Ira,

Several products do this, and yes, it should be the standard.  But it is costly.  That's one of the problems we face in the security field.  I know you are well aware.

Limited budgets are the fact of life.  We (security) compete with business groups for money.  When compared to a new project that has the potential to bring an increase in revenue, the security tool fails miserably.

It's only been since the age of regulatory compliance (with financial impact) that we've been able to get an edge in the budget game.

I can only imagine where we would be if the NAC solutions were in place and protecting us on a daily basis... Ah Utopia!

ISPs could run pen tests on client machines.  They could also scan in and outbound traffic, identify the bots and disconnect them.  The reason they don't do any of that is because it costs an ISP something like $60 per incident in support costs when the consumer starts complaining, "Why did you cut me off?  What did you do to my computer?  I demand that you fix it!"

I'll have to write a column about that soon.  It's perverse incentive: ISPs won't do the right thing because it's against their financial interest, at least until somebody holds them liable for the damages caused by malicious traffic from their networks.

Ira,

You are per chance, referring to the Cisco Security Agent I assume. A firm that I worked with used this, albeit an older version 5.0.x(?), which was a tad bit buggy and poorly managed. It liked to whack XP upside the chops with the occasional BSOD. Later versions were more stable. The BIG thing with getting the CSA to work properly was allowing enough experienced, knowledgeable support for it (more pesky 'competence' and 'having enough I.T. budget' shtuff in order to do things right). The company using this flew by the seat of their pants a bit with it = issues, including the new CIO’s laptop Blew Screaming when he was overseas (ah lovely). Later on after we (tech support, Mgmt and end users) complained (more like b1tched readily) enough about it and even UN-installed it a few times; THEN more resources were allotted & issues were ironed out. All in all, 'twas a decent tool when configured & supported "PROPERLY!" Beats the “Hope & Pray for the Best Method” used by all too many computer...f-oh-lks.

Thanks for identifying the term I couldnt think of at the time.

Everyone in the technical profession should push for their organizations to implements NAC.  Ironically, the much maligned AOL was a leader in this field, providing malware protection as part of their client software.

Please make sure that your organizations are diligent enough to use this type of protection.  It not only protects the organization, it protects others.

NAC is a concept/technology that has been around for a while, but is still not gaining enough momentum in corporate America. I've actually been a bit surprised that I rarely hear a member of executive management mention it...it's been a buzz word lately, and I know how non-techie people love acronyms. ;-)

What is kind of bizarre (surreal that it is not in use) about your comments is that I remember talking to a large university right after Slammer came out.  That was in 2003 or so.

The university implemented a Cisco end point security agent that worked by verifying a system had all patches and anti-malware updates applied, before the system was allowed on the network.  The technology has been readily available for about 5 years, and it is bizarre to me that it is not more in use.

JP : = "Is this yet another issue we want the government stepping in on?"

most certainly not, at least not in my view. government will make a horrible mess if they try to legislate a solution; at most all I would be interested in is in changing the policy on product liability.  all this would tend to do would be to motivate the industry to pay attention to security

security should be built-in on every computer sold. customers have a right to expect that.

it would undoubtably be usefull to discuss what those expectations ought to be

first and foremost customer computer should not be updated with un-authorized programs -- even if the customer is tricked with a phish -- the security software should discover the phish does not have the necessary credentials -- and refuse to install.

in addition, web pages or other executable documents which the customer might process should not be conducting data-mining or other spying, snooping for account numbers, passwords, or other data.

it should be noted that this wish list is just BASIC security: protecting the operating environment from tampering and protecting one application from another.  just the basics.

IRA,

Couldn't agree more! Internet Community insanity CAN be good for business (for me anyway in some regards). The Internet is really a COMMUNITY. Is it not?

Q: OK...what community DOES not have crime? What person (realistic person anyway), in a community expects to do nothing, NOT be educated about the dangers of the "bad" parts of the community to know when & where to walk during the day/nighttime etc., and expect to have nothing happen to them! 

A: Insane/unrealistic people! Like the ex-nun I know, who lived down in a "bad" area of the city, but she went jogging in the early am anyway, like EVERYONE told her not to! YEP, she was mugged & assaulted! (True story too!). 

The Internet is a dangerous place ppl, inform & protect yourself or stay away!

Can hardware/software be made better? Of course. Will threats STOP? NEVER! Can the PEOPLE who run the hardware/software do it better? Ha ha ha ha.....ahhhh.....maybe????  I vote for DO DILIGENCE (as mirrored by society).

You're right, Mike. The bigger problem is WHO determines what is realistic and what is practical?

The government steps in on a lot of issue regarding the safety and welfare of consumers and the public in general. The FDA requires warnings on medications and foods. Remember the "shown to cause cancer in laboratory test animals" that used to be on everything with sacharine as an ingredient?

Is this yet another issue we want the government stepping in on? Do we want completely non-technical people who will get all of their policy influence from large technology conglomerates?

To some extent, a little bit or regulation and ownership/acceptance of liability might be comforting, but I have doubts that the government would mandate anything correctly. And, if they do, what price will the consumer pay?

Jason: ="Whose responsibility is it to make sure the end-user is informed?"

excellent post and I think we need to examine

• what is realistic?
• what is practicle?

It is not realistic to expect the average customer to effect an A/V defense; the A/V defense must be included in his purchase.

now, from a practicle standpoint how do we get it to happen?  if we can't embarrass vendors into providing an effective a/v defense then we will have to petition government to make it mandatory.

it's looking more and more like it will need to be product liability legislation