How do you continue to do business with malware infected customers?
Posted by Gunter Ollmann on November 04, 2008 at 2:30 PM EST.
A visual metaphor commonly employed by people to describe the enormity of something that’s not receiving due attention is “the elephant in the room”.
Whenever I’m meeting with customers, and they’re describing their security problems and the threats that concern them, there’s often a herd of elephants kicking about the room (luckily only a few of them are ‘white elephants’). But, surprisingly enough there’s one particular elephant that rarely gets a mention at all. I’m not sure whether that’s because it’s an elephant that ‘none dare to speak its name’ or the fact that it’s too big to fit inside the room in the first place, regardless though, how do you continue to do business with malware infected customers?

Let’s face it, we’ve been inundated with statistics for years now about how many botnet empires there are, how big they are, and how risky it is to be surfing the Web today. Popular estimates suggest that somewhere between one-quarter and one-third of ALL computers are infected with something bad. How malicious that “something” is can vary greatly, but it sure as hell isn’t getting any friendlier.
From an online business continuity perspective, what are organizations doing? Not a lot really. Some are extolling the benefits of desktop anti-virus (and even offering it for free to their customers), while others are deploying additional physical security devices (e.g. tokens, calculators, Chip & PIN readers, etc.) and out-of-band “secure” communications (e.g. SMS text messaging, encrypted email, etc.) – the net result is that the end-user of the technology – i.e. the customer – has to do more work in order to keep on being a customer. That doesn’t sound like such a great strategy to me.
On top of all that, what about this huge elephant in the room? The figures say that a sizable percentage of an organization’s customers are going to be infected regardless of all these client-side security technologies they deploy – and the numbers are going up all the time. So, how should businesses operate in a world where they are forced to continue to service a growing population of infected customers?
Most organizations have perceived the problem to be their customers’ problem – after all, they’re the ones that are infected – and have dealt with it by instructing them in how to cure themselves of the ailment, or by offering various self-medication programs.
I guess, without trivializing the nature of the threat, the ubiquity of customer infection should now be thought of in terms of the common cold (acute viral nasopharyngitis) rather than an Ebola filovirus. The malware infections businesses must contend with aren’t designed to kill the host outright (e.g. Ebola); instead they’re sneaky, persistent, and resilient to most protection strategies (e.g. the common cold) and, for the most part, it’s business as usual once they’ve caught it.

Just like in the physical world, people catch a cold and largely continue on doing the things they did before. That’s the nature of the threat businesses have to contend with now – assuming that the infection is out there, acknowledging that there’s very little they can do to stop the infection, and finding new ways for customers to continue to conduct their business without contaminating the overall system.
Unfortunately, as you’ve probably discovered from some of my previous posts, the man-in-the-browser attack vector is particularly insidious and difficult to thwart – and I’m not a great fan of pushing more and more technology down to the end customer (i.e. go forth and protect thyself).
So, with that in mind, over the weekend I put some serious thought into the problem and examined some of the new protection options online businesses could adopt. The net result was a short paper designed for Web application developers and designers, and for security auditors or penetration testers – focusing on new design elements that can help reduce the threat without increasing the onus on the application end user.
You can access the paper “Continuing Business with Malware Infected Customers” now.
I’d welcome any feedback you have.

