It’s quite obvious that with every passing day the world is becoming more and more dependent on IT and the Internet, to the extent that many governments rightly include these when considering their “Critical National Infrastructure”. Internet-borne threats can clearly do much damage to all kinds of businesses, large or small.
But what can a small business, for example, do to help protect itself? They’re too busy being grocers or mechanics or gardeners to learn about IT security. They don’t have the budget to hire someone to take care of this. A lot of the time they aren’t even aware of what they need to be aware of, because they’re grocers, mechanics and gardeners, not IT security geeks. IT is often pivotal to the day-to-day operation of their business, and a security incident could prove catastrophic.
Wouldn’t it be great if a small business had access to somewhere they could go to get relevant advice and share information? A community where:
- Everyone has something in common; perhaps profession (e.g., lawyers, local government, etc.), or membership of a local traders’ association, etc. Ideally, at least one of the members should have some IT security expertise; this person need not be drawn from the membership demographic.
- Members can get a single tailored feed of security information that is relevant to their specific needs (someone who uses Windows XP and Office 2007 has no need to know about flaws in Debian’s random number generator, for example, nor do they want to have to draw this information from multiple sources).
- Members can ask for advice from each other. Initially, most of this would come from the resident IT expert, but as the community learns they’ll start to help each other.
- If the community is kept small and focussed, the trust between members will grow. As trust builds, people will hopefully feel able to start sharing their own experiences, both positive and negative, without worrying about any kind of bad press or reputation damage. Sharing the story of “I got hacked, here’s how I found out, and here’s what I did to prevent it from happening again” would be of great benefit to all, but people aren’t going to tell it if they don’t trust the people they’re telling it to.
I think that this sounds like a pretty reasonable concept. It isn’t my concept of course; it’s a summary of what the UK’s Centre for the Protection of National Infrastructure calls a “Warning, Advice, and Reporting Point” (WARP). Without wishing to reproduce too much of the WARP website, a WARP provides three core services:
1. Filtered Warning Service – where members receive only the security information they need, selected via an on-line tick-list;
2. Advice Brokering Service – where members can learn from other members’ initiatives and experience, possibly through a members’ bulletin board;
3. Trusted Sharing Service – where reports are anonymised so that members can learn from each other’s attacks & incidents, without fear of embarrassment or recrimination.
How is this different to the myriad of tech support websites already on offer? The intimate and closed nature of a WARP facilitates the building of trust that you just can’t get when a site’s membership is world+dog. Trust leads to a more open sharing of information, and “sharing is protecting”.
The Australian government has a similar strategy, the Trusted Information Sharing Network, and there’s even a working draft for an ISO/IEC standard (27010) for the sharing of security information. WARPs can also share information with other WARPs, not just their own members, who can be from all kinds of organisation or demographic.
I’m enthusiastic about the concept, and we’re looking into setting up a WARP for one of a number of communities that we have ties to. Recently, we attended the WARP annual forum with the aim of learning more and meeting people who could help us get the ball rolling. The morning presentations were really useful (including a great animation from the Hitachi IRT), and lunch was jolly nice too (some of the afternoon sessions appeared to be verging on being sales pitches, but I can’t comment because we unfortunately had to leave the event prematurely).
The event served as good encouragement for setting up a WARP – with a bit of luck, this won’t be the last time I mention them!
Alec Waters is responsible for all things security at Dataline Software, and can be emailed at alec.waters(at)dataline.co.uk