Internet group to consumers: Think security

A coalition of technology companies and others doing business on the Internet have released a list of nine steps they believe consumers and remote workers should take to protect themselves and keep their computers from being used as weapons on the Internet.

The Internet Security Alliance’s (ISA’s) recommendations, as published in its “Common Sense Guide for Home and Individual Users,” won’t be a surprise to most company system administrators, but some of the steps may be new to many Internet users, according to speakers at a Thursday press conference.

In July 2002, the ISA, which represents about 2,500 technology and Internet companies, also released its “Common Sense Guide for Senior Managers,” and both guides are available here.

More consumer education is needed about Internet security, said Orson Swindle, a commissioner with the Federal Trade Commission (FTC). He prefers a proactive approach, with publications like the ISA’s, instead of consumers finding out about security issues when a virus is making the rounds.

“We have long way to go, and we literally do need events every month to raise awareness,” Swindle said. “I believe that good privacy and security practices help build consumer trust and confidence, and without trust and confidence, I am almost certain the benefits of information technology and communication … will never, ever reach their full potential.”

The nine recommendations are divided into seven basic actions and two advanced actions. The seven basic actions are the following:

• Install and use antivirus programs.

• Keep your system patched.

• Use care when reading e-mail with attachments.

• Install and use a firewall program.

• Make backups of important files and folders.

• Use strong passwords.

• Use care when downloading and installing programs.

The two more advanced actions:

• Install and use a hardware firewall.

• Install and use and file encryption program and access controls.

Some of the items are easier recommended than implemented. The vulnerability allowing the Slammer worm, which hit Microsoft servers worldwide last month, was first identified eight months earlier, and Microsoft  issued a patch for it six months before the recent attacks, noted Dave McCurdy, executive director of the ISA.

“There are many people who should have been aware, but had not taken action,” McCurdy said.

Consumers need to pay attention, Swindle said, because their computers can be used to spread viruses and cause mayhem if the owners don’t take active security measures. “We’re all linked together through this marvelous invention called the Internet … with very powerful personal computers,” he said. “If that computer is not adequately protected from intrusions, that computer can literally be turned into a weapons system.”

But speakers at the press conference didn’t lay all the responsibility for Internet security on individual users. Companies, government agencies and individuals all need to be security conscious, McCurdy said.

Companies lax on security and privacy issues could face FTC action, such as the 2002 investigation into the Microsoft Passport service’s security and privacy promises, Swindle noted.

“If you don’t make respect for personal privacy and security of information part of your corporate culture … then there’s going to be an FTC in your future, in all likelihood,” Swindle said. “You can’t have reckless, irresponsible, careless actions concerning privacy and confidential information.”

While the panelists at the press conference agreed that corporations need to be responsible for information security, they disagreed on how to accomplish that goal. Susan Grant, vice president of public policy for the National Consumers League, said additional laws are needed to punish reckless corporations. Businesses and government agencies that store gigabytes of personal information are the most inviting target for computer criminals, she noted.

“Governments, businesses, and organizations that don’t take information security seriously should be held accountable,” she added. “Consumers expect and deserve to have their personal information guarded as carefully by others as we’re asking them today to guard it themselves.”

But Swindle disagreed that more laws are necessary, saying the current fraud and privacy laws the FTC enforce are sufficient to deal with corporate security problems. New laws would scare companies away from innovating, he said.

“The Internet and all that it is has gotten that way because it’s free and open,” he added. “It’s truly evolutionary and revolutionary, and the quickest way to slow that sucker down is to have the trial lawyers encroach on everything that’s been done.”