By Jonathan Yarden
In my experience, most people believe that security is always someone else's problem to deal with. Whether you're talking about the IT department, software vendor, programmer, or end user, the issue of security is a hot potato that no one wants to handle until they can't avoid it.
Of course, any system security is only as good as the last point of attack, and you can never really be sure of your security until someone tries to compromise your system.
When it comes to gauging security, both Akamai Technologies and America Online now have a new point of reference. Each company has suffered a nasty security incident and resulting press coverage this month.
Akamai is a large distributed Internet services provider, and its customers include Yahoo, Google, Microsoft, Apple Computer, and dozens of other large companies. Akamai is a "provider's provider"; it has massive resources dedicated to distributing Internet content. According to Akamai's Web site, the ISP routinely handles 15 percent of total Internet traffic.
On June 15, a distributed denial-of-service (DDoS) attack blocked nearly all access to a number of Akamai customers. While the attack focused on Microsoft, Apple, Google, and Yahoo, it caused problems with Akamai's ability to process DNS requests for all of its customers.
On June 23, America Online suffered its own unfortunate turn of events when the story broke that authorities had charged one of its (now former) employees with stealing 92 million AOL customer screen names and selling them to a Las Vegas Internet marketer, who sold the list to other junk e-mailers. This is a classic case of an information security breach, despite the low-tech approach.
But when it comes down to it, the details of these two incidents aren't nearly as important as the potential fallout for the companies. While AOL claims there was no loss of credit card information, that doesn't reduce the severity of the incident.
And according to an Akamai press release, the actual outage, which lasted about two hours and 15 minutes, significantly impacted less than 1 percent of its customers. If you do the math, that's 2.25 hours of downtime out of 720 total hours (24 hours a day times 30 days), which comes out to an average uptime of 99.69 percent.
At the end of the day, both current and potential customers won't remember that Akamai delivered an average uptime of 99.69 percent or that AOL didn't lose any members' credit card numbers. Instead, they'll remember the articles they read about the companies' problems, and the perception of problems is often strong enough to cause the reality of lost customers.
In general, those who refuse to take charge of their own information security often embrace the perception that a security breach is always someone else's fault. But neither Akamai nor AOL is a company that takes security lightly, and sometimes security breaches occur despite a company's best efforts.
However, because many customers lack a general understanding of information security, they're unable to differentiate between a company's negligence and plain bad luck.
Jonathan Yarden is the senior UNIX system administrator, network security manager, and senior software architect for a regional ISP.