Dear ISP, it's time to quarantine your malware-infected customers

Summary: In a perfect world, you will not just get a notification from your ISP about your participation in a botnet; you may easily get "quarantined" until you meet certain "security awareness" requirements combined with proof that you're no longer infected.

Is your computer infected with malware that, without your knowledge, uses your bandwidth to spread more malware, spam and phishing attacks, and perhaps even hosts most of them?

In a perfect world, you will not just get a notification from your ISP about your participation in a botnet; you may easily get "quarantined" until you meet certain "security awareness" requirements and provide proof that you're no longer infected.

What's the current international attitude towards this approach? What are the pros and cons of such an action? What do key security experts and cybercrime fighters think about it? Let's find out.

In a MAAWG survey released in 2010, 65% of the users blamed their ISPs and ESPs for the spread of computer viruses, fraudulent emails, spyware and spam in general, followed by antivirus vendors. Most recently, Microsoft proposed a public health model for Internet-connected PCs:

“If a device is known to be a danger to the Internet, the user should be notified and the device should be cleaned before it is allowed unfettered access to the Internet, minimizing the risk of the infected device contaminating other devices or otherwise disrupting legitimate Internet activities,” Charney declared.

The proposal once again puts the spotlight on Internet Service Providers.

An Internet Service Provider is in a unique position to make a change. The thing with ISPs, from my perspective, is that even though they are in the best position, as a distribution channel, to monetize and offer (security) value to their customers as a service, the majority are not tailoring their propositions using the right technologies.

There's no shortage of solutions, and even though some ISPs claim they need a decent incentive to offer security services -- besides common sense, since it's their network's reputation at stake, and the potential revenue increase -- I think that offering their customers the wrong choice is even worse. In Australia, for instance, ISPs are offered a voluntary code of conduct aiming to limit Internet connectivity for malware-infected customers. Germany has been doing that for years using the "walled garden" concept, and through the German Anti-Bot Initiative.

If only an ISP's marketing folks would realize that the right security-as-a-service proposition can be their most valuable asset in the overall differentiation strategy: happy customers, and a socially oriented ISP with industry credibility for truly caring about its network reputation and its customers.

Let's consider the competitive advantages and disadvantages, from a business perspective, of quarantining the customers of a particular ISP. If one ISP decides to participate but the rest don't, that ISP becomes less competitive, since the only thing the end user cares about is his access to the net, and the other ISPs won't take it away from him. However, a clean backyard means better network performance and a socially oriented attitude that every major ISP should already have established.

What ISPs should do is reposition themselves as socially oriented companies, and migrate from being resellers of antivirus software to actually educating the end user before, and in between, offering him Internet access: moving from disconnecting and alerting malware-infected customers to quarantining them and educating them efficiently through a standard security awareness course, in the form of a game or a simple educational questionnaire.

It's time for a change, a radical one.

Of the three approaches, quarantining, disconnecting, or alerting, which one do you think is most feasible when dealing with botnets?

What do you think?


Topics: Enterprise Software, Security, Telcos


Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog sharing real-time threats intelligence data with the rest of the community...
