Little green idol
“a consumer doesn’t need protection from phishing attacks when visiting your personal blog or Star Wars fan site, or even your company’s brochureware site. It’s only where the actual commerce takes place.” And, of course, he has a point: if you concentrate on the transactional business parts of the web, rather than trying to cover everything, then EV SSL makes much more sense, or at least you’d think so. However, Callan reports that one of the arguments against adoption he hears from some businesses evaluating EV SSL is that there’s no benefit for them until their main competitor – business B – also starts using it.
This is what Callan calls an “evaluation fallacy”, and what I call a bloody big business blunder. Waiting for your competitors to implement a security solution before you do is probably the most ridiculous argument I’ve ever heard. As Callan goes on to say: “If your competitor started sending big boxes of poo to its frequent customers, would you run out and start sending poo to your own customers as well?” I’m not sure I’d have chosen this box of poo analogy myself, but it does strongly make the point that anything that helps validate the trustworthiness of a transactional website has got to be good news. When it comes wrapped up in something as obvious as a big green address bar that news is easy enough to understand, and that should be as true for the transactional business at one end of the line as it is for the consumer at the other end.
WARP speed for security
I first heard of a WARP back in 2005 – and even then it turned out it had already been around for a couple of years – yet rather surprisingly at least half the information security professionals I talk to have never heard of it, and among anyone outside the security business that figure rises to 99.9%. So assuming you’re not in that extremely clued-up 0.1% minority, I’ll explain exactly what a WARP is and why the heck you should care about it. A Warning, Advice and Reporting Point is quite simply a small and focused security community for sharing advice on threats, exploits and solutions, and simplicity is at the very heart of the WARP concept.
The brainchild of the Centre for the Protection of the National Infrastructure (.cpni.gov.uk), and originally developed to help protect national communications systems from tampering, WARPs have remained small while expanding to fulfil a broader security brief. A WARP will be no larger than 100 members at the very most, and more typically between 20 and 50, in order to ensure the community focus is retained. What you end up with are numerous small and discrete security communities, each with a select and secure membership, rather than a handful of huge, impersonal and unfocused security resources that end up too diluted to be anything more than generic and of broad interest.
Neighbourhood Watch for the IT crowd
WARPs function by having a single security-savvy operator at the helm who steers a course through the specific security information needs of a highly targeted, but not so savvy, community of members. The information is propagated by way of websites, email, SMS and telephone messages, and the community supplements this by encouraging members to become involved in forum-based discussions as well. As a small, local, targeted and not-for-profit community-driven resource, a WARP is pretty much the online equivalent of a Neighbourhood Watch scheme.
It’s vital, in my never very humble opinion, to understand how important it is to the success of a WARP that the community is largely less savvy regarding IT security than the operator. It isn’t as if the information being distributed can’t be found elsewhere – it’s all out there online for those who know where to look for it. Indeed, I’ve heard it said that if a WARP community is too savvy it’ll most likely fail, and the reverse is just as true. Keeping on top of security information is a non-trivial matter for most businesses, and a lack of trust can often prevent people from sharing details about attacks they’ve encountered.