In search of sensible security advice

Where does one turn to find objective, authoritative advice on security issues?

Certainly not the vendors, if the recent reports of a security flaw in Internet Explorer are anything to go by. There’s a fair bit of spin or FUD in the announcements made in the last few days by Microsoft and its rivals. You have to carefully analyse the weasel words to get at the truth.

Nor can you rely on advice from governments, who seem to have created a hostage to fortune by recommending a temporary switch to other browsers. What does that mean? When will it be safe to go back? Are we talking days, weeks, months or years?

Security advice needs to consider the full range of circumstances. The size of the risk depends on many variables: products, versions, settings, behaviour, business impact, and of course the modus operandi, targets and capabilities of the attackers.

If Government wants citizens to use the Internet, then it needs to develop a more sophisticated approach to responding to vulnerabilities. Products cannot be judged to be fine one day and unsuitable the next. Security flaws in products are inevitable. We need defence in depth and better citizen education, not last-minute panic warnings.