Those of us who travel through any U.S. airport are used to the inconvenience of airport security - the long lines, metal detectors, having to take off your shoes, belts, earrings, and of course the ominous "liquids and gels" inspection. While most people accept these inconveniences as an unfortunate necessity, much of what has been implemented shares some of the common pitfalls found in many computer and network security programs. Using the U.S. airport security model as an example, let’s take a look at some of the security being implemented and relate it to security gone wrong in the enterprise:
Throwing Technology at the Problem - Airports are equipped with some of the latest security technology, such as full body scanners and x-ray machines, yet breaches still happen. Most of us who have served in a security role in an organization are all too familiar with this problem. The typical knee-jerk reaction from management to a security problem is to buy a product, such as a firewall, and install it on the network. Technology is important, but the process and people that surround it are what really make it work. The key to success is training the people who administer the firewall and the other security measures, so that those measures are actually used properly. Policy also needs to exist and be enforced, so that the business can operate securely.
The dreaded long lines at airport security are a by-product of the current security model at U.S. airports.
Being Reactive Rather than Proactive - There is no question that some aspects of airport security in the U.S. are driven by incidents. For example, the infamous "shoe bomber" attempt of December 2001 eventually resulted in passengers having to remove their shoes while going through airport security checkpoints. Eight years later, in December 2009, a bomber hid explosives in his underwear, and I hate to think where this is going if we carry this model forward. These two incidents illustrate that a reactive approach does not learn from previous flaws. In both cases the attacker hid an explosive device on his body, and in both cases the security measures in place did not detect it; it was left to the passengers on the plane to do so. Organizations tend to implement the same reactive security measures in response to breaches. For example, if a SQL injection flaw was used to steal sensitive information, a web application firewall may be installed and configured to block that type of attack. However, this will only stop a certain number of attacks, as attackers work around the new control and find ways to slip past it using different encoding methods or attack strings (hiding the bomb in underwear rather than shoes). The underlying flaw, the query that splices user input into SQL, is still there.
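To make the SQL injection example concrete, here is an added illustration (not code from the original post, and not a Tenable product or any real WAF): a naive "union select" signature of the kind a WAF rule written after the first incident might use, the encodings that slip past it, the normalization that closes those particular gaps, and the parameterized query that removes the flaw itself. The payloads, table name, column names and rows are all constructed for this example.

```python
"""Added example: why a signature-based WAF rule is a reactive fix.

A naive 'union select' signature, the encodings that slip past it, the
normalisation that closes *those* gaps, and the root-cause fix
(parameterised queries) that does not depend on guessing the next encoding.
Payloads, table and column names are constructed for this example; no real
WAF product or network is involved.
"""
import re
import sqlite3
from urllib.parse import unquote

# Constructed attack payloads: one injection in several disguises.
PAYLOADS = {
    "plain":        "' UNION SELECT password FROM users--",
    "mixed_case":   "' uNiOn SeLeCt password FROM users--",
    "url_encoded":  "%27%20UNION%20SELECT%20password%20FROM%20users--",
    "double_url":   "%2527%2520UNION%2520SELECT%2520password%2520FROM%2520users--",
    "sql_comments": "'/**/UNION/**/SELECT/**/password/**/FROM/**/users--",
}


def naive_waf_blocks(value: str) -> bool:
    """Rule written after the first breach: match the attack string seen
    in the logs, case-insensitively, against the raw parameter value."""
    return "union select" in value.lower()


def normalize(value: str) -> str:
    """Undo common evasions before matching: URL-decode twice (covers
    double encoding), strip inline SQL comments, collapse whitespace,
    and case-fold."""
    for _ in range(2):
        value = unquote(value)
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)
    value = re.sub(r"\s+", " ", value)
    return value.lower()


def normalized_waf_blocks(value: str) -> bool:
    """Same signature, applied to the normalised value."""
    return "union select" in normalize(value)


def waf_results(check) -> dict:
    """Run one WAF check over every payload variant."""
    return {name: check(p) for name, p in PAYLOADS.items()}


def demo_db() -> sqlite3.Connection:
    """In-memory table with constructed rows standing in for the
    application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(username TEXT, password TEXT, role TEXT);
        INSERT INTO users VALUES ('alice', 's3cret', 'user');
        INSERT INTO users VALUES ('bob', 'hunter2', 'admin');
    """)
    return conn


def lookup_role_vulnerable(conn, username: str) -> list:
    """The flaw the WAF is papering over: the parameter is spliced into
    the SQL text, so a quote in it changes the query's structure."""
    sql = f"SELECT role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_role_fixed(conn, username: str) -> list:
    """Root-cause fix: a bound parameter is only ever data, whatever it
    contains and however it was encoded on the wire."""
    sql = "SELECT role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    print("naive:     ", waf_results(naive_waf_blocks))
    print("normalized:", waf_results(normalized_waf_blocks))
    conn = demo_db()
    print("vulnerable:", lookup_role_vulnerable(conn, PAYLOADS["plain"]))
    print("fixed:     ", lookup_role_fixed(conn, PAYLOADS["plain"]))
```

The naive rule catches only the two variants that look exactly like the payload from the incident; the normalizing rule catches all five, but only because it anticipated those specific tricks. The parameterized query returns nothing for every variant without knowing any of them, which is the difference between reacting to the last attack and removing the flaw.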
Not Monitoring Effectively - One of the most successful airport security models comes from Israel, where behavioral profiling is used to identify potential security threats. The TSA appears to do some behavioral monitoring, but it seems misdirected. For example, the article "Confessions of a TSA Agent" states, "He continued to call me horrible names, and finally I told him that if he had any hope of continuing on his flight that day, his best chance to do so was to shut up. I eventually called for the assistance of a supervisor because of his continued verbal abuse. That type of action, behavior and language is a huge red flag for TSA." I'm sorry, but if you are going to commit an act of terrorism, the last thing you are going to do is call TSA agents names and earn the "red flag" (unless it is a distraction so the real terrorist can sneak through). Monitoring and behavioral profiling should be part of your network security strategy. Collecting data from multiple sources and analyzing it for behavioral patterns will often reveal a security incident that no single source shows. This data can come from firewall logs, intrusion detection systems, system logs and several other sources that by themselves may not provide the entire picture. You need to develop your own "red flag" system, based on common sense and on intelligence about the attackers who are after your network resources or data.
Not Training Your Employees - This can encompass two mistakes: not training your employees at all and/or training them in the wrong specialties. TSA agents go through 22 weeks of training, yet seem to lack the analytical skills of employees and security personnel at high-security airports found in Israel. For example:
"Boarding a plane at Ben Gurion airport, shoes aren’t removed (no stocking feet!), passengers aren’t body scanned, and there are no pat downs. There are, however, plenty of questions asked by intelligent security officers who have got their eyes firmly on you, know exactly what to look for, and have no qualms about detaining any individual or group who arouse their suspicions."
Sound familiar? It should. It reminds me of my weeklong class training on intrusion detection systems. We learned what to look for on the network to detect attacks, and had no qualms about digging deeper into specific packets, reviewing them in their entirety to determine their purpose. Employing security personnel trained in what to look for does wonders in keeping your data, or airlines, safe. Couple this with end-user training, and you've added another layer to your security model.
Relating Geography to Security - When I was managing security for a large network, attacks would originate from all over the globe. If I performed incident response, I could usually gather enough information to identify the country an attack was likely coming from. The problem is that attackers work, communicate and launch attacks from many different countries. As a network security administrator I could look up the IP address ranges assigned to a given country and block all of them at the perimeter. This is not an effective security measure, as attackers will simply come from different IP addresses in other countries. Take this type of defense to its logical conclusion and you end up blocking the entire Internet. Rather than focusing on the origin of attacks, focus on their nature. Gather intelligence about those who are attacking you and implement an effective defense against what they actually do. This is far more useful than labeling countries and IP address ranges as "bad" and treating them differently with respect to security.
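Putting the two points together, here is an added example (not code from the original post, and not LCE or any other Tenable product) of the "red flag" correlation described under Not Monitoring Effectively, run over constructed firewall, IDS and authentication log lines, alongside a constructed "country X" IP blocklist. No single source reaches the alert threshold on its own; the combination does, and it flags the second attacker, whose address the blocklist never covered. The line formats, addresses, signature names, threshold and scoring weights are all assumptions made for this example.

```python
"""Added example: a per-host 'red flag' score built by correlating three
log sources, and why it beats a country IP blocklist.

Each source alone stays below the alert threshold; the combination does not.
The second attacker arrives from a range the blocklist never covered, yet
the same behaviour flags both. All log lines, addresses, signature names and
the blocklist are constructed for this example; the line formats are
simplified and not those of any particular firewall, IDS or SIM product.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed firewall log: two hosts sweep five ports each; one benign
# host (192.0.2.44) is denied once on 443.
FIREWALL_LOG = """\
2010-01-05T02:14:01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22
2010-01-05T02:14:01 DENY src=203.0.113.7 dst=10.0.0.5 dport=23
2010-01-05T02:14:02 DENY src=203.0.113.7 dst=10.0.0.5 dport=445
2010-01-05T02:14:02 DENY src=203.0.113.7 dst=10.0.0.5 dport=3389
2010-01-05T02:14:02 DENY src=203.0.113.7 dst=10.0.0.5 dport=1433
2010-01-05T03:02:11 DENY src=198.51.100.23 dst=10.0.0.5 dport=23
2010-01-05T03:02:11 DENY src=198.51.100.23 dst=10.0.0.5 dport=445
2010-01-05T03:02:12 DENY src=198.51.100.23 dst=10.0.0.5 dport=3389
2010-01-05T03:02:12 DENY src=198.51.100.23 dst=10.0.0.5 dport=1433
2010-01-05T03:02:13 DENY src=198.51.100.23 dst=10.0.0.5 dport=8080
2010-01-05T09:00:00 DENY src=192.0.2.44 dst=10.0.0.5 dport=443
"""

# Constructed IDS log: one alert per attacker; the signature name is made up.
IDS_LOG = """\
2010-01-05T02:15:30 ALERT sig=ssh-bruteforce msg="SSH brute force attempt" src=203.0.113.7 dst=10.0.0.5
2010-01-05T03:03:40 ALERT sig=ssh-bruteforce msg="SSH brute force attempt" src=198.51.100.23 dst=10.0.0.5
"""

# Constructed system log: guessing from both attackers, a success for the
# first one, and one legitimate key-based login.
AUTH_LOG = """\
2010-01-05T02:15:20 srv1 sshd: Failed password for root from 203.0.113.7 port 51022
2010-01-05T02:15:22 srv1 sshd: Failed password for root from 203.0.113.7 port 51023
2010-01-05T02:15:25 srv1 sshd: Failed password for admin from 203.0.113.7 port 51024
2010-01-05T02:15:31 srv1 sshd: Accepted password for admin from 203.0.113.7 port 51025
2010-01-05T03:03:30 srv1 sshd: Failed password for root from 198.51.100.23 port 40001
2010-01-05T03:03:33 srv1 sshd: Failed password for root from 198.51.100.23 port 40002
2010-01-05T03:03:35 srv1 sshd: Failed password for admin from 198.51.100.23 port 40003
2010-01-05T09:01:00 srv1 sshd: Accepted publickey for carol from 192.0.2.44 port 50000
"""

RED_FLAG_THRESHOLD = 5  # assumed; every single source scores at most 4 alone


def correlate(firewall: str, ids: str, auth: str) -> dict:
    """Fold all three sources into one picture per source IP and score it."""
    hosts = defaultdict(lambda: {"ports": set(), "ids": 0, "failed": 0, "accepted": 0})
    for m in re.finditer(r"DENY src=(\S+) dst=\S+ dport=(\d+)", firewall):
        hosts[m.group(1)]["ports"].add(int(m.group(2)))
    for m in re.finditer(r'ALERT sig=\S+ msg="[^"]*" src=(\S+)', ids):
        hosts[m.group(1)]["ids"] += 1
    for m in re.finditer(r"(Failed|Accepted) \w+ for \S+ from (\S+)", auth):
        key = "failed" if m.group(1) == "Failed" else "accepted"
        hosts[m.group(2)][key] += 1

    scores = {}
    for ip, h in hosts.items():
        score = 0
        if len(h["ports"]) >= 4:                # port sweep seen by the firewall
            score += 2
        score += 2 * h["ids"]                   # IDS signature hits
        if h["failed"] >= 3:                    # password guessing in the system log
            score += 2
        if h["failed"] >= 3 and h["accepted"]:  # a success right after guessing
            score += 2
        scores[ip] = score
    return scores


def red_flags(scores: dict, threshold: int = RED_FLAG_THRESHOLD) -> list:
    """Source IPs whose combined behaviour crosses the threshold."""
    return sorted(ip for ip, s in scores.items() if s >= threshold)


# Constructed stand-in for "all ranges assigned to country X".
COUNTRY_BLOCKLIST = [ipaddress.ip_network("203.0.113.0/24")]


def geo_blocked(ip: str, blocklist=COUNTRY_BLOCKLIST) -> bool:
    """The origin-based control: is this address inside a blocked range?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in blocklist)


if __name__ == "__main__":
    scores = correlate(FIREWALL_LOG, IDS_LOG, AUTH_LOG)
    for ip in red_flags(scores):
        print(f"red flag {ip} score={scores[ip]} geo_blocked={geo_blocked(ip)}")
```

Run it and both attackers are flagged by what they did, while the blocklist stops only the one who happened to come from the listed range; the benign key-based login from 192.0.2.44 scores zero. Swap the attacker's address for one in any other range and the behavioural score does not change, which is the point of keying the red flag on the nature of the activity rather than on where it came from.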
The really scary part is how this relates to the most recent attack against the U.S., on Christmas Day, by the infamous "underwear bomber". President Obama announced that intelligence agencies knew the "underwear bomber" posed a threat, but could not "connect the dots" and prevent the attack from happening. I’ve been in the same situation as it relates to network security. After an incident occurred, I would go back to my logs and realize that I could have prevented it, but it was too late. This highlights the need for both tools (such as the Tenable Log Correlation Engine, a Security Information Management or "SIM" product) and people who are trained to use them.
We're Here to Help
At Tenable, we strive to provide you the tools, skills and guidance necessary to build a successful security program. The tools include Nessus, PVS, Security Center and LCE. You can see them in action here on this blog, on our YouTube channel, and on our demonstration video page. We offer a comprehensive training program for all of our products as well. There are other resources on our whitepapers page (for example the paper titled "Maximizing ROI on Vulnerability Management") that offer guidance on how to use the tools and skills to build a successful information security program.