Be prepared to pay for security

Summary: In an ideal world, Microsoft would make secure software, users would apply patches, and virus writers wouldn't write viruses. But this is not an ideal world, so there is only one option

When one million of your customers have their IP addresses added to a spam blacklist, there is clearly something wrong with your security systems. Just ask Telewest: this is exactly what it experienced in May after 17,000 of its users saw their computers turn into spam bots.

Whose fault was this? The users, for failing to update their security software; the ISP for failing to take responsibility for PCs connected to its network; the spammers and virus writers, for exploiting insecure PCs; or Microsoft (and all these PCs will be running Microsoft software), for producing insecure software in the first place? Obviously, all of them.

But while culpability is widespread, the ability to improve the situation is not. Expecting users to install a secure operating system is as unrealistic as expecting Microsoft to produce one, or expecting virus writers and spammers to realise the errors of their ways and take up employment in a soup kitchen.

The one point in the chain that can realistically be expected to make a difference is the ISP, as we have pointed out before. There is a growing groundswell of opinion that ISPs must take more responsibility for the viruses, worms, Trojans and other malware that travel over their networks.

Perhaps it is recognition of this groundswell that prompted Telewest this week to announce that it is to provide firewall, antivirus and automatic update software to its users. We'll have to see how well it works, but if so many businesses are still having difficulty applying patches and virus updates, what chance do consumers have? A fully managed service seems the best way forward.

Nobody expects free security, and if ISPs need to charge for doing this, then users — that is anyone with an Internet connection — should be prepared to shoulder the cost. Broadband prices are now so cheap as to be negligible, and the ever-falling cost of PCs, notebooks and other devices that connect to the Internet means that any extra cost for security is easily absorbed.

It's not so much a question of can we afford managed security services for ISP customers, as can we afford not to have them?

  • What a load of rubbish!
  • Paying for increased security (services) is one thing. But to stimulate that it'll have the desired effect vendor and supplier liability should also be increased.

    The desired effect being that consumers will adopt that what offers the most and best security for the least amount of money and effort.

    And that vendor and suppliers who refuse to (or are unable to) provide that what their customers are looking for (quality security at low prices) will either be (financially) motivated to do so anyway or go bankrupt.

    Which in turn will motivate vendors and suppliers to do their utmost best to provide such goods and services. Or otherwise their customers will walk away (provided they easily can, so that needs to be addressed as well) and all they get in return for their "efforts" is fine after fine.

    In short. To increase security overall you'll need to have all involved that can make a difference "pay" for bad security. In other words, share the blame and put responsibility in appropriate amounts there where it belongs. But don't point the finger of blame (those who pay in one way or another) at just a part of the equation because that can (and usually will) backfire.
  • So are you suggesting that those of us who *don't* get infected by spambots, viruses and assorted malware should end up subsidising the clean-up for those users who do?

    I can see this as an optional service? But otherwise, I don't think so.
  • Don't agree 100%. I think the answer is to legally and financially responsible make Micro$oft and any other Vendor responsible for security of their software.
    That will drive the cost up, but if they are going to be held accountable, they will spend the proper amount of time required to ensure that their software is secure, create proper provisions as to how the software is to be installed, configured etc.
    I can't just go make a car that doesn't meet certain safety requirements. Nor can I build a building that will fall down, and say 'oops' sorry. Version 1.2 will be better. Same logic with software.
  • Chris, good point.

    One might think of the following. You can go for a supplier that offers the option of not billing you for extra security services but in return you'll be facing additional cost if your PC turns out to be a security problem (e.g.: it got zombied and it's harassing other PCs).

    Kind of like having the option of not paying your insurance premium but in return you'll have to cough up the money yourself to undo any uninsured damage done.

    On the other hand. It might become the case that suppliers will find out that not charging an extra "security insurance fee" is a commercially attractive business plan as long as they provide guidelines and support to their customers as to use what how. Or it may not. Anyway, it'll be what's commercially healthy but meets consumer market needs. Of course, there'll be diversity as to what meets someone's specific needs but diversity is good from a security point of view. Also, the more diversity, the more competition. Which improves quality (of service) yet drives down prices. Because if someone doesn't provide what I need I'll take my business elsewhere simply because I can without it having a negative impact on me. Only positive ones. And that and that alone is what makes vendors and suppliers very customer aware and friendly.

    Again, the benefits of real consumer choice and true open markets are showing here. As in, what works best for most will become dominant yet become obsolete if something better comes along. Which in turn will be a very motivating factor for vendors and suppliers to always be innovative yet keep prices down.

    In short. If you want to improve good security you'll need to put a price tag on bad security (liability). But be sure to place that price tag in appropriate amounts on anyone involved that can make a positive difference. In other words, the risk and cost involved of being and providing bad security should be higher than being or providing good security but not absurdly higher.
  • Why is it unrealistic to expect Microsoft to produce secure software? No other vendor gets to sell a dangerous product and then completely disclaim all responsibility. Neither the users nor the ISPs can make Windows a secure operating system. Only Microsoft can do that, and until Microsoft does, no one else will be able to do more than just emergency triage. If you want the desktop security problem solved, then the costs of insecurity must be made to fall on those who have the ability to fix it.
  • They should just monitor outgoing traffic. If a PC generates lots of outgoing traffic to port 25 that traffic should be scanned for spam patterns and if it is found to be spammy it should be blocked. Outgoing traffic through mail servers should similarly be monitored for spamlike characteristics (volume, and if high, content) and blocked if needed.
    If an ISP does not do this monitoring and instead just hands out free virus scanners etc. then it should just stay on the blocklists.
    There's nothing wrong about giving free software, but it's not a replacement for making sure their system does not send out spam. When they do find a customer whose infected machine sends spam, and after they block that machine from sending more spam, the best thing they can do is politely approach the user and offer help in removing the zombie.
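The volume-based egress check the comment above describes, as an added example that is not part of the original page or any ISP's product. It reads constructed flow records, counts each source's TCP/25 flows inside a sliding window, and flags hosts that exceed a flow count or talk to too many distinct mail servers (a home PC normally relays through one ISP server); the thresholds, record format and sample data are all assumptions for illustration.

```python
"""Flag hosts whose outbound SMTP volume looks like a spam bot.

Constructed flow record format (one per line, time-ordered per source):
    <epoch_seconds> <src_ip> <dst_ip> <dst_port> <packets>
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 300    # assumed 5-minute sliding window
MAX_CONNECTIONS = 50    # assumed: more than 50 SMTP flows in the window
MAX_DISTINCT_MX = 10    # assumed: more than 10 distinct SMTP peers (direct-to-MX fan-out)


def parse_flow(line):
    ts, src, dst, port, pkts = line.split()
    return int(ts), src, dst, int(port), int(pkts)


def find_suspected_spambots(lines, window=WINDOW_SECONDS,
                            max_conn=MAX_CONNECTIONS, max_mx=MAX_DISTINCT_MX):
    """Return {src_ip: reason} for every source that trips either threshold."""
    recent = defaultdict(deque)   # src -> deque of (ts, dst) still inside the window
    flagged = {}
    for line in lines:
        ts, src, dst, port, _ = parse_flow(line)
        if port != 25:
            continue              # only outbound SMTP flows matter here
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:
            q.popleft()           # expire flows older than the window
        peers = {d for _, d in q}
        if len(q) > max_conn:
            flagged.setdefault(src, "high smtp volume: %d flows" % len(q))
        elif len(peers) > max_mx:
            flagged.setdefault(src, "fan-out to %d distinct smtp peers" % len(peers))
    return flagged


def sample_flows():
    """Constructed sample: 10.0.0.5 relays a few mails through the ISP server
    192.0.2.25; 10.0.0.9 sends directly to 60 different remote mail servers."""
    flows = ["%d 10.0.0.5 192.0.2.25 25 12" % (1000 + i * 30) for i in range(5)]
    flows += ["%d 10.0.0.9 203.0.113.%d 25 8" % (1000 + i * 2, i + 1) for i in range(60)]
    return flows


if __name__ == "__main__":
    for host, why in find_suspected_spambots(sample_flows()).items():
        print(host, why)
```

A flagged host would then be rate-limited or blocked on port 25 and the customer contacted, as the comment suggests; the heuristic is deliberately narrow and needs tuning per network.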
  • David. Good point.

    Although I prefer solving causes I think that fighting long lasting symptoms is still better than doing nothing at all.

    ISPs can make a difference I think. They could block well known attack ports (e.g.: 135 and 445) that are not common ports (e.g.: 80 and 443) of the Internet itself. They could install packet filters that drop packets with a DDoS signature. They could filter out obvious spam and infected e-mails (incoming and outgoing) as a mandatory service. They could block access to proven phishing web sites. They could block access to the Internet to those customers of theirs of which it is determined that their PC is infected. They could offer support to those customers that need help in getting and keeping their PCs secure. They could do a whole lot but if they would only concentrate on, say, the Top 5 of problems it would make a difference. And yes, that will cost money. And yes, that will be billed somehow. On the other hand, customers who don't like getting billed for that might go looking for alternative solutions that won't get them billed for that. And if enough do then ISPs will create a new market for that. And if that happens enough then vendors who see their products banned or severely restricted by such ISPs because of security issues will be motivated to produce products that are secure enough. Why? Because it would cost them revenue and thus money if they don't. And that motivates the hell out of them.

    How to motivate ISP's to favour secure solutions? Simply cut into their revenue if they don't. How to motivate suppliers to favour secure solutions? Simply cut into their revenue if they don't. How to motivate customers to favour secure solutions? Simply cut into their wallet if they don't. Not a nice thing to do but so far asking nicely hasn't resulted in anything concrete. As has severely punishing abusers and misusers of insecure products. In fact, it's getting worse so something different (or additional) needs to be done.

    In short. Liability for all involved that can make (some or much) difference in appropriate amounts. If not directly then indirectly.

    Not the best solution but for now the most achievable one I can think of.

    But you are right. Somehow, some way the vendors of insecure products need to be motivated to produce only secure products to achieve true desired results.
  • Be prepared to pay for security Leader

    Mr. AT Alishtari, POA and Founder EDI Secure LLLP, had 3 million emails sent to prominent Americans with spam who were on a Federal list to report sites who sent spam to block them from the Internet. This also hit some of his associates servers turning their servers into robot slaves.

    Basically, this all came from China but it is becoming all too common as a type of extortion. An invisible man will destroy your business and poison your good name unless you pay him a fee. This shakedown is extortion by any other name.

    Cybercrime is addressed by the European Union's Cybercrime Treaty now before the U.S. Senate but each nation must join to stamp out this hooliganism and bank rape of private and public ID and this disrespect for all law and order.
  • Am I prepared to pay for security? Yes, with conditions.

    I'm ready to pay for it after you put it into my hands and prove it works. Sure, I'll pay for peace of mind online but who do I pay when companies lie about their products. I want the system backed up by guarantees and patents and then sure I'll pay for a safe place online for my E-Commerce.

    That's what I think. Ciao now.