A Brief History of Internet-Time
When we look at our (over-)connected life today, it is hard to remember that only ten years ago, some of us had no Internet. When we look at legislative efforts, such as the EU, Finland, or France, to declare 'access to the Internet' or 'access to high-speed data' to be a basic human right, it is good to recall that the early Internet was provided as access between universities and between government agencies. The main design focus, such as in TCP/IP, was around speed and Ubiquity of Access. The focus was not, and arguably is not today, around Security, Privacy, or Integrity.
For over sixty years, a nascent Information Technology (or, as called then, Automated Data Processing) effort has been going on separately and for different reasons than the Internet. This effort, Information Security (also known as Information Protection, Information Assurance and other names), was NOT focused on the Internet and its many threats. Initially, it too focused on military applications.
Even then, in today's forgotten past, certain voices were heard that we are doing it wrong.
Fast-Forward to Now
As I called for in my Strategy to Secure The Federal CyberSpace, we need of a different approach. With malware counts estimated by some to be at the millions and rapidly increasing every day, we no longer can rest on the laurels of current generations thinking, programs and defensive appliances. As my friend John Viega stated in his The Myths of Security: What the Computer Security Industry Doesn't Want You to Know
the question is asked once for every piece of malware that has a cryptographic signature
Which means that often every byte in every file on every computer has to be compared to every signature in every database in the current version of the virus signature files….
If we take real numbers (of about 2 million known malware pieces) and add a mere 10,000 new signatures per day (and this is even without counting poly-morhpic code!), and apply it to a mere 50MB file, we see that each and every part of every file has to be compared to millions of signatures. The math boggles the mind.
2,000,000 (signatures) X 50MB (file) = 2,000,000 X 50,000,000 Bytes = 100,000,000,000,000 attempts (100 million millions)
2,000,000 (signatures) X 500MB (file) = 2,000,000 X 500,000,000 Bytes = 1,000,000,000,000,000 attempts
2,000,000 (signatures) X 5GB (file) = 2,000,000 X 5,000,000,000 Bytes = 10,000,000,000,000,000 attempts
2,000,000 (signatures) X 50GB (file) = 2,000,000 X 50,000,000,000 Bytes = 100,000,000,000,000,000 attempts
2,000,000 (signatures) X 500GB (file) = 2,000,000 X 500,000,000,000 Bytes = 1,000,000,000,000,000,000 attempts (1 million, million, millions)
It does not scale.
Likewise, the shear number and variety of hacker attacks today, combined with Smart attacks are such that we had to invent yet another acronym: APT. APT, or "Advanced Persistent Threat", is what i predict all (well, over 80%) of attacks to become in the immediate future. Basically we are saying "we know what, we know whom, but we can't do didly about this". This is tantamount to us admitting the Hackers have won.
Old Thinking is New Again
Roger Schell, in a famous demand from the mid-1970's has warned us: We must switch away from Black-Listing. Black Listing, the practice of blocking 'known bad' events, processes, programs and computers from accessing our protected data resources is simply no longer relevant. While i understand that many voice in the information security community will disagree with me, especially those affiliated with Symantec, McAfee and the such, I must issue a call for the re-birth of WHITE listing.
Under the rules of White Listing we, and in particular businesses, must create a list of "allowables". These allowabales would include, for example:
- Allowed users
- Allowed connection (on a firewall, or on every single computer)
- Allowed software (yes, we need to learn the signature of the software we allow on our computers)
- Allowed addresses (just think: no more spam!)
- Allowed traffic forms (if we don't use SNMP, why allow it in the network?)
- Allowed time-of-day and source for individual process
- and many more
While this approach will be difficult at first, the difficulty will not be technical. We must adjust to a new format of thinking and we must teach this format. We need to have Security reborn.
Considering the forces laid out against us, do we have a choice?