Airport Security and Data Security: Combining Theater with Effective Controls

I was traveling last week and noticed a similarity between how we are kept secure when flying and how we secure our data networks. In both instances passengers and data are screened when entering the airport or the enterprise. Passengers are then transported between destinations in airplanes, much like data is transported in packets. Passenger luggage and the direct shipping of packages are part of the same transport system, much like data transfer also uses alternative ports. In some instances, these packages or data packets contain harmful content.

The similarities don’t end there. The methods and procedures used in airports and in network environments to protect us are a combination of real and perceived security controls. Unfortunately, many of the controls in place make us feel better but have little or no effect on reducing risk.

The Rise of “Security Theater”

In his book “Beyond Fear” (Copernicus Books, September 2003), computer security specialist and cryptographer Bruce Schneier writes about how the changes made to airport security in reaction to the 9/11 attacks consist mostly of what he calls “security theater”: security measures that make people feel more secure but are of little consequence when it comes to actual passenger security. For instance, enhanced airport passenger screening does little to affect the actual security of passengers. But hardened, locked cockpit bulkheads and advanced screening of luggage and shipping (which began in August of 2010) significantly reduce passenger risk. In many of the world’s highest-risk locations, passengers (with the exception of those bound for the U.S.) don’t pass through metal detectors. Instead, security forces mingle with the crowd and look for unusual activity. In these high-risk locales, airline security is a normal part of flying, but there are few, if any, needless restrictions. Sometimes the most visible security measures are the least effective, while hidden security efforts do more to keep passengers safe.

This airport security model is quite similar to what network and data security organizations do. Most follow a “best practices” approach that’s akin to follow-the-leader: “If everybody is doing it and I do it too, then I’ll be safe.” What this means today is that an organization’s firewalls, complete with intrusion detection or prevention devices (IDS or IPS), are placed on the edge of the corporate network—lodged between the enterprise and the public Internet. Frequently, separate controls that filter email and web traffic are placed at the same network interchange points as the firewalls. But once inside the enterprise firewall and interchange points, security is largely non-existent. Where it does exist, it’s aimed solely at pre-identified systems. Alternatively, if network segmentation is being used, control points may be placed between selected network segments in an effort to protect critical systems and/or segments. Remote employee and partner access is assumed to be low risk. New regulations will place additional security controls on organizations, but they don’t change the fundamental security design—they merely add controls to existing measures. (Think of it as adding full-body scanning to the passenger screening process.)
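One way to see what the paragraph above describes is to model where inspection actually happens. The example below is added here and is not part of the original post or of any AT&T product: it treats a network design as an assignment of zones to segments, assumes a control point (firewall, IDS/IPS, mail or web filter) sits on every segment boundary and nowhere else, and then asks which sample flows ever pass one. The zone names, the two designs and the flows are all constructed for illustration; under the perimeter-only design the partner VPN is placed “inside” once authenticated, mirroring the assumption that remote and partner access is low risk.

```python
"""Which traffic passes a control point under a perimeter-only design
versus a segmented one?  All zones, designs and flows are constructed
for illustration and do not describe any real network."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str    # zone the traffic originates in
    dst: str    # zone it is delivered to
    label: str  # human-readable description


# Constructed sample flows (hypothetical, not captured traffic).
FLOWS = [
    Flow("internet", "dmz_web", "public web request"),
    Flow("internet", "workstation", "inbound connection from the Internet"),
    Flow("workstation", "internet", "outbound web browsing"),
    Flow("workstation", "db_server", "workstation to database (lateral movement)"),
    Flow("partner_vpn", "db_server", "partner access to database"),
    Flow("dmz_web", "db_server", "web tier to database"),
]

# A design maps each zone to a segment.  The model assumes an inspection
# point sits on every segment boundary and nowhere else.  Both designs
# are hypothetical.
DESIGNS = {
    # Everything behind the edge firewall, including the partner VPN
    # once it has authenticated, is one flat "inside".
    "perimeter_only": {
        "internet": "outside",
        "dmz_web": "inside",
        "workstation": "inside",
        "partner_vpn": "inside",
        "db_server": "inside",
    },
    # The DMZ, user network, partners and critical systems each sit
    # behind their own control point.
    "segmented": {
        "internet": "outside",
        "dmz_web": "dmz",
        "workstation": "users",
        "partner_vpn": "partners",
        "db_server": "critical",
    },
}


def inspected(flow: Flow, design: dict) -> bool:
    """True if the flow crosses a segment boundary and so passes a control."""
    return design[flow.src] != design[flow.dst]


def uninspected(design_name: str) -> list:
    """Labels of sample flows that reach their destination with no inspection."""
    design = DESIGNS[design_name]
    return [f.label for f in FLOWS if not inspected(f, design)]


def coverage(design_name: str) -> float:
    """Fraction of sample flows that pass at least one control point."""
    design = DESIGNS[design_name]
    return sum(inspected(f, design) for f in FLOWS) / len(FLOWS)


if __name__ == "__main__":
    for name in DESIGNS:
        print(f"{name}: {coverage(name):.0%} of sample flows inspected")
        for label in uninspected(name):
            print(f"  blind spot: {label}")
```

Run against these constructed flows, the perimeter-only design inspects only the three flows that touch the Internet; the three internal flows, including the partner VPN reaching the database, never pass a control. The same flows under the segmented design all cross at least one boundary. The model is deliberately simple (it says nothing about what the control point does once traffic reaches it), but listing the blind spots of the current design is a useful first step before adding yet another control at the edge.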

Defending Against the Known Threats

So far, compliance with these regulations has led to an increase in complexity, but the additional security measures haven’t fundamentally changed the level of security. Like Schneier’s “security theater,” these regulations produce more drama than results when it comes to securing critical data.

In the case of both airport and data security, “best practices” are employed to make users feel better and, in both instances, the effectiveness of such practices is debatable. Next time you’re at an airport, take a look at the controls put in place to protect us. Compare them to the systems and controls used to protect your network and see if you don’t come to the same conclusion Schneier and I have come to: mankind does a better job protecting itself from past attacks than it does anticipating new ones. If we’re not looking for new attack vectors, how can we protect ourselves against those threats?

Breadth of experience is a factor: organizations that have experienced a number of security incidents are often better protected from future events—but only if those future events are similar in nature to past ones. It’s one reason organizations use managed service providers to help protect their networks—and it does work, if the attacks resemble past attacks. But what about the ones we haven’t seen?

What do you believe will be the next attack vector—the one we aren’t yet looking for?
How can we protect against it?
Steve Hurst, Managed Security Product Director, AT&T