One virus alert system won't fit all

Antivirus companies, when issuing virus alerts, use a standard scale to tell us how dangerous each pest is. But that just won't work.
Written by Robert Vamosi, Contributor
When Homeland Security chief Tom Ridge unveiled the new Homeland Security Advisory System, he added five new levels of alert--each distinguished by its own color--to our already crowded color-coded vocabulary. Ridge's plan is only the latest effort aimed at standardizing warning systems in the security community these days. There's even a semi-serious proposal afoot to have antivirus companies conform to a standard warning scale.

I think that would be a huge mistake. There's strength in the diversity of warning systems, if only because they allow dissenting opinions to be heard on whether a particular threat is serious or not.

THE NUMBER OF different alert systems out there seems endless. The military uses a 1-5 DEFCON (DEFense CONdition) rating to show the status of our armed forces. The country is usually placed on DEFCON 1 or 2 alerts (the lowest levels). Computer-security companies use a variation on this classic model. SecurityFocus, for example, now posts a daily Internet 1-4 ThreatCon rank, and the SANS Institute's Incidents.org uses a four-color monitor.

Perhaps the most comprehensive warning system online is GTOC from Internet Security Services (ISS). It not only gives you an AlertCon warning (1-5), but also explains which vulnerabilities lead the company to choose a particular warning level, and often provides links to vendor patches (when available).

Antivirus vendors are all over the map when it comes to alerting the public. Sophos, F-Secure, and Central Command do not use an alert scale. More common, however, is the low, medium, and high rating system used by McAfee, Trend Micro, and Norman. On the other hand, Symantec uses a 1-5 scale.

SO WHY SHOULDN'T we standardize these diverse rating systems? First off, because it's very difficult to compare and rate separate threats for the different segments of the online population. Code Red, for example, affected Web servers, while SirCam was a classic e-mail worm that affected home users. Then there's Nimda, which affected both Web servers and home users. To a home user, Code Red should not be rated a high alert, but to system administrators it should be.

More importantly, a unified scale would tuck all the diverse opinions and views regarding what's serious and what's not into one neat package. As most of us realize, the world of Internet vulnerabilities is not black-and-white.

Yes, it's time-consuming to visit several antivirus and security sites to find out about the latest threats. But it also allows a variety of opinions to be heard. For example, if only two antivirus companies declare a worm to be on high alert, while everyone else thinks that worm is a dud, you may realize you don't need to worry too much about the worm.

TWO SITES I particularly like are created by security companies MessageLabs and Trend Micro. MessageLabs's site tells you how many of its customers have been infected with a given virus. For those who like maps rather than graphs, Trend Micro offers a world map that shows where in the world its customers are encountering viruses. It also lets you view the top 10 viruses in the world, on any specific continent, or within any specific country.

Trend's top 10 list differs from MessageLabs' top 10, but by using these sites together, you can get some idea where in the world a virus is hitting--and where it is not.

I recommend signing up with several antivirus and security companies--even those whose products you don't use--just to get a few different perspectives. I also encourage these companies to continue to offer competing, even contradictory information, and to not conform. We're smart enough to figure it out for ourselves--really.

Do you favor a standardized rating system for viruses and other security threats? Why or why not? TalkBack to me below.
