Fighting off botnets demands public–private sector partnership

"We can no longer afford to work in a silo to fight the growing sophistication of the cybercriminal", said Craig Spiezle, president of the OTA

According to the Online Trust Alliance (OTA), first and foremost, clear and actionable user notifications are a critical component of the fight against bots and related online threats to users’ data, privacy and identity. But implementing them will be a joint public-private effort.

Providing users with notices, along with the tools and educational resources to help them remediate and recover from bots, is a shared responsibility and critical to the vitality of the internet, OTA noted in a whitepaper it has released on the subject.

“Collectively the working group recognizes the importance of preserving online trust and the integrity of the Internet,” said Craig Spiezle, executive director and president of OTA. “We can no longer afford to work in a silo to fight the growing sophistication of the cybercriminal. It is now necessary to look at the intersection of the public and private sectors to develop and implement the most creative, resilient and effective solutions.”

The growth of bot-infected end-user devices represents a significant threat to the vitality and resiliency of the internet and to the digital economy, OTA explained in its bot overview. They compromise sensitive and personal data from consumers as well as businesses and government agencies, which can lead to online fraud and hijacking of online accounts, impacting commerce and banking sites worldwide. They can lead to attacks against public and private networks, and exploitation of end-users’ computing power and internet access. And, to boot, the growth and the sophistication of bots have spread from the PC to all platforms (Windows, Linux and Mac OS), mobile devices and smartphones, and to critical infrastructure.

Bots are also frequently used as part of coordinated distributed denial-of-service (DDoS) attacks motivated by criminal, political, or other goals. Bots impact everyone from the casual home user to businesses and government agencies worldwide, because they are able to proliferate through a combination of vulnerabilities and socially engineered exploits.

It is thus increasingly important to move from sectorial efforts to a wider holistic view of consumer protection, the OTA noted, and the burden of fighting botnets should not rest solely on any single stakeholder. The strategy is to focus on a holistic view, including prevention, detection and remediation. OTA efforts include working with law enforcement, ISPs and website hosting companies in take-down efforts, promoting best practices to reduce the distribution of bots and helping users reduce the vulnerability attack surface.

Meanwhile, users share a responsibility to keep their devices patched and to exercise safe computing practices. The first line of defense, the OTA suggests, is keeping browsers updated. Modern browsers offer significant security and privacy innovations that can block bot-infested downloads and malicious sites. Users should set all systems to automatically download and install patches. Users should also install and update anti-virus software and solutions, and use a third-party solution to automatically scan and update all applications, extensions and add-ons.

All banking and commerce sites need to update to always-on SSL to encrypt user log-ins and communications, which helps prevent online snooping and the capture of log-on credentials, OTA advised. Email authentication, meanwhile, is a widely accepted best practice to help prevent the delivery of spoofed and forged email. When combined with the draft DMARC specification, brand and domain holders receive telemetry and forensics reports while networks (ISPs and corporate networks) benefit from an increased ability to block bot-infested email, OTA noted.

To augment this effort, OTA has published several recommendations in an effort to help curb the spread and damages from botnets. These include email authentication to aid in the detection of bot-laden email; application auto-updating to reduce device vulnerabilities; server security to reduce website exposure to security and privacy threats; and best practices to help secure the advertising and interactive marketing supply chains from malvertising.
