The Internet needs its own Weather Channel

An Internet early-warning system would help organizations stay a step ahead of cyber criminals

Living on the East Coast, I often wonder how the early pioneers lived without Doppler radar and the Weather Channel. Today, we know about hurricanes weeks ahead of time, and you have days to batten down the hatches, gas up the car, and buy strawberry Pop-Tarts at Wal-Mart. Think I'm kidding about the last item? It's a consumer behavior proven to be an early indicator of where a hurricane will actually strike. Just look up the phrase "hurricane poptarts walmart" in your favorite search engine.

We often say that security should be baked in to any system from the start, but we usually don't do it -- especially with the Internet. In the early days, the architects of the Internet were just trying to get a few separated computers to communicate with each other. By the time the miscreants began showing up to wreak havoc and commit cyber crimes, it was too late to rebuild the Internet's basic underpinnings. It's been a hardscrabble fight ever since, with the good guys and end-users losing most of the way.

[ Master your security with InfoWorld's interactive Security iGuide. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. | Get a dose of daily computer security news by following Roger Grimes on Twitter. ]

One of the best things we could do for the Internet is to create an early-warning system (EWS) to warn us against rapidly spreading malware, spam attacks, and the like. Having thought about this for years, I envision this EWS as being a free, centralized, Internet-wide service -- a DNS where participants could report and keep abreast of security events.

Here's how it would work: First, trusted devices or people would post notifications about malicious events to the service the moment they're noticed. Examples include the following:

  • "IP address x.x.x.x is currently serving up a botnet"
  • "XYZ Company is currently under attack by a spam worm and any email coming from them should be investigated more thoroughly"
  • "Company X's website is currently hosting a malicious JavaScript redirect"

From there, any person or device could query the health status of any destination or origination point. Thus, when my email server receives an email from a given domain, it would send a one-packet query to the "Internet health service" to see if the sender's domain has been reported as healthy or ill. In either case, it would require only one packet to be sent and one packet in reply.

When the EWS reports something as unhealthy, it would generate a warning message; alternatively, devices could be instructed to handle the incoming traffic appropriately. Your organization could choose to drop traffic from very ill places immediately, accept traffic without further inspection from very healthy places, or further investigate traffic reported in between the two reputation scores.

That reputation score could be based on a confluence of factors, such as written security policies, authentication method, patch status, secure code development, and demonstrated health over years.

To prevent information blockage early on, the EWS could be designed for such legacy systems to be allowed by default, although treated as untrusted, until all the new software and devices start using the centralized security defense.

There are some clear benefits to this sort of system. I know people who want to block wholesale a particular country's IP address space because they are tired of all the maliciousness coming from that nation. But why throw the good out with the bad? What they truly want is an easy way to see if the traffic is originating from a good, healthy part of that country versus one of the thousands of bad IP addresses. An EWS as I've described would make that far easier.

Additionally, such a system would help company's protect themselves against their weakest security link: end-users. As it stands, the average end-user can't be expected to make all the necessary reputation decisions that they are being asked to make on a daily basis. How can they be expected to know if a proposed download from a website they've been visiting for years is malicious? Thus, a centralized reputation service that could be queried to see if the website was compromised and respond accordingly would be welcome.

As to the plausibility of building a service that would rely on reports from various participating organizations, consider this: Most antivirus companies already have daily feeds telling them where the bad traffic is coming from. That information could easily be shared with the world, immediately and for free, from a DNS-like service.

Moreover, all the protocols we need to make this service happen today (HTML, XML, WS-*, IF-MAP, and so on) currently exist. It would just take a few dozen smart people sitting down in a room to figure out values in a table, agree on the service, and implement it.

The Weather Channel and Doppler radar have helped countless people protect themselves, their loved ones, and their belongings from imminent threat. It's high time to extend that early-warning model to the Internet.

This story, "The Internet needs its own Weather Channel," was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes's Security Adviser blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.

Recommended
Join the discussion
Be the first to comment on this article. Our Commenting Policies