Countries, companies and consumers struggle to understand and manage the myriad of cyber threats that have been launched against us for the last twenty years. Unfortunately, we’re largely on the losing side of this struggle as determined criminals focus their full efforts on finding new methods to attack internet systems, services, and the individuals who use them.
Today, Scott Charney, Corporate Vice President, Trustworthy Computing, at Microsoft, posted a blog titled “The Need for Global Collective Defense on the Internet” with his thoughts and links to white papers he’s written on the subject.
Written in layman’s terms, his thoughtful approach is a short but important read for everyone who wants to understand the issues, complexities, and potential approaches to reducing cyber threats.
Excerpts from Scott Charney’s blog post:
“…Although many organizations have invested significantly in information assurance, most computer security experts believe that a well-resourced and persistent adversary will more often than not be successful in attacking systems, especially if raising defenses is the only response to an attack. For this reason, increasing attention is being paid to deterring such attacks in the first instance, especially by governments that have the power to investigate criminal activity and use a wide range of tools to respond to other public safety and national security concerns.
Notwithstanding this emerging discussion, it appears to many people that neither governments nor industry are well-positioned to respond to this highly complex threat and that, from a policy and tactical perspective, there is considerable paralysis…
…one possible approach to addressing botnets and other malware impacting consumer machines… involves implementing a global collective defense of Internet health much like what we see in place today in the world of public health. I outline my vision in a new position paper Microsoft is publishing today titled “Collective Defense: Applying Public Health Models to the Internet.”
…Just as when an individual who is not vaccinated puts others’ health at risk, computers that are not protected or have been compromised with a bot put others at risk and pose a greater threat to society. In the physical world, international, national, and local health organizations identify, track and control the spread of disease which can include, where necessary, quarantining people to avoid the infection of others. Simply put, we need to improve and maintain the health of consumer devices connected to the Internet in order to avoid greater societal risk. To realize this vision, there are steps that can be taken by governments, the IT industry, Internet access providers, users and others to evaluate the health of consumer devices before granting them unfettered access to the Internet or other critical resources.
Cyber security policy and corresponding legislation is being actively discussed in many nations around the world and there is a huge opportunity to promote this Internet health model. As part of this discussion, it is important to focus on building a socially acceptable model. While the security benefits may be clear, it is important to achieve those benefits in a way that does not erode privacy or otherwise raise concern.
Within the current legal and political landscape, and with the current state-of-the-art in technology, there are collective defense actions we can take now and we should commit to continued cooperation, collaboration and investment to fully leverage current tools and technology. With examples like France’s Signal Spam or Japan’s Cyber Clean Center as models, industry and governments need to build upon the successes to more systematically help improve and maintain the health of Internet connected systems and to disrupt cybercrime and other threats to individuals and society.
For its part, Microsoft looks forward to continuing to provide and promote research and development that will make system scanning and cleanup more cost effective, along with looking to solve current technical barriers. We will also advocate for legislation and policies worldwide that help advance the model, but does so in a way that advances principles supporting user control and privacy.”
The internet is too valuable a resource to allow crooks or creeps to exploit it. It powers our countries, our commerce, and our communications. Supporting thoughtful efforts to increase security and safety while ensuring privacy is critical to our future, but it is something harder for individuals to do.
What you can do right now
In spite of serious security threats, the answer isn’t to unplug your computer and head for the hills. Instead, take a few precautions to protect yourself, your friends and family, and the nation’s infrastructure.
Make sure your computers and internet connections are secure with proactive protection software that automatically updates; that you use strong, unique passwords and keep them private; and that you learn to avoid socially engineered exploits. It also means that every family member and anyone else who uses your computer(s) follows the same security rigor.
- Secure your computer. If your computer isn’t protected from Trojans, viruses, bots, and other malware, your financial information, passwords, and identity will be stolen, harming you and potentially spreading the malware to others. This concept is so basic, yet only 20% of the US population adequately protects their computers. If the cost of security software is prohibitive, use one of the excellent free services.
- Secure your Internet connection – make sure your computer’s firewall is on. If you use a wireless network, it needs to be encrypted so that someone lurking outside the house can’t collect your information. If you need a free firewall, click here.
- Use strong passwords. A weak password is all it takes for someone to steal it. If you use the same password on multiple sites (or everywhere) you are asking for real trouble. Safe passwords don’t have to be hard to create, just hard to guess.
- When searching, do NOT assume sponsored sites are safe. Because I use McAfee Site Advisor (it’s free), I see a warning notifying me of the risk. Without a tool like this, you have no way of judging whether the site is legitimate or going to give you malware, spam, etc. Other companies offer similar services; pick one and use it!
- Trust is key. Know the site. Know the user. Know the company. Misplaced trust will land you in a world of trouble.
- You can no longer assume that links within trusted sites are safe. IBM’s research highlights the increase in malicious content placed on trusted sites.
- Be cautious and stay in the driver’s seat. Instead of clicking on a link, copy the URL into a search engine query and look at the results. Does the site have a positive safety rating? Don’t be pulled by links that may or may not take you where you want to go. This is particularly true with ‘shortened’ or ‘mini’ links used on sites like Twitter. If you do not have 100% confidence that the link is going to take you to a legitimate site, look up the material yourself. Learn how to Mitigate Risks When Using Shortened URL’s.