Hacker Economics 3: MPACK and the Next Wave of Malware
Third in a series. New variants and new methods proliferate in the wake of 76service.
Mon, October 08, 2007
The Radical New Strategy?
If users are, as one bank CISO said, dumb; and if banks can just write off their losses; and if the Internet is fundamentally insecure; and if vendors' defenses can't keep up; and if law enforcement is overmatched; what happens next?
Like Jackson, Chris Rouland of IBM ISS believes the days of acceptable loss at the banks are numbered, but he has a hard time seeing a “blame the customer” strategy succeed. “These write-offs, this thing about putting it on consumers, it will end. It has to,” he says.
Rouland says that he is rethinking security at a fundamental level, and many others in the industry are as well. "We're basically telling banks that client security is your problem, not [your customers'] problem. We're saying all the awareness in the world cannot adequately secure client machines. Telling customers to secure themselves will not work. We believe that in order to fix the problem, you have to protect customers' customers. You have no choice."
Notice that Rouland did not say you have to secure the client. He never says the banks must figure out a way to protect that machine. That's careful and deliberate, because Rouland doesn't believe that's what banks have to do. When it comes to securing PCs, Rouland's advice is radical: Give up.
"In the next generation," he says, "we will all do business with infected end points."
He was asked to repeat what he said, just to be sure. So he did: “Our strategy is we have to figure out how you do business with an infected computer. How do you secure a transaction with an infected machine? Whoever figures out how to do that first will win.”