Platt Perspective on Business and Technology

Information systems security and the ongoing consequences of always being reactive – 1

Posted in business and convergent technologies by Timothy Platt on February 4, 2013

I have been writing in this blog from its earliest postings about change, and about how we are facing fundamental change coming out of the information technology revolution. This change has been taking place, in a fundamental sense, since the dawn of electronic information technology with the first vacuum tube powered computers. And a closer look at this ongoing process shows that it in fact divides into a whole series of disruptive innovations, each followed by rapid dissemination and then by rapid but still evolutionary follow-through until the next disruptive change comes along – or sometimes several at once. Collectively this has brought us to a situation where online connected and connectable computers, desktop, laptop, tablet and handheld, are essentially everywhere and ubiquitous in our lives, and we are all connected. Moore’s law, which still accurately describes the pace of this ongoing change and is one of its better known measures, touches upon only one small part of what has been developing here. I write this posting and begin this series by building up to and then citing a second growth and performance metric, though I add that this is one that few would brag about.

From the dawn of electronic computers to roughly the year 2000, malicious hacking was conducted mostly by people who were motivated primarily by the challenge of breaking into computers and computer systems, and of proving their technical skills and prowess by doing so. The more technically sophisticated of them gained reputations and respect within their communities for their accomplishments.

Many of the attacks they launched, or sought to launch, could best be viewed as attempts to penetrate network and individual computer security in order to gain access to the information within, but little if any of this was carried out for strictly monetary gain. As one measure of the overall level of activity during this period, it is estimated that perhaps one million distinct new computer viruses were launched worldwide, along with significant but much smaller numbers of computer worms, rootkits and other malware. Most of this malware was developed after the introduction and widespread adoption of the personal computer, in response to its reaching the general public in vast numbers. Quite simply, bragging rights to having produced a piece of malware that had successfully compromised X computers were seen as real proof of hacking prowess, particularly as that number X grew competitively large.

Breaking that million virus number down:

• At the extreme end of damage capability were zero-day attacks: malware-based assaults that compromised software, and the computers it was installed on, through vulnerabilities unknown to the software’s makers. If even the people who produced that software did not know of these vulnerabilities, neither they nor any anti-virus software producers would know that they should look for attacks that worked through them. So these vulnerabilities were wide open for those who could find and capitalize upon them. And I add that true zero-day attacks have always been the rarest of all malware forms, as they represent true disruptive innovation in malware design and production.
• Next in level of damage came malware that exploited what were in principle known vulnerabilities, but in new ways and with new code. This level represents the step where the disruptive innovation of those zero-day attacks is more fully developed to its potential, through numerous alternative implementations.
• And next – take your choice as to what comes next, as there are two candidates for that next level down. One is old and well-known vulnerabilities successfully exploited by old and known viruses and other malware – attacks that still worked on computers not adequately protected with updated anti-virus software.
• The other is malware cobbled together by less knowledgeable hackers from other people’s code, basically just reinventing the old-meets-old scenario. Towards the end of this timeframe, running up to the year 2000, these hackers, disparagingly referred to as script kiddies by more experienced hackers, could even find malware development tools online to help with the gluing together – meaning that even less real knowledge or skill was now needed to participate.
• Web sites and online forums were developed and maintained where members of the hacker community could trade notes on what worked, and on their exploits in proving that. It became increasingly possible to find and download malware source code this way too, of progressively newer vintage, as well as malware development software tools for building or gluing together your own. This industry began to really mature.

Then a watershed event took place, and people who entered into this with a profit motive began to get heavily involved in malware and black hat (malicious) hacking. And here is the second number that, when paired with my year-2000 benchmark of one million viruses, forms that second, non-Moore’s-law progress metric. By the end of 2010 the number of new viruses out in the wild – in real user computers and networks, and not just in sequestered research computers – had gone up 50-fold. That means some 13,700 new viruses on average every day, with no breaks, over the course of that 10 year period, or if you will a new virus produced and launched approximately every 6.3 seconds. But that is misleading, and for several reasons. First, the rate of new virus development grew very rapidly over that period, and a large percentage of this overall growth took place in the last few years of that decade, so a flat average understates the rate of change and the increasing level of malicious activity. And second, more and more viruses were developed to be polymorphic.

The primary method that antivirus software has traditionally used to identify and block virus attacks has been to look for specific code associated with known viruses. So when a computer user or systems manager downloads and installs an antivirus update, what they are primarily doing is installing a vast file of new virus definitions: code snippets that the antivirus software looks for in any downloads or software installations attempted, or already present, on the computer, to identify where and when a known virus is lurking. A polymorphic virus is one that changes its code with each replication while preserving the underlying algorithm through which it acts. This means that much of the code that goes into a known-virus definition in an update may already be obsolete, even for direct offspring of the exact copy that the definition was derived from. Needless to say, this can mean overestimation of the number of distinct viruses out there.
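As an added illustration, not code from the original post, here is a toy model of the definition-matching approach just described and of why a polymorphic copy slips past it while a decode-then-scan check does not. The payload bytes, the signature and the `STUB` decoder layout are all constructed for the demo; nothing here is real malware.

```python
"""
Toy model: signature scanning versus a polymorphic sample.
All byte strings are constructed for the demonstration.
"""
from typing import Optional

# Constructed stand-in for a virus body; the "definition" an antivirus
# update would ship is a fixed substring of it.
PAYLOAD = b"CONSTRUCTED-SAMPLE-BODY::copy-self;hide;exfil"
SIGNATURE = b"copy-self;hide;exfil"


def signature_scan(blob: bytes, signature: bytes = SIGNATURE) -> bool:
    """Classic definition matching: is the known snippet present verbatim?"""
    return signature in blob


def polymorphic_copy(payload: bytes, key: int) -> bytes:
    """
    Model of polymorphic replication: the body is XOR-encoded with a
    per-copy key and prefixed with a tiny decoder stub carrying that key.
    The algorithm is unchanged; only its byte representation varies.
    Hypothetical stub layout (constructed): b"STUB" + one key byte.
    """
    encoded = bytes(b ^ key for b in payload)
    return b"STUB" + bytes([key]) + encoded


def unpack_if_stub(blob: bytes) -> Optional[bytes]:
    """Defender-side normalisation: recognise the stub and undo the encoding."""
    if not blob.startswith(b"STUB") or len(blob) < 5:
        return None
    key = blob[4]
    return bytes(b ^ key for b in blob[5:])


def normalised_scan(blob: bytes, signature: bytes = SIGNATURE) -> bool:
    """Scan what the code would look like once decoded (what an emulator sees)."""
    body = unpack_if_stub(blob)
    return signature_scan(body if body is not None else blob, signature)


def demo() -> dict:
    """Three byte-distinct copies of one algorithm: raw scan misses all,
    normalised scan catches all, and a naive count sees three 'viruses'."""
    copies = [polymorphic_copy(PAYLOAD, k) for k in (0x21, 0x5A, 0xC3)]
    return {
        "original": signature_scan(PAYLOAD),
        "raw_hits": sum(signature_scan(c) for c in copies),
        "normalised_hits": sum(normalised_scan(c) for c in copies),
        "distinct_forms": len(set(copies)),
    }
```

The `distinct_forms` count is the point about inflated virus tallies: three byte-different files, one underlying program.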

But the exact numbers are not the important point here.

• What is important is that the actual number of viruses and other malware out in the wild is growing, and at an increasingly rapid pace.
• The sophistication of this malware has been steadily increasing. Here it is important to note that while early generation malware usually made itself immediately known, as soon as the profit motive entered the picture stealth became a primary goal. You cannot steal credit card numbers and other monetarily valuable personal information if users know their computers are infected and stop using them for transactions where they would enter that data.
• And everything that I have been writing about up to here has been entirely reactive on the part of software developers, antivirus and information security systems developers, and computer systems users too. And reactive here has progressively come to mean lagging further and further behind.

I am going to continue this discussion in the next series installment, starting with that last bullet point and its consequences. Meanwhile, you can find this and related postings at Ubiquitous Computing and Communications – everywhere all the time.
