I must say Im surprised at the flood of mail I got from my last column, which suggested that ISPs get more aggressive about security. Ill be following it up after I do some more research, but something a vendor said to me recently was both interesting and related.
The vendors argument was that consumer computing is beginning to resemble corporate computing more and more, largely as a result of the increasing percentage of notebooks being sold to consumers.
In fact, they said that notebooks are now the majority of computer sales to consumers. This may be old news to everyone else, but it hadnt clicked with me yet. The vendors point had to do with physical security, saying that 10 percent of all notebooks will be stolen at some point. Oh well, physical securitys another good topic I ought to get back to.
But it also means that consumer computers are becoming more like corporate computers in terms of security. Many of the concerns we have for corporate notebooks apply just as well to home notebooks in the current environment.
A desktop computer at home protected by a security software that is kept up to date is hardly invincible, but its pretty well-protected. The vast majority of garden-variety attacks it is likely to encounter will be stopped, especially if the user doesnt engage in gratuitous risky behaviors, such as surfing arbitrary porn sites and following links in unsolicited e-mails.
All of this follows for home notebooks as well, but they have numerous other concerns. Users with notebooks, even home users, often take those notebooks out of the base network to other locations. They connect to the Internet in hotels. They go to coffee shops. They go to college and connect there, or at friends houses. Maybe they even go to Mom and Dads house and connect through their wireless router.
When they are out on the road in this way, they may be exposed to more risks than they are used to, and their local defenses, such as a personal firewall and anti-virus, may not be as formidable as they are at home, where perhaps they have a better (or at least different) perimeter defense. They may end up subject to attacks for which they are unprepared, such as “evil twin” attacks by rogue wireless access points.
If they become compromised in some way and they come back home and reconnect to the network, the odds are good that other systems on the network will be compromised as well.
All of these are old stories to business network administrators, and doubtless there are still many businesses, generally the smaller ones, that are as vulnerable as the average home. But for many years there have been tools available for businesses to protect themselves, consultants to help set them up and an understanding that vigilance is necessary.
Home users are still, by and large, clueless about all of this, even as the computer industry sells them more and more dangerous equipment. Its something like putting a truck in the average drivers hands and calling it an SUV. Some people just dont know how to drive those things, and dangerous situations ensue.
To me this phenomenon reinforces my arguments that ISPs need, in the long term, to act more like responsible IT departments and use products and techniques to enforce rules that to many people now might seem intrusive.
Its not the same thing; in a business your computer belongs to the company and you dont (or at least you shouldnt) have the same rights, for instance to privacy, that you should have with respect to your ISP. But you cant demand security and then deny any tools to implement it, especially when users are exposing themselves and everyone to all manner of dangers. Without a middle ground things will only get worse.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
More from Larry Seltzer