Tuesday, April 14, 2015

It Wasn't Englebart's Fault! (part 2)

   When we have a post with a "part 1", it probably means we should have a "part 2".  Sometimes other things get in the way!

   A few posts ago we had part 1 of this discussion.  To briefly review, Douglas Englebart was an engineer, inventor and pioneer of the early internet.  He died in 2013.  He was known for a number of key ideas and inventions.  In 1967, he invented a very useful computer device that is a key component in propagating malware and facilitating phishing attacks... the Mouse!

   In part 1 we discussed how malware (malicious software) like viruses get into our computer systems.  Today we'll wrap things up by looking at why it's difficult for our organizations to stop this malware (and why it's difficult to stop this at home).

   Really, the primary issue this stuff is hard to stop is because it's too easy to click on links and attachments.  As we discussed in part 1, as long as we're clicking, we'll have problems.

   But what about anti-virus software?  Anti-virus (or anti-malware or endpoint protection) software has been around for nearly 30 years.  Yet malware problems seem to be getting worse.  (I'll continue to use the term "virus" generically, but I'm really talking about any kind of malware.)

   Initially, these programs used a technique called "black listing".  The idea is that every time a virus is discovered the security vendors will find a unique aspect of the code, called a "signature", and add it to the list of known signatures.  Then, whenever a program is loaded onto a computer, it is compared to that list and, if found, it is not allowed to run.

   That sounds good in theory.  But there's a saying in security... "You can't enumerate badness".  That means it's not possible to keep up with the variations in malware.  A slight change to a virus program file essentially yields a new virus.  Any new virus is initially not detected, but eventually leads to a change in anti-virus signature files, which leads to creation of a new variant, and so on.  We can't win that race.  These new variants are often called "zero days" because on release day, or "day zero", the virus is not detected by traditional anti-virus programs.

   So what other choices do we have?

   White listing is kind of the opposite of black listing.  Here we create a list of only those programs that are allowed to run on the computer.  Everything else is blocked.  This sounds great in theory!  And, if you're in an environment in which what you run on your computer doesn't change much, that could work.  Of course, in most environments, software does change quite a bit.  Not all products can roll with this.  Still, I think this is a promising direction.

   Some of the newest anti-malware products are using various kinds of statistical or stochastic analysis or execution analysis.  This means that a program is checked for statistically normal execution based on what kind of program it seems to be.  There were some anti-malware products in the past that tried this method and failed.  But there are some new products that also seem promising.

   The Future.

   Ultimately, we have a fundamental problem... we use general purpose computers, that are made to run a very wide variety of code; when most people only need to edit a few documents, answer some email and surf some web pages.  These are highly complex systems and malicious code exploits this complexity.  The "cure" lies in simplicity.

   One technology that can really reduce our exposure is called "virtual desktop" or VDI (virtual desktop infrastructure).  Without getting too deep into the details, a virtual desktop executes programs on a cloud or data center server instead of on your desktop.  There can still be some malware problems, but you can wipe away your "desktop" and start over anytime.

   Another way we can move away from general purpose computers is to use "thin" computers like Chromebooks.  These are not for everyone, but they are simpler, run less code on your desktop, and can be wiped and restarted if there are any issues.

   Malware is with us to stay.  Complex computers containing valuable data and resources will always be a target, but by limiting our total amount of programs and using security programs or thin/virtual machines, we can limit our exposure.

   Oh... and be careful where you click!

No comments:

Post a Comment