Misguided Security Leads To Insecurity

It's once again travel time. Full disclosure: I was the first to publish an exploit against travel systems. Co-released with iDefense (since acquired by Symantec) this simple denial of service exploit was capable of halting operations at most airlines and airports in the United States.I never released buffer overflow exploit code, and this flaw has since been rectified. Now, I'm just a frequent traveler and industry observer of misguided travel security processes that sometimes seem a physical manifestation of that DoS exploit.

Moreover, it's eerily similar to the worst type of enterprise IT security.

How so? IT security in some organizations is still reactionary, Draconian, and too often just for show. Sometimes this is due to bad managers hoping to save their jobs or impress the boss. In others, it's good intentions combined with inexperience. In either case, many organizations see a threat, react—and cause harm to the organization. In the end, when they get in the way, bad controls and processes are always bypassed for the good of the company.

The travel industry is a prime example of this in action.

At SFO, the TSA installed a new fancy people x-ray machine made by L3 to scan passengers. I am not a big fan of these but was willing to go through it for the experience. (Never mind that I have no idea if these are safe or not. At one time we thought lead paint on childrens toys was safe. Enough said.) As I was waiting in line, the carry-on x-ray machine backed up. Seeing a problem, the TSA shuffled us through a metal detector instead and bypassed the x-ray machine. The x-ray machine took so much longer for each person to properly pass through, that the baggage x-ray machine operator had to stop his work. Impact to business, control bypassed. This new machine, which was supposed to increase our security, caused delays and was bypassed, thus reducing its ROI and proving that our security may not be any better with it than without, and may even be worse.

Granted, the airline industry's security protocol is immature and at times misguided. I like to pick on it as an example, and any corporate security manager will tell you, with time and experience come better processes and controls. Assuming the power-hungry TSA does not remove all of our civil liberties and comes to its senses, we will overcome this. In the meantime, IT security managers of the world, do not follow this example. Be proactive, be risk-based, and align with the organization. Earn trust, prove results, and grow your program.

If you're with the TSA, L3, or Homeland Security and want to chat, e-mail me, tweet me, or just stop me in an airport. I'll be the guy standing in line to be x-rayed with holes in my socks and pants falling down as my belt passes me by.