoft's Windows - consider FreeDashAVDotcom - AntiVir - the safest and free AV solution for your personal computer". Then the technician/salesperson who gets on the line should mention it again right after the initial greetings. All email correspondence should include it at the top of every message. Your websites should have it on the front page, at the top.
I chose AntiVir and Nod32 because of http://www.av-comparatives.org and safety issues (although Symantec is the safest because they have an internal file fuzz testing harness called SEEAS that could certainly stand to be open-sourced or sold commercially). Be careful not to oversell AV as the only fix for security problems because of the inherent difficulties of these products to avoid vulnerabilities themselves (I know it's a contradiction, but life is full of contradictions) - see http://www.nruns.com/aps/The_Death_of_AV_Defense_in_Depth-Revisiting_Anti-Vi... I saw that other people mentioned AVG and avast, so you can just ignore their comments, please.

Because of the problems with AV being particularly vulnerable to common software weaknesses (those "in the know" refer to these by their MITRE CWE definitions), I suggest adding ESET and Avira to our list of "vendors we harass about application security" and demand audits from. I understand that SAS 70 Type II and even SOX 404 do not typically cover "non-financial IT infrastructure", but we don't have to tell the vendors that. Similarly, PCI/PA-DSS do not cover applications that do not contain or transmit cardholder data, although I would argue that all of the vendors named have just gotten away with murder if you think about the reality of this presupposition. It's our fault for not pushing AV on your customers, and it's the AV's fault for not providing audit data to us, and it's the software vendors' fault for causing us to have to recommend AV and for AV to exist. The liability should land on the software vendors.

Make the five-star security rating systems a company-wide movement from the top down with support from C-level upper management and your general counsel. Did I mention product literature? Don't forget to include the five-star security product ratings in this product literature. E.g.
Windows 98 (0 stars), Windows Vista (4 stars), Mac OS X (2 stars), Windows 2000/XP (1 star), Adobe Acrobat Reader (0 stars), Mozilla Firefox (0 stars), Internet Explorer 7 (1 star), Internet Explorer 3/4/5/6 (0 stars), Google Search (0 stars), MSN Search (1 star), Microsoft Office 2007 (1 star), Symantec Norton AV (3 stars), ESET Nod32 (2 stars), Avira AntiVir (1 star), McAfee AV (1 star), all other AV (0 stars), etc.

Do similar security five-star ratings for your recommended/supported router, DSL, and cable modem devices, but base it on their software from the audit reports. Hardware security is not worth time/energy. If this means that Cisco (sans Linksys) and 2WIRE are 1-star contenders in a market full of zeros (well, ok, Juniper gets a 2), then so be it. We've got to show improvement somehow and at some point, so this gives everyone room to grow.

Finally, run Honeyclients against all of your hosting. Promote SpyBye (FOSS) and Tenable PVS (commercial) to your hosting customers in the same way you promote ESET and Avira to your access customers. Be careful how you run Honeyclients because there is a lot of malware that responds to these. It used to be that you could run low-interaction Honeyclients and then follow these scans up with high-interaction Honeyclients. Unfortunately, the career criminals have advanced their methods to prevent this tactic by using elusive/evasive malware. I suggest running taint-mode tools such as Argos because of their efficiency, although Capture is another good high-interaction Honeyclient - http://en.wikipedia.org/wiki/Client_honeypot_/_honeyclient

I suggest running your Honeyclient infrastructure on systems with hardware virtualization running Xen with the ability to shift VM guests around using xm-migrate. This requires shared storage such as OCFS2 with iSCSI (or something old like NFS).
Management systems such as http://en.wikipedia.org/wiki/Enomalism can verify that hundreds of VM guests are at certain patch levels and deployed en masse.

If anyone needs any individual advice, please let me know. I'd also like to hear how you're implementing any of these ideas/concepts and how successful they are - but I also encourage you to send to the mailing list for the benefit of others.

Cheers,
Andre