Misguided Security Leads To Insecurity - InformationWeek

2/7/2010
05:39 PM
Adam Ely

Misguided Security Leads To Insecurity

It's once again travel time. Full disclosure: I was the first to publish an exploit against travel systems. Co-released with iDefense (since acquired by Symantec), this simple denial of service exploit was capable of halting operations at most airlines and airports in the United States. I never released buffer overflow exploit code, and this flaw has since been rectified. Now, I'm just a frequent traveler and industry observer of misguided travel security processes that sometimes seem like a physical manifestation of that DoS exploit.

Moreover, it's eerily similar to the worst type of enterprise IT security.

How so? IT security in some organizations is still reactionary, draconian, and too often just for show. In some cases, this is due to bad managers hoping to save their jobs or impress the boss. In others, it's good intentions combined with inexperience. In either case, many organizations see a threat, react, and cause harm to the organization. In the end, when bad controls and processes get in the way, they are always bypassed for the good of the company.

The travel industry is a prime example of this in action.

At SFO, the TSA installed a fancy new people x-ray machine made by L3 to scan passengers. I am not a big fan of these but was willing to go through it for the experience. (Never mind that I have no idea if these are safe or not. At one time we thought lead paint on children's toys was safe. Enough said.) As I was waiting in line, the carry-on x-ray machine backed up. Seeing a problem, the TSA shuffled us through a metal detector instead and bypassed the people x-ray machine. The people x-ray machine took so much longer for each person to properly pass through that the baggage x-ray machine operator had to stop his work. Impact to business, control bypassed. This new machine, which was supposed to increase our security, caused delays and was bypassed, thus reducing its ROI and proving that our security may not be any better with it than without, and may even be worse.

Granted, the airline industry's security protocol is immature and at times misguided. I like to pick on it as an example, and any corporate security manager will tell you, with time and experience come better processes and controls. Assuming the power-hungry TSA does not remove all of our civil liberties and comes to its senses, we will overcome this. In the meantime, IT security managers of the world, do not follow this example. Be proactive, be risk-based, and align with the organization. Earn trust, prove results, and grow your program.

If you're with the TSA, L3, or Homeland Security and want to chat, e-mail me, tweet me, or just stop me in an airport. I'll be the guy standing in line to be x-rayed with holes in my socks and pants falling down as my belt passes me by.
