Security is as much about giving people information as it is about building security systems. That’s the message from the managing director of the London Underground, Tim O’Toole, but it could as easily apply to personal computer security. Don Phillips’ piece in today’s International Herald Tribune could offer useful lessons to software developers and anyone trying to keep trojans, viruses and spyware at bay:
Tim O’Toole, the managing director of the London Underground, who said a terrorist attack last summer was the greatest Underground crisis since the Nazi blitz of World War II, was telling U.S. transit and rail officials they should avoid the temptation to spend lavishly on new security systems just to reassure the riding public.
Instead, he said, spend first on human resources, including constant training and a system to lavish fresh information continually on every employee in the system during a crisis, even if there is a chance some information could fall into the wrong hands.
O’Toole’s message may not have gone down very well since, “outside the hall where he spoke were many exhibits of expensive new equipment to battle terrorism on transit and rail systems.” One could imagine the same thing happening at a computer security conference. But here, I think, a difference emerges. What I think firewall and antivirus vendors need to think about is this: giving timely, useful and intelligible information to users so they can make good decisions. It’s not about locking everything out, because that’s clearly impossible.
Neither is it about ‘educating the user’. Vendors usually complain that they try to do this but fail, so they go the other way — software that does everything silently, behind the scenes, and automatically, with an interface that gives only the barest information or choice to the user. Neither option — education or invisibility — works. Instead, the secret is like the Underground lesson: let people know what’s happening in the context of the situation and threat.
Back to Don’s piece:
O’Toole said the greatest mistake the London Underground had made after the bomb attacks of July 7 was its “poor performance” in keeping employees fully informed of everything that was happening even if that information is sensitive and could not be released to the public right away. In an information vacuum, employees may grow suspicious of authorities just at the time they need to be full members of a crisis team, he said. Management did a “poor job” of information flow during last summer’s attacks, he said. In the future, “We will be pumping everything we know out internally. Some of it may get out, but that’s O.K.”
There’s a clear parallel, in my mind, to Internet threats. Don’t hide knowledge about newly discovered vulnerabilities — newly found holes in existing software that might let bad guys in, if they knew about it — until a fix is found. It’s clear that attacks happen too quickly for antivirus vendors and software developers to be able to cover all contingencies, so better to inform customers and let them assess the risk. The trick is, how to do this?
I would suggest the following guidelines:
Most people now have firewalls installed on their desktop computers. These programs — or anti-virus programs, or antispyware programs, or combinations thereof — could become a sort of signalling service giving timely information to the user. For example, the current Kama Sutra worm, Nyxem.E or Grew.A, could be flagged with a small pop-up message informing the user of the danger and offering suggestions.
Make the information relevant to the situation. How do I know whether the new updates to my firewall keep me safe from the WinAmp bug identified by Secunia? If something big is happening, letting people know quickly might be more worthwhile than feverishly working on an update which doesn’t reach the user in time. In the worst case, the user can just unplug their computer for the rest of the day. Let them make that decision, but give them the information first.
The text of such alerts or advisories has got to be useful and clear. ZoneAlarm and other vendors often leave their messages too vague to be meaningful for us ordinary folk, scaring us out of our wits the first few times until, gradually, just like the boy who cried wolf, we get blasé.
Sadly we’ve become accustomed to ignoring messages we don’t understand. This needs to change. Just like in the ordinary world, we’ve become both numb and constantly terrorized at the same time because of poor or insufficient information. We need to learn lessons about security from other fields. I don’t recommend bombarding users with alerts, but if they are used sparingly, judiciously and with good solid guidance contained inside, I think they are the best way to keep the user in the loop.
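To make the three guidelines above concrete, here is an added example of what such a signalling service might look like inside a desktop firewall or antivirus product. It is illustration written for this post, not code from any vendor mentioned here. It applies the guidelines in order: an advisory is only shown if it matches software the user actually has installed, at an affected version, and not already blocked by the current signatures (relevance); the alert text says plainly what is affected, whether protection covers it, and one thing the user can do now (clarity); and repeats are suppressed and each run is capped, most severe first, so alerts stay rare enough to be read (sparing use). The advisory identifiers, version numbers, signature numbers and summary wording are all constructed sample data; the product names come from the post.

```python
"""Added example: an advisory-signalling service built around the post's
three guidelines (relevance, clear text, sparing use). All advisory ids,
versions and signature numbers below are constructed sample data."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}  # lower sorts first


@dataclass
class Advisory:
    advisory_id: str                 # constructed placeholder id
    product: str                     # product the advisory is about
    affected_max_version: str        # highest affected version, inclusive
    severity: str                    # "high", "medium" or "low"
    summary: str                     # one plain-language description
    guidance: str                    # what the user can actually do right now
    blocked_by_signature: Optional[int] = None  # signature version that blocks it, if any


@dataclass
class Host:
    installed: Dict[str, str]        # product name -> installed version
    signature_version: int           # signature version the host currently has


def version_tuple(version: str):
    """'5.12' -> (5, 12) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def is_relevant(adv: Advisory, host: Host) -> bool:
    """Guideline 2: only raise advisories that apply to this machine right now."""
    installed = host.installed.get(adv.product)
    if installed is None:                                   # product not present
        return False
    if version_tuple(installed) > version_tuple(adv.affected_max_version):
        return False                                        # already past the affected range
    if adv.blocked_by_signature is not None and host.signature_version >= adv.blocked_by_signature:
        return False                                        # protection already covers it
    return True


def render_alert(adv: Advisory, host: Host) -> str:
    """Guideline 3: say what is affected, whether protection covers it, and what to do."""
    version = host.installed[adv.product]
    if adv.blocked_by_signature is None:
        coverage = "No update that blocks this has reached your computer yet."
    else:
        coverage = (f"Your protection will block this once its signatures reach version "
                    f"{adv.blocked_by_signature} (you have {host.signature_version}).")
    return (f"[{adv.severity.upper()}] {adv.product} {version} on this computer is affected by "
            f"{adv.summary} ({adv.advisory_id}). {coverage} What you can do now: {adv.guidance}")


class AlertService:
    """Guideline 1 and 4: a signalling service that never repeats an alert and
    caps how many it shows per run, most severe first."""

    def __init__(self, max_alerts_per_run: int = 2):
        self.max_alerts_per_run = max_alerts_per_run
        self.already_shown: Set[str] = set()

    def run(self, advisories: List[Advisory], host: Host) -> List[str]:
        pending = [a for a in advisories
                   if is_relevant(a, host) and a.advisory_id not in self.already_shown]
        pending.sort(key=lambda a: SEVERITY_RANK[a.severity])   # stable: keeps feed order within a rank
        chosen = pending[:self.max_alerts_per_run]
        self.already_shown.update(a.advisory_id for a in chosen)
        return [render_alert(a, host) for a in chosen]


# Constructed sample feed and host (ids, versions and signature numbers are invented).
SAMPLE_ADVISORIES = [
    Advisory("ADV-SAMPLE-001", "WinAmp", "5.12", "high",
             "a newly reported bug in how it opens media files",
             "do not open media or playlist files from email or the web until WinAmp is updated"),
    Advisory("ADV-SAMPLE-002", "Windows", "5.1", "high",
             "the Nyxem.E (Kama Sutra) mass-mailing worm",
             "do not open unexpected email attachments today",
             blocked_by_signature=120),
    Advisory("ADV-SAMPLE-003", "Firefox", "1.0.7", "medium",
             "a crash bug in an old release", "update Firefox"),
    Advisory("ADV-SAMPLE-004", "RealPlayer", "10.5", "low",
             "a media-file bug", "update RealPlayer"),
]
SAMPLE_HOST = Host(installed={"WinAmp": "5.12", "Windows": "5.1", "Firefox": "1.5"},
                   signature_version=118)


def demo() -> List[str]:
    """Run the feed once against the sample host; Firefox and RealPlayer are filtered out."""
    return AlertService().run(SAMPLE_ADVISORIES, SAMPLE_HOST)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Running it on the sample host yields two alerts (WinAmp and the worm); a second run on the same service yields none, and a host whose signatures are already at 120 gets only the WinAmp alert. The design choice worth noting is that the relevance check and the wording are separate functions: the filter decides whether to interrupt the user at all, and only then does the text get written, which is the order the post argues for.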