Sunday, January 23, 2011

On "Quarantine"

I'm not sold on the "quarantine" idea; it does seem like a kludged response to a problem we simply don't have an answer for (the malware problem has been compared to the halting problem). Modern malware has evolved beyond the ability of consumer / small business users to cope with; if organizations like Google and the Army (see September's Foreign Affairs) have public-record losses against malware and the structured threats who create it, what are a small business's chances? None, in the long term. Quarantine is not the answer; it's not a question of motivating the users to do the right thing; it's beyond their abilities to remain free from anything more sophisticated than first-generation nuisance malware created by children. Quarantine might actually degrade providers' security capabilities even further by interrupting their revenue streams. In the long run, small business IT will probably have to move to the cloud as security becomes simply too hard.

As for consumers, it's far too hard. Take banking Trojans for example; two-factor is no longer sufficient for securing access to online financial services (and trying to keep a general purpose desktop free of infection is becoming too expensive and too much work). It's now necessary to also use a stateless virtual machine that boots from a read-only device such as a live CD; this is well beyond the ability of the average consumer. They're going to need a new paradigm - either a platform that authenticates code and makes reputation-based policy decisions like the Apple store, or a largely stateless virtual desktop that can be created and destroyed as often as necessary, or both - I believe we will see ISPs begin to offer virtual desktops to consumers within five years or less; perhaps sooner if the quarantine system becomes painful enough.

It's the principle of the dog park. No matter how careful one is, one inevitably returns from the dog park with dog waste on the shoes some of the time. Cleaning this off is possible, but can be a fair amount of work, esp. when it hardens. Eventually you learn that the best solution - in time and effort - is to wear cheap, disposable shoes. At least this is the best analogy I have to date.

On the subject of the proposed consumer PC infection problem, I think the best answer is probably to give the consumers a stateless virtual machine or virtual desktop that can be disposed of and replaced with a clean instance as necessary. Not trying to push a particular virtualization product; I am increasingly subscribing to the survivability vs. security school of thought and I have begun virtualizing my desktop systems to this end.

I use a number of virtual desktops; one or two stateful machines for doing work, one stateless non-windows machine dedicated to financial transactions and another stateless non-windows machine for cursory examination of suspicious URLs and windows code (serious forensics needs to be done in an isolated lab, away from everyday workstations, as always). All of this runs on a non-windows host platform.
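The disposable banking guest booted from read-only media (above, and in the earlier paragraph on banking Trojans) and the stateful work guests can both be expressed as QEMU launch configurations. The script below is an added example, not code from the original post; it assumes a Linux host with QEMU/KVM installed when a guest is actually started, and the image paths are placeholders you would replace. The `-snapshot` flag is what makes the banking guest stateless: every disk write goes to a temporary file that QEMU discards on exit, and the live ISO itself is attached read-only and checked for immutability before boot. The work guest instead keeps its changes in a qcow2 overlay on top of a read-only base, so "destroy and recreate" is just deleting the overlay.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: qemu-system-x86_64
# and qemu-img are on PATH when RUN_VM=1; all image paths below are placeholders.

# Refuse media that could have been modified: the live image must not be
# writable, so nothing a guest does (or a slip on the host) can persist into
# the next boot. The permission string comes from ls -l, which is portable.
media_is_readonly() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    [ -n "$perms" ] || return 1
    case "$perms" in
        *w*) return 1 ;;
        *)   return 0 ;;
    esac
}

# Command line for the throwaway guest. -snapshot sends every disk write to a
# temporary file QEMU deletes on exit, the ISO is attached read-only, -boot d
# boots from it, and user-mode networking gives outbound access without
# exposing host services to the guest.
disposable_vm_cmd() {
    iso="$1"
    mem="${2:-2048}"
    printf 'qemu-system-x86_64 -enable-kvm -cpu host -m %s -snapshot -boot d' "$mem"
    printf ' -drive file=%s,media=cdrom,readonly=on' "$iso"
    printf ' -netdev user,id=net0 -device virtio-net-pci,netdev=net0'
    printf '\n'
}

# Command line for a stateful work guest: changes live in a qcow2 overlay on
# top of a read-only base image, so deleting the overlay returns the guest to
# the base without touching the base itself.
overlay_vm_cmd() {
    overlay="$1"
    mem="${2:-4096}"
    printf 'qemu-system-x86_64 -enable-kvm -cpu host -m %s' "$mem"
    printf ' -drive file=%s,format=qcow2,if=virtio' "$overlay"
    printf ' -netdev user,id=net0 -device virtio-net-pci,netdev=net0'
    printf '\n'
}

# Launch only when invoked with RUN_VM=1, so sourcing the file for its helper
# functions has no side effects. Usage: RUN_VM=1 ./vm.sh banking|work
if [ "${RUN_VM:-0}" = 1 ]; then
    ISO="${LIVE_ISO:-/srv/images/live.iso}"                    # placeholder
    BASE="${BASE_IMG:-/srv/images/work-base.qcow2}"            # placeholder
    OVERLAY="${OVERLAY_IMG:-/srv/images/work-overlay.qcow2}"   # placeholder
    media_is_readonly "$ISO" || { echo "refusing writable media: $ISO" >&2; exit 1; }
    [ -f "$OVERLAY" ] || qemu-img create -f qcow2 -b "$BASE" -F qcow2 "$OVERLAY"
    case "${1:-banking}" in
        banking) eval "$(disposable_vm_cmd "$ISO")" ;;
        work)    eval "$(overlay_vm_cmd "$OVERLAY")" ;;
        *)       echo "unknown guest: $1" >&2; exit 1 ;;
    esac
fi
```

To reset a work guest, stop it and delete the overlay file; the next launch recreates a fresh one from the base. The banking guest needs no reset step at all, which is the point of booting it from read-only media with `-snapshot`.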
