Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

Airport Security: Don't Make The Same Mistakes

Paul Asadoorian
January 7, 2010 • 6 Min Read
by Paul Asadoorian 
Blog Home /

Airport "Security"

Those of us who travel through any U.S. airport are used to the inconvenience of airport security - the long lines, metal detectors, having to take off your shoes, belts, earrings, and of course the ominous "liquids and gels" inspection. While most people accept these inconveniences as an unfortunate necessity, much of what has been implemented shares some of the common pitfalls found in many computer and network security programs. Using the U.S. airport security model as an example, let’s take a look at some of the security being implemented and relate it to security gone wrong in the enterprise:

  • Throwing Technology at the Problem - Airports are equipped with some of the latest technology to provide security, such as full body scanners and x-ray machines, yet breaches still happen. Most of us who have served in a security role in an organization are all too familiar with this problem. The typical knee-jerk reaction from management to a security problem is to buy a product, such as a firewall, and install it on the network. Technology is important, but the process and people that surround it are what really makes it work. Training people to administer the firewall, and other security measures, to ensure they are being used properly is the key to success. Policy also needs to exist and be enforced, allowing businesses to operate securely.
    • airport-security-line.jpg
    The dreaded long lines at airport security are a by-product of the current security model at U.S. airports.


  • Being Reactive Rather than Proactive - There is no question that some aspects of airport security in the U.S. are driven by incidents. For example, in 2003 the infamous "shoe bomber incident" resulted in passengers having to remove their shoes while going through airport security checkpoints. Six years later, a bomber hid explosives in his underwear and I hate to think where this is going if we carry this model forward. These two incidents illustrate that a reactive approach does not learn from previous flaws. In both cases that attacker hid explosive devices on his body and in both cases, security measures in place did not detect them – it was left to the passengers on the plane to do this. Organizations tend to implement the same reactive security measures in response to breaches. For example, if a SQL injection flaw was used to steal sensitive information, a web application firewall may be installed and configured to prevent this type of attack. However, this will only prevent a certain number of attacks, as attackers work around and find ways to slip past defenses using different encoding methods or attack strings (e.g., hiding the bomb in underwear rather than shoes).

  • Not Monitoring Effectively - One of the most successful airport security models comes from Israel, where behavioral profiling is used to identify potential security threats. The TSA appears to do some behavioral monitoring, but it seems misdirected. For example, the article "Confessions of a TSA Agent", states,"He continued to call me horrible names, and finally I told him that if he had any hope of continuing on his flight that day, his best chance to do so was to shut up. I eventually called for the assistance of a supervisor because of his continued verbal abuse. That type of action, behavior and language is a huge red flag for TSA." I'm sorry, but if you are going to commit an act of terrorism, the last thing you are going to do it call TSA agents names and get the "red flag" (maybe as a distraction so the real terrorist can sneak through). Monitoring and behavioral profiling should be a part of your network security strategy. Taking data from multiple sources and analyzing it for behavioral patterns will often reveal a security incident. This data can come from firewall logs, intrusion detection systems, system logs and several other sources that by themselves may not provide the entire picture. You need to develop your own "red flag" system that is based on common sense and intelligence about the attackers who are after your network resources or data.

  • Not Training Your Employees - This can encompass two mistakes: not training your employees at all and/or training them in the wrong specialties. TSA agents go through 22 weeks of training, yet seem to lack the analytical skills of employees and security personnel at high-security airports found in Israel. For example:
    "Boarding a plane at Ben Gurion airport, shoes aren’t removed (no stocking feet!), passengers aren’t body scanned, and there are no pat downs. There are, however, plenty of questions asked by intelligent security officers who have got their eyes firmly on you, know exactly what to look for, and have no qualms about detaining any individual or group who arouse their suspicions."

    Source: http://roomfordebate.blogs.nytimes.com/2009/12/30/aviation-security-and-the-israeli-model/

    Sound familiar? It should. It reminds me of my weeklong class training on intrusion detection systems. We learned what to look for on the network to detect attacks, and had no qualms about digging deeper into specific packets, reviewing them in their entirety to determine their purpose. Employing security personnel trained in what to look for does wonders in keeping your data, or airlines, safe. Couple this with end-user training, and you've added another layer to your security model.

  • Relating Geography to Security - When I was managing security for a large network, attacks would originate from all over the globe. If I performed incident response, I could gather enough information to identify a likely source country that the attack was coming from. The problem is, attackers are working, communicating and launching attacks from many different countries. As a network security administrator I could find out what the country's IP address ranges are that are assigned to it and block all of them from coming into the network. This is not an effective means of security, as attackers will just come from different IP addresses in other countries. If you take this type of defense to a whole new level, you'd end up blocking the entire Internet when all is said and done. Rather than focus on the origin of attacks, focus on the nature of the attacks. Gather intelligence about those who are attacking you and implement an effective defense against it. This is far more useful than labeling countries and IP address ranges as "bad" and treating them differently with respect to security.

