SIDEBAR: Spreading the Word

Never forget that ever so vital communication strategy

David Hua, producer of the ABC Shop Online ABC Enterprises, says online sales through the shop grew by 41 percent last financial year and are set to grow at an even greater annual rate in future. But it is not just a potential loss of sales during the time the Web site is inaccessible that causes Hua to worry so much about disruptions; it is also "a loss of goodwill and the loss of the brand and the seed loss if the strength of the brand is diminished".

Hua says for the ABC Shop Web site to go down is the equivalent of the ABC's Queen Victoria Building being closed due to vandalism - the ABC simply cannot afford to have someone deface the shop site with the cyber equivalent of spray paint, so it must have the equivalent of cyber security guards front and back with everything locked down. It is not enough to build security into the system behind the scenes, he says, one also must make sure customers know how secure the site is. And when disruptions do occur, Hua believes it is vital to communicate effectively with customers about the reasons why.

"We do all of the regular things, which is to use the most secure encryption system possible and so on, and to reassure our users of that. We're also very aware that a lot of our customers are first time Internet customers who are doing their first online transaction on our site, so we're very clear and upfront about the way in which their information is used. It's not just the fact that we do have all these security systems behind the scenes - we also have to communicate effectively that it is a secure system that they're engaging with."

Hua says perceived security is every bit as important as actual security, and communicating with users about even the briefest disruption is vital.

"Obviously as with any Web site we do regular upgrades. When we upgrade we put up a 'Sorry Page' to say that we're enhancing the Web site and please be patient with us, we'll be back in an hour with something flashier and something nicer for you," Hua says. "If you approach it that way most people are understanding in the same way they are in a bricks and mortar shop if the shop manager has to step out for five minutes and puts out the sign 'Back in five minutes'.

"When we do have issues - and we've only had very minor issues - we're just very upfront about it. If the Web site is a bit slow, then we might put up a message on the front page to say you might be experiencing some slowness at the minute, it's being worked on, or we might mail to our subscribers and say thank you very much for your help and your patience and we'll be back very soon."

SIDSEBAR: The People Paradigm

Bruce Schneier, security technologist and CTO of Counterpane Internet Security, answers questions about computer network defences and sloppy end users

Q: Now that we've moved beyond the "security perimeter" paradigm for security, we seem to be stuck with impossible-to-manage solutions. What is your outlook for relief?

A: I think that the "death of the perimeter" is premature. Perimeter security defences are still valuable, and always will be. It's just that they used to be enough, and now they're not.

The firewall model of network security is based on the castle paradigm. The good guys are on the inside, and you build walls to keep the bad guys out. That worked pretty well when networks were largely self-contained and people worked inside them. Today, things are more complicated. The good guys are regularly on the outside, and the bad guys are inside. Even worse, you want the bad guys on the inside - just not doing bad things. So we have all sorts of solutions: intrusion detection systems, authentication services, VPNs and so on.

Instead of dumping the notion of a perimeter, we need a new paradigm. I think network security is like city security. In a city there are all sorts of perimeters: fences, buildings, rooms. People move in and out of those perimeters, depending on who they are. If you're a shopkeeper, you want everyone to be able to enter the store but only during business hours. And you want only employees to be able to open the door to the stockroom. I think the usability of products is the most critical Internet security problem right now, and I don't see much relief.

Q: Do you think "umbrella" security services - for example, directory services, identity management and user provisioning, single sign-on, transitive trust models - are ready for prime time?

A: Your question points to an interesting paradox in the computer world: Products are never ready for prime time until after they're widely deployed. In other words, it takes a healthy marketplace for a given technology before the problems shake out. Until they're deployed, we don't know what the problems are. We can't fix the technology until we start using it.

So no, I don't think that these services are ready for prime time. But I think we have to deploy them anyway. We need to break them in. We need to watch the bad guys attack them. And slowly, over time, they'll become more robust.

Q: While hardware and software security solutions abound, it seems like users are still the biggest security problem. How do organizations ensure that their people don't violate security?

A: Honestly, they can't. Computers and networks might be difficult to secure, but the biggest security vulnerability is still that link between keyboard and chair. People are sloppy with security; they choose lousy passwords, don't properly delete critical files, and they bypass security policies. They're susceptible to social engineering, and they fall victim to phishing attacks. They misconfigure security hardware and software. They accidentally bring worms and Trojan horses into the network. In short, they're a huge security problem.

Education is part of the solution, but I'm not optimistic about radically changing people's behaviours. I would rather see technology that takes sloppy users into account. For example, there are e-mail encryption programs that automatically secure e-mail: The user doesn't have to remember to do it, and doesn't even have to understand what's going on. Managed security monitoring provides network security even in the face of sloppy users. These types of solutions assume that insecurity - especially user insecurity - is inevitable; they try to maintain security anyway. I don't think there's any other reasonable alternative.

Q: With the advances in technology such as intrusion prevention systems (IPSs), are people becoming obsolete in network security?

A: People are the biggest security problem, and they're also a critical security resource. Even though security products are getting better all the time, attackers are getting more sophisticated. IPS is not any different than intrusion detection systems, or firewalls. They simply don't work without people.

SIDEBAR: Customers Curb Net Enthusiasm

by Jon Surmacz

The Los Angeles Times recently reported that many computer users have begun to curb their use of the Internet because of myriad threats that it presents: identity theft, spam, spyware, viruses and so on. In one extreme case, the Times reports, an avowed technology enthusiast named Stephen Seemayer decided enough was enough. His inbox had become so wrought with spam and his system so choked with spyware that the best solution, in his opinion, was to pull the plug. He's been untethered since September. And he's OK with that.

Although use of the Internet continues to grow across the globe, there are some numbers to suggest that users are increasingly wary of potential threats - especially when it comes to e-commerce. According to Forrester Research, 26 percent of consumers of online financial products say they would rather apply for or purchase products through snail mail or telephone than through the Internet because of phishing concerns. A smaller group (20 percent) says it won't open e-mails that claim they are from a financial provider for the same reason, and 19 percent say they will not enrol in online banking or bill payment because they don't trust the Internet. Furthermore, Harris Interactive reports that growth in e-commerce users has ground to a halt: 27 percent of Internet users conducted a transaction in 2004, up just one percentage point over 2003. (That group grew 20 percent from 2002 to 2003.)

So much for consumer confidence in the Internet.