The Unisys Security Index for the first half of 2012 indicates 33% of respondents are “not concerned” about computer security in relation to viruses or unsolicited e-mails. This is up from 18% last year at this time.
Why this sudden view that all is well? Have we knocked out these cyber nasties? Hardly. Estimates discussed at this year’s RSA Security Conference in February were that from 10% to 20% of the Internet is infected with something.
The days when bored college students and macho programmers vied to create and distribute the most elegant or loudest and most annoying malware are long over. Stealing information and identities has become big business. Organized crime and nation-state-sponsored cyber-espionage are quiet activities – they don’t want to attract attention.
These groups are using remote management capabilities that would be the envy of many corporate IT departments to accumulate and maintain herds of zombie PCs – PCs that belong to unsuspecting computer users everywhere. Once they’ve infected a system, they patch it, suppress whatever anti-virus software may be present, and manage its configuration as they see fit. In this way, they ensure that rival botnet herders can’t steal it from them, and the legitimate owner never even knows they are there.
Remember last year when Aunt Sue was driving you crazy asking for help fixing her PC? Haven’t heard from her for a while? “The PC is working just fine, thank you.” Yes, she’s no longer concerned … but the rest of us should be because her infected system can be used to attack ours.
This problem of users who don’t understand their systems well enough to tell something is wrong isn’t going to be solved by educating them. As computers get easier to use, there is less incentive for users to understand how they work internally. Who can fix their car by themselves these days?
The organizations best positioned to detect these infected systems are the major Internet Service Providers (ISPs). So far, they haven’t been given any incentive to do anything about the problem. Relative to their customers, ISPs are in a position to play the same role corporate IT departments play for workstations on their intranets. They can run monitoring systems to detect infected machines, provide mechanisms to help fix them, and keep them off the network until they are fixed.
I don’t think anyone would argue against the result this would produce; the rub is figuring out who pays for it.