http://www.aviary-mag.com/Martin/Standards/standards.html

Setting Standards in Security



Returning from Tokyo a few weeks back prompted me to remember an ongoing problem in the security community. I don't necessarily mean the computer security community, but this certainly applies to computer/network security as well as anyone else. The reason this is a big concern is not because it directly leaves a gaping hole in your defense, rather it helps to create weak links in your defense. As we all know, your system is only as strong as the weakest link. Looking back to Tokyo, I noticed the standards for which they set security at airports. Specifically, the inspection of individuals before letting them on the plane. The US metal detectors are often the source of jokes or parts of comedic routines.

In Tokyo, I walked through with my pager, a pocketful of coins, a metal belt buckle, dog tags, a second metal necklace, steel toed boots and who knows what else. Most US metal detectors have a problem with the coins, buckle, and boots which cause me to move to a second detector and eventually a hand held detector check. In fact, it happens so frequently in US airports, I don't even bother removing most metal at the first gate, rather I walk through holding my arms out saying "My boots always set it off." Without failure, I pass the second detector and hand held check and move on without missing a beat. I started doing that after the inconsistent nature of the US detectors. Some would complain about a pocket full of quarters, while others didn't like my boots and some didn't care about any of it. It made me realize that there were no national guidelines for these detectors. Odd.

When you pass your bags through the x-ray machine, do you get stopped for having a laptop? A single time caused them to swab my laptop and put it in the machine that checks for explosives. One out of five trips they ask for me to power it on. Four out of five times I must show my pager can change the display. We all know that a laptop is sufficient room to pack enough C4 and wiring to make a hefty bomb, so why wouldn't they check it every time? It makes no sense. As much as I hate to say it, the FAA should require ALL electronics to be checked. Anything short of that and all they are doing with the security checkpoints is giving us warm fuzzies, not personal security.

While this seems trivial to many, it means a world more to those in the security field. The fact that all of that metal being carried on a plane without being challenged is an issue. I won't even bring up the fact that I carry at least one knife on all plane trips. Along with that; extra batteries, computer accessories (including cable/wiring sometimes), computer repair tools, and more. Interestingly enough, everything required to make or piece together explosives almost! I certainly have no intention of blowing up a plane or hijacking one, but I do carry half the gear needed to do just that. And I am never stopped or questioned.

As crazy and disjointed as this sounds, it is true twice over in the computer/network security field. What few standards are proclaimed by industry participants are adopted by an amazingly small percentage of companies. Despite this, I can understand why they wouldn't be accepted and implemented. To date, the security standards have been set mostly by third party companies with a financial interest in doing so. Worse, set by third party companies that are not recognized leaders in the security field.

These inconsistent metal detectors in our airports are akin to the security mechanisms guarding corporate infrastructures. Strong firewalls protecting the company from the ten to twenty percent of attacks that come from outside. Little to no interior defenses guarding us from the most threatening attackers: employees with internal access. Failing to set a standard level of security for ALL points of entry creates another weak link in your defenses. Case history shows, those weak links are the first to break at the first sign of pressure.


Brian Martin (bmartin@attrition.org)
Copyright 1999