Vulnerabilities / Threats
2/15/2011
12:39 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

RSA: Microsoft Revises Computer Quarantine Proposal

Scott Charney now believes users should present claims about the health of their computers without the involvement of ISPs.

At the RSA conference in San Francisco, Calif., on Tuesday Scott Charney, Microsoft's corporate vice president for trustworthy computing, revised his controversial call to apply the public health model to cybersecurity.

Charney had previously proposed that computers should be required to present cryptographically signed claims to ISPs about their health -- as measured by the absence of infectious malware -- before being granted network access.

But rather than push for an authoritarian approach in which infected machines could be quarantined and kept offline, Charney has come to believe that a community-based paradigm, in which users present machine health claims directly to Web services, without the involvement of ISPs, presents a more workable path.

"What's really changed is that as we started thinking more about the identity model, where you pass claims about your identity, we realized a better model is to pass claims about machine health, where the user controls the claims," he said in an interview last week.

Charney acknowledged that his message -- presented under the theme "Collective Defense" -- is not really a new one. He and his company remain interested in leveraging identity as a means of enhancing network security -- primarily through its Windows CardSpace identity system -- without doing away with the possibility of anonymity.

Identity, says Charney, is even more important as we shift toward a cloud computing model because so much information can be accessed through the network. But Charney now sees value in putting users rather than ISPs in control of the security-related claims process.

"It's not about gating people's access to the Internet," he said. "It's really about taking preventive measures to ensure they have a healthy experience on the Internet."

When Charney first proposed applying the public health model to cybersecurity last year, Electronic Frontier Foundation legal director Cindy Cohn urged caution in using the public health model for computer security until the implications are more fully understood. Her concern was that users could find themselves denied network access without adequate safeguards.

Part of what has prompted Charney to revise his suggestion is the extent to which the Internet has become indispensable. "Increasingly around the world, access to the Internet is being viewed as a fundamental right," he said. "That's an important change in perception."

Charney acknowledges that we have other fundamental rights, like freedom of speech, and says that while these rights are not absolute, they're of such importance that you want to be sure that security needs don't impact those rights in an unreasonable or unnecessary way.

"This model of passing health claims is actually what companies do today with network access protection," he said," where you pass a machine claim that your antivirus and your patches are up to date. And if not, your CIO and your company help remediate your machine. We realized with a claims-based model, that could scale to the public as well."

"The beauty of this model is the user remains in control," said Charney in his keynote address.

Charney argued that finally the social, political, economic, and IT spheres are aligning to make collaborative cybersecurity more workable. He suggested that rather advancing one cybersecurity policy, we need four: one for cybercrime, one for economic espionage, one for military espionage, and one for cyber warfare.

The first three, he said, are problems with precedents. We can harmonize laws to better address cybercrime, use diplomacy to press for international behavioral standards to limit economic espionage, and accept that we're not going to get rid of military espionage, which has persisted for centuries. Cyber warfare he sees as uncharted territory since it's not clear how nations should respond to the theft or destruction of data.

Justifying his advocacy of a public health model for computer security, Charney suggested considering other shared environments like public schools, where children are required to be vaccinated. "We need to make sure that people understand this is a shared and integrated domain," he said.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, January 2015
To find and fix exploits aimed directly at your business, stop waiting for alerts and become a proactive hunter.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3580
Published: 2014-12-18
The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) via a REPORT request for a resource that does not exist.

CVE-2014-6076
Published: 2014-12-18
IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 allow remote attackers to conduct clickjacking attacks via a crafted web site.

CVE-2014-6077
Published: 2014-12-18
Cross-site request forgery (CSRF) vulnerability in IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences.

CVE-2014-6078
Published: 2014-12-18
IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 do not have a lockout period after invalid login attempts, which makes it easier for remote attackers to obtain admin access via a brute-force attack.

CVE-2014-6080
Published: 2014-12-18
SQL injection vulnerability in IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.