On Sun, 4 Jan 2009, Jeffrey Lyon wrote:
Say for instance one wanted to create an "ethical botnet," how would
this be done in a manner that is legal, non-abusive toward other
networks, and unquestionably used for legitimate internal security
purposes? How does your company approach this dilemma?
The company I work for has not approached this particular dilemma yet.
I'm not sure what legitimate internal security purposes you're looking to
fulfill, but I think you need to ask yourself a few questions first (not
an all-inclusive list, but food for thought nonetheless):
1. What is the purpose of this legit botnet? In other words, what
business objective does it achieve?
2. Do you have the people in-house to write the software, or would you be
willing to take a chance on using something that exists 'in the wild'?
Depending on how security-minded your shop is, your corporate security
folks and legal counsel might take a dim view toward using untrusted
software on your internal network, especially if source code is not
available. That particular monster can get out of control very quickly.
3. Do you have a sufficient number of machines that are controlled by
you to populate this botnet and achieve my goals (see point 1)?
4. How will this botnet be isolated from the rest of your internal
network, and would that isolation limit or even negate the botnet's
usefulness?
5. If the answer to question 4 is "no isolation", how will you
demonstrably control the botnet's propagation?
6. Depending on the answer to question 5, there might be regulatory
compliance (HIPAA, FERPA, GLB, SOX, internal security/privacy policies,
contractual obligations, etc...) issues to consider.
Our company for instance has always relied on outside attacks to spot
check our security and i'm beginning to think there may be a more user
friendly alternative.
Infection, even for ethical purposes, is still infection.
jms
