(1) Field of the Invention
This invention relates to a method and apparatus for ensuring secure use of computer systems, in particular to a system which is capable of assessing the security of a user and to a system which provides differential access and/or functionality to a user based on their security assessment and which educates users in computer security.
(2) Description of the Art
Businesses are increasingly providing and maintaining various computer-based services for users to access and use, for instance via the internet. For example, there is continuing growth of on-line retail services where users can purchase goods and/or services on-line. There is also growth in financial institutions offering on-line services, for example on-line banking.
Computer security is obviously a concern. Viruses and the like can cause a reduction or loss of service which can impact the business. Indeed, deliberate denial-of-service attacks by criminals seeking to extort money in return for restoring service are increasing. Furthermore, on-line fraud, identity theft and the like are increasing, with a significant impact on businesses and consumers.
The businesses providing on-line access to their computer systems, and on-line providers of services generally, take steps to ensure the security of their computer systems and to protect their systems from attack. However, these businesses generally have no direct control over the security measures implemented by the users of their on-line system. The providers of a service may initiate an encrypted connection to allow access to their system and may require some form of identity check, such as entry of a password, but this may not be adequate if the user's computer is not itself protected against attack or if the user commits some security lapse.
Some users may have taken adequate precautions to protect their own computer systems from attack, such that the security measures implemented on access are sufficient; however, other users will not have taken such precautions. Indeed, many users may not be aware of the security measures that should be implemented, or may be unaware that their computer system is vulnerable.
There is a great deal of information available about the security measures that users can take to protect their computer systems and about general good computer security practice. However, some users will not know where to find such information, nor how to act on it.
There are also software tools available which allow a user to test the security of an aspect of their computer system. For instance, Gibson Research Corporation provides an internet tool which performs a user-initiated vulnerability scan of a personal computer, checking, for example, firewall security and the basic security of the computer system. The user can then act on the results of this scan, or not, as they decide. Tools such as this are useful, but they require the user to be aware of their existence, to perform the scan and to act upon the results.
Security tools also exist which can automatically check workstations for security breaches, or for vulnerability to security breaches, and disallow access to certain functionality if the workstation is not secure. International patent publication WO02/003178 discloses a method of network assessment and authentication which performs a security assessment on a workstation prior to allowing access to a network service. US patent application US2004/0158738 discloses a security management device which restricts access of a terminal in accordance with the security condition of that terminal. EP1158754 describes a client-server system having a security system for controlling access to application functions based on a security policy which determines the security requirements.
The above-mentioned systems provide automated checks for defined security measures as set out in a security policy. These systems are intended for use in a corporate-type environment, where an organisation can and does mandate security policy for the users of its network facilities. For a business trying to encourage customers to use its network facilities, mandating the security requirements may not be possible. Imposing security requirements which some customers may not understand may result in such customers being put off from using the services. Denying customers any access may likewise damage customer relations.
Unlike the corporate environment, where corporate security policy can clearly allow automatic computer security checks and updating of employees' workstations, in the non-corporate setting it may not be possible or desirable to alter the security settings of a remote user's computer system without their express permission. However, many users may not understand the question if asked, or may not want to change their settings but still want some access.