    The really scary part is how this relates to the most recent attack against the U.S. on Christmas day by the infamous "underwear bomber". President Obama announced that intelligence agencies knew that the "underwear bomber" posed a threat, but could not "connect the dots" and prevent this attack from happening. I’ve been in the same situation, as it relates to network security. After an incident occurs, I would go back to my logs and realize that I could have prevented it from happening, but it was too late. This highlights the need for both tools (such as the Tenable Log Correlation Engine, otherwise referred to as "SIM" or Security Information Management) and people who are trained to use them.

    • We're Here to Help

    At Tenable, we strive to provide you the tools, skills and guidance necessary to build a successful security program. The tools include Nessus, PVS, Security Center and LCE. You can see them in action here on this blog, on our YouTube channel,and our demonstration video page. We offer a comprehensive training program for all of our products as well. There are other resources on our whitepapers page (for example the paper titled "Maximizing ROI on Vulnerability Management") that offer guidance on how to use the tools and skills to build a successful information security program.

    Paul Asadoorian

    Paul Asadoorian

    As founder and CEO of Security Weekly, Paul remains one of the world’s foremost experts on all things cybersecurity. Security Weekly is a one-stop resource for podcasts, webcasts and other content, informing community members about penetration testing, vulnerability analysis, ethical hacking and embedded device testing. Previously, Paul served as a lead IT security specialist for Brown University, and as an instructor with The SANS Institute.

    Related Articles

    How To Assess the Cybersecurity Preparedness of IT Service Providers and MSPs

    December 13, 2022

    Improperly evaluating the cybersecurity capabilities of prospective IT service providers and managed service providers (MSPs) can put your organization's data and systems at risk. A new guide from CompTIA can help you ask the right questions.

    Juan Perez

    Juan Perez

    A Holiday Story, Internet Edition: The Impact Of Assessing And Addressing Log4j Installations Proactively

    December 30, 2021

    A look at our log4j data.

    Glen Pendley

    Apache Log4j Flaw Puts Third-Party Software in the Spotlight

    December 12, 2021

    Even in the most mature organizations, addressing the issue, also known as Log4Shell, requires a complex mix of software development practices, vulnerability management and web application scanning.

    Robert Huber

    Robert Huber

    CVE-2024-20353, CVE-2024-20359: Frequently Asked Questions About ArcaneDoor

    April 25, 2024

    Frequently asked questions about CVE-2024-20353 and CVE-2024-20359, two vulnerabilities associated with “ArcaneDoor,” the espionage-related campaign targeting Cisco Adaptive Security Appliances.

    Satnam Narang

    Satnam Narang

    CVE-2024-4040: CrushFTP Virtual File System (VFS) Sandbox Escape Vulnerability Exploited

    April 23, 2024

    A zero-day vulnerability in CrushFTP was exploited in the wild against multiple U.S. entities prior to fixed versions becoming available as the vendor recommends customers upgrade as soon as possible.

    Satnam Narang

    Satnam Narang

    Operational Technology in the DoD: Ensuring a Secure and Efficient Power Grid

    April 19, 2024

    In an evolving threat landscape, the DoD must make sure that its mission-critical operations don’t experience power outages.

    Zach Bennefield

    Zach Bennefield

    • Log Analysis
    • Passive Network Monitoring

    Cybersecurity News You Can Use

    Enter your email and never miss timely alerts and security guidance from the experts at Tenable.

    Try for Free Buy Now

    Tenable Vulnerability Management

    Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

    Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

    Tenable Vulnerability Management

    Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

    100 assets

    Choose Your Subscription Option:

    Buy Now
    Try for Free Buy Now

    Tenable Vulnerability Management

    Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

    Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

    Tenable Vulnerability Management

    Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

    100 assets

    Choose Your Subscription Option:

    Buy Now
    Try for Free Buy Now

    Tenable Vulnerability Management

    Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

    Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

    Tenable Vulnerability Management

    Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

    100 assets

    Choose Your Subscription Option:

    Buy Now
    Try for Free Buy Now

    Try Tenable Web App Scanning

    Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

    Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

    Buy Tenable Web App Scanning

    Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

    5 FQDNs

    $3,578

    Buy Now

    Try for Free Contact Sales

    Try Tenable Lumin

    Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

    Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

    Buy Tenable Lumin

    Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

    Try for Free Buy Now

    Try Tenable Nessus Professional Free

    FREE FOR 7 DAYS

    Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

    NEW - Tenable Nessus Expert
    Now Available

    Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.

    Fill out the form below to continue with a Nessus Pro Trial.

    Buy Tenable Nessus Professional

    Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

    Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

    Select Your License

    Buy a multi-year license and save.

    Add Support and Training

    Buy Now
    Renew an existing license | Find a reseller
    Try for Free Buy Now

    Try Tenable Nessus Expert Free

    FREE FOR 7 DAYS

    Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

    Already have Tenable Nessus Professional?
    Upgrade to Nessus Expert free for 7 days.

    Buy Tenable Nessus Expert

    Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

    Select Your License

    Buy a multi-year license and save more.

    Add Support and Training

    Buy Now
    Renew an existing license | Find a reseller