bodyType

customContents

entityId

entityUuid

articlePageQuery

filter

article

articleBaseAdvertisingInfoArticle

articleListArticle

articleSeoArticle

hooksArticleAcknowledgementGateOverlayArticle

hooksTrackPageViewArticle

hooksContentInterestArticle

articleLinkingDataContent

hooksAmpRedirectArticle

articleSchemaContent

liveArticle

advertZone

sentiment

contentLock

topics

types

sections

paywallTypes

createdDate

publishedDate

sponsorType

urlAlias

moreOnThisArticles

commentCount

authorLocations

authors

corrections

displaySlideShow

multimediaEmbed

printHeadline

seriesContainer

articleSpeeches

socialHeadline

headline

images

flag

firstTopic

glossary

flattenTypeIds

image

relatedLinks

relatedNewsletters

__typename

sponsor

pdfFiles

seriesReverseOrder

series

disableOffPlatformContent

published

updatedDate

summary

subHeadline

body

keywords

readingTime

customTimezone

liveContents

While many companies believe technological solutions are the answer, an American expert urges making it easier for end-users to do the right thing

THE FACE OF computer security may have changed over the past 25 years but the underlying threats have not and end-user habits continue to play a key role, according to an American expert who recently relocated to Hong Kong.

Thomas Parenty, an independent security consultant, used to work for the super-secretive National Security Agency (NSA) in the United States, has a patent pending on internet encryption and has written a book on digital security.

He has also testified before the  US Congress on security matters pertaining to  the mainland.

'From one perspective, over the past 25 years fundamentally nothing has changed. There are just so many more computers to attack now. We all knew about these attacks back in the 1970s and '80s,' he said.

'We knew how to stop them then as well. If programmers checked user input so that it was what they were expecting, most viruses today would not exist.'

When Mr Parenty was  with the NSA, it had the most sophisticated computers and networks available. But computers numbered in the thousands at that time, not in the tens of millions as is the case today.

'There is now a demand for security consultants and products that did not exist when I was starting out,' he said. 'Not only are there many more computers in the world today that you can see, but there are huge numbers of them embedded in almost every appliance and electronic device on the planet.

'The opportunity to break in and have bad things happen is so much greater today than ever before.'

Another big difference  today is that a great deal more data can be found on computers.  That means  that there is more in digital form to steal. Protecting that data has become a multibillion-dollar business.

Because there are so many solutions available, many companies and managers become quite confused about the essential issues.

If ever the term 'silicon snake oil' was truly applicable, it must surely be in this area. Some companies attempt to persuade their customers that a purely technological solution will work, but Mr Parenty is doubtful about that.

'Any place where an end-user has to do something relevant to security, he will do it wrong. What you need to do is design your security technology to make it easier for the end-user to do the right thing,' he said.

When he is given the job of analysing the security of a system, he looks at the functionality of the whole setup. He looks for areas where fairly common behaviour could compromise the system.

One   example is the advice given by nearly all the experts for users to choose really difficult passwords. It is almost sacrilegious to argue against that. But Mr Parenty said this was a big mistake.

'If you make people use difficult-to-remember, random combinations of letters and numbers, you are guaranteeing that they will write it down somewhere near the computer so they can look it up.

'They will not remember it and you will have achieved the exact opposite of what you wanted,' he said.

Asia has long fascinated him  and  after many years of studying Chinese culture, Mr Parenty recently moved to Hong Kong.

He has set up a consulting company for security issues and has begun to formulate some ideas about how the subject is approached  in Asia as opposed to the United States.

'There is a huge difference between Asia and America in the way they approach security. The level of sophistication in America is greater because we have been doing it for a long time,' he said.

But Asia was not some monolithic place where everything was the same.  Each part of the region approached the subject in different ways, Mr Parenty said.

'I see a substantial difference depending on where you are. Singapore, for example, is more sophisticated than Hong Kong. The recognition of the technology and policy issues is far better. Japan as well has a better appreciation of the need for deep security,' he said.

The problem in  the SAR, according to Mr Parenty, was derived mainly from two things.

'The fact that Hong Kong doesn't have a military underscores one of the fundamental reasons for its lack of understanding.

'There is also a complete lack of fear of attack. 'Who would attack Hong Kong?' they ask. It almost seems to be the price one pays for the extraordinary safety one enjoys here,' he said.

It would seem that without a sense of paranoia, it was difficult to be serious about security.

'One of the fundamental issues of security is that you have got to persuade people that others will attack you,' Mr Parenty said.

'It requires a sense of danger to begin to understand the issues surrounding security.'



Good habits may offer best defence