NetSec Letter #22, 1 November 2002
Security Awareness Musings from the Friendly Skies

Fred Avolio, Avolio Consulting, Inc., http://www.avolio.com/

I write this on a flight from Denver to Baltimore, returning from teaching at MISTI's WebSec 2002 (www.misti.com). I have 3 things in my pocket from my flight from San Diego. I put them there because each brought to mind some important guidelines we can apply to computer and network security awareness training.

Plastic knives

The first thing I take out of my pocket is a knife from breakfast (clean, unused). It is plastic. The knives in first class are still plastic. (The forks and spoons are metal.) I have mentioned this before,  but please read on for a few more thoughts.

I am still unable to get anyone to tell me why they've removed the metal knives. I have assumed that it is as a deterrent, keeping a potential weapon out of the hands of bad guys. There may be another possibility. What if UAL has removed metal knives to make a statement? What if they want to keep reminding us that things are not as they used to be? Okay, I admit that's lame. How about this: it is so first class passengers will feel safer. Perhaps the sight of metal knives on the tray will cause people to worry needlessly. Possibly people would complain.

Yes, also probably untrue. What can we learn then? First, make sure security controls mediate or mitigate real risk. The risk of a take-over of an airplane, or even of a crazed passenger attacking another with the metal knives they *used to* have, is about the same as the risk with the new plastic knives (nearly zero). Come to think of it, the risk with plastic is slightly higher. This plastic knife is not pointy or sharp and neither were the metal. Unlike metal, however, it can be broken with little effort, producing a sharper, pointier "weapon." (*Please* don't mention this to United!)

Second, if the controls do nothing, then get rid of them, unless the cost of "going back" is too great. In this context, "cost" means *total* costs including usability, maintenance, image, etc.

Drinks and questions

The next is an article from the Associated Press that was in this morning's (8/23/02) San Diego Union-Tribune. The headline is "Drinks now OK at airport security; annoying questions may be dropped." If you travel at all, you know the "questions" referred to are "Has anyone unknown to you asked you to carry an item on this flight?" and "Have any of the items you are traveling with been out of your immediate control since the time you packed them?" I'm not so sure I'd call them "annoying." The article pointed out that "many passengers question [their] value, since anyone with something to hide ... would not be truthful."

When you have a security control in place, and users interact with it, make sure they have some understanding of its purpose. If they don't understand it, maybe they need education. Or maybe you have to tweak the control. Every control should be periodically evaluated for effectiveness and relevance. The questions are not to stop bad guys from carrying weapons onto a plane. There are other controls in place that attempt to deal with that. They are to try to stop someone who is not a bad guy from unwittingly doing the bad guy's dirty work. According to the article, the only cases of this happening -- quoting the FAA -- "involved men who deceived their girlfriends into carrying explosives onto planes." The article said the Transportation Security Agency was "reviewing the questions." Good. But they needn't stop asking questions. [They have stopped, based on the flights I have taken since then]. Security awareness is important. It involves education. In this case, the concern should be communicated in a different way that clarifies the concern and more directly raises people's awareness of the threat. Maybe different questions are needed.

Educating our users about reasons helps them see policies in the correct light, and those that seemed foolish may seem sensible. We were always allowed to send liquids through the X-ray machine. But only in closed containers. This is to protect the machine from the problems of spilled coffee, etc. on the belt. Now, we can also *carry* them through the metal detector. This is a good thing, as is all periodic re-evaluation and adjustment of controls and policies. Also, it allows for using principles as rules, rather than having many detailed rules (kind of like the way we are to apply the “10 Commandments”).

Profiles

The third and last item I take out of my shirt pocket is another article from the same newspaper. From the Reuters News Agency, this headline is "Airline trade group calls profiling key to thwarting terror." The Air Transport Associate of America has complained about the cost of "bomb sniffing" machines, and suggested that the US federal government pick up the cost rather than airports. Further, they recommend that the bigger bang for the buck is to rely more on profiling and intelligence gathering "to identify would-be terrorists."

I travel a lot. I've seen more than a few senior citizens randomly pulled out of line for searches. On this trip, the elderly woman was traveling with her extended family (young children included) and was in a wheelchair. If we must, we must. But, I'd like to know that people who might be more likely to be terrorists would also get a second look. The risk of a 93 year old woman, such as my grandmother, being a terrorist is zero. The risk of a young family with 3 little kids being terrorists is zero. Enough is enough. Risk assessment is vital. We shouldn't waste the time and energy of the TSA people on searching my grandmother. Okay, maybe we don't know 100% who may or may not be a possible attacker. We do not need to. We have a fairly good idea who probably is not. It does not have to be 100%.

Promotions, Self and Otherwise

My October "Just the Basics" column in Information Security Magazine, is "Practical Incident Response." Please read it at http://www.infosecuritymag.com/2002/oct/justthebasics.shtml.

On the same subject, I have a new course -- developed with TruSecure Corporation -- called "Investigative Response." Please check it out at http://www.avolio.com/CourseDescr.html.

November 11--15, I will be at the CSI 29th Annual Computer Security Conference and Exhibition in Chicago. I'll speak on wireless security, on applying synergistic controls, take part in a VPN panel, and teach "Internet Security Tools and Techniques.” (See the course description page above.)

Check out my speaking and teaching calendar at http://www.avolio.com/calendar.html and courses and services at http://www.avolio.com/services.html.