Malware protection in the 21st century

Series of locks on binary code with one unlocked

There are some very peculiar tribal divides in our business. Even though security is these days much more about education than it is about arcane and ever-changing automated attack and detection software, it's still thought of as being "what firewalls do" or "that's in the anti-virus on the PC", even though lots of businesses have the web running through the whole of their daily lives, from business model to server setup and more besides.

So why, then, do we think of stuff on the web as being at arm's length from "IT" and, certainly in the minds of most cloud salesmen, as a replacement for it?

I don't see that distinction at all, especially at the very worst of times, when the chips are quite literally down and various fantasies about running a lights-out business with everything up the wire evaporate in as long as it takes for someone who knows their stuff to confirm that yes, the link's gone cold or the servers are not responding.

This is normally the point at which, in one especially painful scenario, that of the Distributed Denial of Service (DDoS) attack, the cloud- or hosting-dependent business has a sudden introduction to the business of web server security and attack responses. Some of this is treated as arcane knowledge within the hosting business, with dark comments about good and bad hosters' vulnerability to attack, but that can all be filed under puff-chested industry self-delusion: affected businesses tend to jump rapidly back to the people they know they can trust, and that starts with the internal IT people, many of whom do not deserve the "inefficient" or "difficult" label they are landed with.

My impression is that the general hosting environment is in many ways less securable, and as a result actually less secure, than a well-run company Windows LAN. Tight control of user roles and logging of activities is only really maturing now, which is why web hosting toolkit maker Parallels wanted everyone to understand what could be done to minimise risk, provided that you were starting with the new release of its Plesk control panel application platform.

To do this, in true Parallels style, it invited various businesses and individuals with long security track records to come and make up a panel session at the recent Parallels Summit in New Orleans. I know, it might sound as if sitting in a freezing, over-air-conditioned room listening earnestly to opinions on security would be poorly attended with the French Quarter only a 10-minute walk away, but trust me on this: if there's ever a topic on which the inside track is quite literally company-saving stuff, it's this one.

For me the most interesting presentation, and answers to questions from the floor, came from Matt Prince, CEO of Cloudflare. Even a few minutes talking to him showed up the limits of my somewhat traditional, Windows mindset as to what makes up good security and how to form a response to an attack whose source you can't contact, whose motives are hidden, and whose end is nowhere in sight.

It seemed to me that one practical outcome of the difference between "IT guy" security and "Web Guy" security is that the Web Guy stuff is all after the fact. You wait for something to go bang, and then you apply the kind of traffic redirection and gateway filtering that Cloudflare offers. Hey presto: as happened with the Pathe Film and Eurovision Song Contest sites, the minute they even tick the basic service offering at $20/month, the botnet simply goes away. Matt agreed that this is the traditional approach (there were some funny stories in there about Eurovision too), but took the whole concept and turned my head inside out just using these simple examples.

The first gold-plated aside was that apparently, if you go into the Dark Net and look around with some care, the open market in hack capacity available to hit targets on receipt of payment is essentially a gargantuan product review system. Matt likes this because the verdict on Cloudflare is extremely simple. Price for taking down a non-Cloudflare site: $50. Price for a site with Cloudflare: $2,000.

More subtly, though, the Cloudflare approach of routing all your site traffic through their homegrown, non-standard, proprietary analysing smart traffic gateways allows them to break the rules which underpin the ease of entry for a hacker and their army of home-alone drone PCs, and not only those: the gatewaying system also cheapens your hosting traffic charges, by cutting out inefficiencies inherent to plain old HTTP over IP.

(In case you think I am in the thrall of Cloudflare here, I should point out that all the answers coming from the WordPress security expert on the panel started with him jerking his thumb at Matt Prince and saying "hire these guys, then do this".)

The final semi-accidental aside that I thought worthy of thinking about, under the heading of "pause for thought for IT types with web roles", was Matt's justification for the sunny-day signup option. Yes, DDoS attacks are relatively rare, though they do tend to crop up as a result of high growth or public attention. Yes, after the attack starts, the 90th-percentile quick fix is easy to apply and doesn't have to involve web host people or HTTP jockeys. However, if you are already signed up, even just to the free version of Cloudflare's services, then its custom gateways can collect web traffic analytics and metrics, and thereby come up with a reasonable summary of what your legitimate site traffic looks like.

The longer they have been doing this, the more accurate their division of good and bad traffic can be when the fell day dawns that you are (as seemed to be the case with Pathe News) the end-of-course exam target for a hacker school somewhere in China.
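To make the "learn what normal looks like first" point concrete, here is a small added example of my own, not Cloudflare's code and not anything shown at the summit: it builds a per-source request-rate baseline from a constructed quiet period, then uses it to separate regular visitors from drone hosts in a constructed attack minute. All IP addresses and request counts are made up for the illustration.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed sample traffic, not real logs: (minute, client_ip, path).
# Quiet period: three regular visitors making a handful of requests per minute.
NORMAL = [(m, ip, "/index.html")
          for m in range(10)
          for ip, n in (("198.51.100.7", 3), ("198.51.100.8", 5), ("198.51.100.9", 2))
          for _ in range(n)]

# Attack minute: two of the regulars are still browsing, plus five drone hosts
# (documentation-range addresses) each firing 60 requests in the same minute.
DRONES = [f"203.0.113.{i}" for i in range(1, 6)]
ATTACK = ([(20, ip, "/index.html")
           for ip, n in (("198.51.100.7", 4), ("198.51.100.9", 2)) for _ in range(n)]
          + [(20, ip, "/") for ip in DRONES for _ in range(60)])


def per_source_minute_counts(log):
    """Requests per (minute, client_ip) pair."""
    return Counter((minute, ip) for minute, ip, _ in log)


def build_baseline(log):
    """Mean and population std-dev of per-source requests per minute while things are quiet.
    A longer quiet window gives a steadier estimate, which is the point of signing up early."""
    rates = list(per_source_minute_counts(log).values())
    return mean(rates), pstdev(rates)


def flag_sources(log, baseline, k=3.0, floor=10):
    """Sources whose per-minute rate exceeds mean + k*sigma; the absolute floor stops a
    very quiet baseline from flagging a visitor who merely clicks a bit faster than usual."""
    mu, sigma = baseline
    threshold = max(mu + k * sigma, floor)
    return sorted({ip for (_, ip), n in per_source_minute_counts(log).items() if n > threshold})


if __name__ == "__main__":
    base = build_baseline(NORMAL)
    print("baseline mean/sigma:", base)
    print("flagged during attack minute:", flag_sources(ATTACK, base))
```

Anything flagged here would feed the kind of gateway filtering the article describes; the regular visitors, whose rates sit inside the learned band, pass untouched.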

As quick views into the heart of a massive body of expertise gained out on the front line of a desperate problem, I thought that was definitely worth your attention. It surely got mine.