NetSec Letter #13, 23 October 2001
Afterthoughts and Lessons to Learn

Fred Avolio
Avolio Consulting, Inc.
http://www.avolio.com/

In my last letter I promised that this month I would take this space to address security in light of the recent tragedies. What can we learn just 5 weeks after the event? What can we apply to how we address threats and vulnerabilities in the network security arena? Most lessons reinforce what we already know. Some remind us that total security doesn't exist in a usable system, and that "good enough" -- though not always good enough -- is the best we can do.

The Easy Things

  1. Security and usability in balance. We are striving for equilibrium. We want a situation in which we can work while still maintaining a certain level of security. We want to -- oops, I made a classic error. In security, we have to care about requirements or needs. We cannot afford to deal with wants or desires. We need, and our economy needs, to be able to travel long distances in a short amount of time. We needed to get commercial airplanes in the air again. We need to be able to travel in such a way that balances travel needs and security. Do we need to be able to show up at the airport 30 minutes before our flight, and make it to the gate on time? No, we do not. It is a convenience.
  2. Less is more. On that morning the FAA ordered all planes flying over the US to divert to the nearest airport. Those of us who live near commercial airports remember the eerie realization that it was the silence and the lack of contrails in the sky that was so disquieting. Ratchet up the level of security to 100%, and you get what we had for airline travel in the few days after the attack. You do this in time of emergency. How do we know the good guys from the bad? How do we know which jetliners might be considered missiles? Get the good guys out of the sky. The principle demonstrated is important. The fewer potential attack agents, the fewer avenues of attack, the easier your task of protection and detection can be.
  3. Know the enemy, know the risk. Fairly quickly the US government suspected Osama bin Ladin and the al-Qaeda terror network. Fairly quickly some people in the US turned their anger on immigrants -- in some cases, fellow citizens -- who looked like they might be from the Middle East. We cannot defend our homeland effectively if we waste time and effort perpetrating crimes against law-abiding visitors or fellow Americans. We cannot defend our networks, and so our businesses, if we don't know what the threat is, from whence it might come, and how likely it is to happen.
  4. The insider risk. We know this very well. Inside attackers have it made. Insiders have more access, usually more trust, and so the potential damage is greater. Sometimes just being an employee, having the right badge perhaps, gives someone universal access. An attack is always easier if you are already inside. The terrorists were ticketed passengers. They did not have to force their way onto the planes in mid-flight. Also, there is evidence that some used, or attempted to use, false credentials and airline pilot uniforms.

The Harder Things

  1. In network security, threat postulation is a guessing game. We always make educated assumptions. Sometimes we get them wrong. Prior to September 11, procedures for dealing with an attempted hijacking of a commercial jetliner assumed that the hijacker wanted to live. Should we protect our networks against all possible threats? Can we? First, the easy answer: "no, we cannot." Somewhat harder is the answer, "no, we should not." Typically, we cannot afford it. Not for our networks, not for our national monuments and skyscrapers. We cannot do it 100% and still be free. So we make tradeoffs. For our network security, we sometimes allow for a less secure posture in the interest of what we judge is a more important requirement. Furthermore, some would argue that until the threat is actuated, until it occurs for the first time, it does not exist.
  2. Network security remedies must be effective, not just look effective. If not, they are useless and a waste of money. In the aftermath of the attacks, there were (again) discussions of banning or severely curtailing the use of cryptography because perhaps the terrorists used cryptography to keep their plans secret. Changing crypto laws in the US, or worldwide -- were such a thing possible -- will not keep cryptography out of the hands of bad guys.
  3. They must be relevant; they must address the problem. A friend reported that United Airlines First Class was using plastic utensils. My wife had to break off and hand over the 1" metal nail file from her fingernail clippers to get through airport security at BWI. Because a metal serrated knife is an effective weapon? Because they have been used by hijackers in the past? Because a nail file is dangerous? No. I fear it is because we have fallen into the trap of "if we don't know what to do, do something anyway." A 2-hour line to get through security certainly makes it seem like something is being done. Yet I suspect no one is requiring people to leave their roller ball pens behind. So, remedies must protect your systems, and not just be for show. (Okay, sometimes doing something "for show" is justified and useful, but we must never start believing that it is for any other real purpose lest we start depending on it for real security.)
  4. Remedies also must support the business requirements. No one has suggested it, but the obvious way to make sure this never happens again is to ground all high-speed commercial air traffic forever.
  5. Remedies should make things more, not less, secure. We add devices and technologies to our networks with the idea of making them more secure. Sometimes it works. There has been discussion in the past few weeks about an option to shoot down commercial aircraft rather than face such a disaster again. The question has been asked, could faster scrambling of interceptor fighters authorized to shoot have averted the disaster at the WTC or Pentagon? Weighty questions. The question of whether you sacrifice hundreds of people in order to save thousands is not so hard. "Where do you drop a 757 flying over Manhattan?" is more difficult. We do not have the technology to cause a plane to avoid populated areas after we shoot it down.


Promotions, Self and Otherwise

  1. Dave Piscitello wrote about air travel security in the September 14, 2001 TISC Insight, (Volume 3, Issue 17) at http://tisc.corecom.com/newsletters/317.html.
  2. On the same date, Bruce Schneier in his CRYPTO-GRAM wrote, "Both sides of the calendar debate were wrong; the new century began on 11 September 2001." Find it at http://www.counterpane.com/crypto-gram-0110.html.
  3. I wrote a column for WatchGuard called "From Zero to Expert in Your 'Spare Time'," and you can find it on my web page at http://www.avolio.com/columns/Zero-to-Expert.html.
  4. I comment on the -- short-lived, I hope -- renewed crypto debate for an article at searchSecurity.com. Go to http://www.searchSecurity.com/, and look under "searchSecurity exclusives" and you may find it. You could try this ugly URL if you are feeling lucky: http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci772551,00.html.
  5. I reviewed an e-mail security product called IronMail (from CipherTrust) for Information Security Magazine. It's in the print edition and on-line at http://www.infosecuritymag.com/articles/october01/departments_products2.shtml.
  6. I'll be teaching "Internet Security Tools and Techniques" (http://www.avolio.com/courses/tools+techniques.html) for CSI at the DC conference on November 1 and 2.