Setting Standards in Security
Returning from Tokyo a few weeks back prompted me to remember an ongoing problem
in the security community. I don't necessarily mean the computer security community,
but this certainly applies to computer/network security as well as anyone else.
The reason this is a big concern is not because it directly leaves a gaping hole
in your defense, rather it helps to create weak links in your defense. As we all
know, your system is only as strong as the weakest link. Looking back to Tokyo,
I noticed the standards for which they set security at airports. Specifically,
the inspection of individuals before letting them on the plane. The US metal
detectors are often the source of jokes or parts of comedic routines.
In Tokyo, I walked through with my pager, a pocketful of coins, a metal belt
buckle, dog tags, a second metal necklace, steel toed boots and who knows what
else. Most US metal detectors have a problem with the coins, buckle, and boots
which cause me to move to a second detector and eventually a hand held detector
check. In fact, it happens so frequently in US airports, I don't even bother
removing most metal at the first gate, rather I walk through holding my arms out
saying "My boots always set it off." Without failure, I pass the second detector
and hand held check and move on without missing a beat. I started doing that after
the inconsistant nature of the US detectors. Some would complain about a pocket
full of quarters, while others didn't like my boots and some didn't care about
any of it. It made me realize that there were no national guidelines for these
When you pass your bags through the x-ray machine, do you get stopped for having
a laptop? A single time caused them to swab my laptop and put it in the machine
that checks for explosives. One out of five trips they ask for me to power it on.
Four out of five times I must show my pager can change the display. We all know
that a laptop is sufficient room to pack enough C4 and wiring to make a hefty bomb,
so why wouldn't they check it every time? It makes no sense. As much as I hate
to say it, the FAA should require ALL electronics to be checked. Anything short of
that and all they are doing with the security checkpoints is giving us warm fuzzies,
not personal security.
While this seems trivial to many, it means a world more to those in the security
field. The fact that all of that metal being carried on a plane without being
challenged is an issue. I won't even bring up the fact that I carry at least one
knife on all plane trips. Along with that; extra batteries, computer accessories (including
cable/wiring sometimes), computer repair tools, and more. Interestingly enough,
everything required to make or piece together explosives almost! I certainly have
no intention of blowing up a plane or hijacking one, but I do carry half the gear
needed to do just that. And I am never stopped or questioned.
As crazy and disjointed as this sounds, it is true twice over in the computer/network
security field. What few standards are proclaimed by industry participants are adopted
by an amazingly small percentage of companies. Despite this, I can understand why they
wouldn't be accepted and implemented. To date, the security standards have been set
mostly by third party companies with a financial interest in doing so. Worse, set by
third party companies that are not recognized leaders in the security field.
These inconsistant metal detectors in our airports are akin to the security mechanisms
guarding corporate infrastructures. Strong firewalls protecting the company from the
ten to twenty percent of attacks that come from outside. Little to no interior defenses
guarding us from the most threatening attackers: employees with internal access.
Failing to set a standard level of security for ALL points of entry creates another
weak link in your defenses. Case history shows, those weak links are the first to break
at the first sign of pressure.
Brian Martin (firstname.lastname@example.org)