Quarantine is a word derived from the 17th century Venetian for 40 (quaranta). The purpose of quarantine is to separate and restrict the movement of otherwise healthy organisms who may have been exposed to disease, to see if they become ill. The 40 day period was designed to identify carriers of the Bubonic plague, or Black Death, before they could go ashore and spread the contagion more widely. Desperate times call for desperate measures; nevertheless the concept was widely adopted and remains with us to this day.
The word quarantine has been thoroughly misused by the well-meaning security industry, where known infected files or systems are moved to a protected area until they can be examined and cleaned up. More accurately we should be calling this “isolation”, as in most cases we already know the subject to be compromised or infected. Nonetheless, this serves an equally important purpose: containing the spread of compromise and its consequences, for example the abuse of compromised systems for sending spam, the theft of sensitive information and the spread of infection.
Today’s unprecedented co-ordinated action between law enforcement, security providers such as Trend Micro and Internet Service Providers gives us a chance to consider how much more widely this concept could or should be applied in the fight against online crime. Desperate times call for desperate measures.
The Internet Service Providers involved in the action against GOZeuS and Cryptolocker are able to take advantage of the intelligence behind the law enforcement operation to identify which of their customers are infected, to notify them and to assist them with clean-up. Should this not serve as the establishment of a standard for the future? Systems that are known to be compromised should be isolated until they can be cleaned up.
When a global alert and education process such as we see today is rolled out, events may seem impressive, particularly to those involved in Information Security: 11 law enforcement agencies, a list of security companies as long as your arm, press conferences and articles in the national and international press. In reality, for the majority of internet users the story will simply pass them by. Educational initiatives are largely only successful at preaching to the choir, so to speak (trying to broaden the conversation was one of the motivations behind our 2020 series last year).
Steps must be taken to bring home to the regular internet user the consequences of their action or their inaction, because even doomsday headlines like “2 weeks to block cyber attack” are forgotten the day after they are published. Couple that with the very real possibility of “notification fatigue”: as breach after breach and data loss after data loss make the news, people simply cease to care, if they ever did in the first place.
ISPs should, on an ongoing basis, take advantage of the threat intelligence feeds of the security industry to identify compromised systems connected to their networks. Those systems should be moved to quarantine, and the account owners should be contacted and directed to resources which will enable them to clean up and rectify the situation. Until such time as the infection is remediated, the computer should be able to access only limited Internet resources. Don’t care will be made to care.
A parallel has long existed in the auto world. Cars are subject to an annual check; if they do not pass this test of their roadworthiness they may not be driven on public roads until remedial works have been carried out, because they represent a danger to the driver and to other road users. Desperate times call for desperate measures.