The Friday Interview: Dave Rand, Trend Micro

30 May 2008

Dave Rand (pictured), chief technology officer for Trend Micro, talks about the scale of security threats and what can be done to stop them

Why should we worry about botnets?
In 2005, there were about 2.1 million compromised computers used in an average month to send spam. In 2006, that number was 4.2 million. In 2007, that number was 10 million on average. This year I’m predicting between 20 and 100 million.

How is Ireland affected?
The number varies from a low of about 13,000 to a high of a little over 20,000 computers being used in Ireland each month. It’s very hard to get fully accurate numbers on this but the total number is roughly 200,000.

What can be done to stop it?
The internet service providers (ISPs) need to get involved in security. They know the bot networks are there and they know which users are infected and they’re choosing to turn a blind eye and not inform the users. There is a valid reason why: the problem is that any time they have contact with a customer it costs money.

We’ve got to increase the rates overall for ISP access so security is part of the fee you pay. And we in the security industry have to bring effective tools to bear on the problem so the ISP can just go to this website, click yes and the problem will be fixed.

How quickly could that be put in place?
It’s not too far down the road, and with co-operation from the ISPs it can happen a lot faster.

Should businesses be concerned: surely they’re protected against new threats?
Firstly, the number of new types of infections has really risen in the last short while. In the first two months of 2008, there were about five million new pieces of malware. That’s more than in the previous 15 years combined.

Secondly, the malware is becoming a lot more intelligent now. It’s mining data from computers and using them to perpetrate fraud and send spam.

Is the industry hyping the problem?
You have data on your computers and you need to protect that. The downside is there’s no appliance or piece of software; nothing you can do that will adequately secure that information. Security is a process, not an appliance, and you have to really think of it that way in the long term.

By Gordon Smith