BreakingPoint Labs

The Difficulty of Protecting People

We talk a lot about security here on the blog, primarily around how to harden cyber infrastructures against attack. In many of those cases we are detailing ways in which you can secure networks, data centers, sensitive data and more. The concept of personal security, however, is something we all think about now, especially when you are inundated with news stories about TSA security measures. It seems like there is a subtle problem with the focus of our security. Terrorists target people. Yet all of the security measures are designed to protect edifices, not people. It's really the obsession of our enemies with doing something "big" that saves us rather than an effective security strategy.

Take, for example, the restriction that only people actually flying are allowed past security in the airport. What that means is that, rather than having the majority of people around the airport inside a secured area, you now have big concentrations of people who have not gone through security. Taking that further: in the recent incident at Newark Liberty International Airport, where a man walked in through the exit, the result was that everybody was forced to leave the secure area so they could be re-screened. Once the secure area was vacated, great, the airport and planes were protected from the potential terrorist, but now a giant crowd of people was milling around in an unsecured area, along with the potential terrorist.

If I were a terrorist, I'd set up a two-man operation: one guy to go through the exit, force an evacuation, and get all the security busy and focused inside, and another guy to drive a truck through the front door into the resulting crowd and blow it up. Sounds similar to using a DDoS as an evasion to slip past an IPS, right? Our response, however, protects the planes and the building at the expense of the people. I think it comes from thinking about strategic defense, but the terrorists are not making strategic attacks.

I never complain about something unless I have a positive alternative to offer at the same time, so here is what I think would be a more effective strategy to combat terrorists. To develop an idea, I started thinking about what prevented recent terrorist attacks when the current approach failed.

In theory, there are some secret government programs that have prevented terrorist attacks before they happened, but since they're secret I can't really build anything on those programs. But when Abdulmutallab (the "crotch bomber") tried his plan, he was brought down by passengers, regular people who stepped up and did something. It was the same thing, regular people stepping up, at the tragic expense of their own lives, that prevented Flight 93 from crashing into the White House.

If you step into an airport full of 20,000 people, the odds are very good that at least 19,999 of them are not terrorists, and in fact they are people gladly willing to punch a terrorist in the face under the right circumstances. Rather than treating all 20,000 people as liabilities, what if they simply put up a picture from the security camera showing the guy going in through the exit, with an announcement of "If you see this guy, alert security immediately. And watch for unusual behavior on your flights." All of a sudden, you have 19,999 allies, and they can stay in the relatively safe secure area.

There is precedent for a system like this: look at the Amber Alert system. Rather than attempting to corral a state full of people, which would be the TSA approach to a kidnapping, it gets the word out, on the assumption that the vast majority of people would gladly help if they just knew that they needed to lend a hand.

My concept is a "terrorist alertness" certification class you could take. It would involve getting a background check and being verified against all homeland security lists. Then you would spend a week learning what suspicious behavior looks like and what to do if you see it occur. You'd end up with a certification card that would allow you to breeze through security when you fly. Rather than relying on a glassy-eyed security guard at the gates (which, by the way, is not a knock on the security guards; it's incredibly hard to stay alert monitoring for a tiny, remote possibility), before the flight they'd call all the certified people up to the desk for a quick meeting. They'd show them pictures of all the people on the flight who are on some sort of watch list, seat them nearby, and tell them to stay alert.

Would you feel safer knowing that the people watching out for terrorist behavior were sitting on the same plane as you, not on the ground back at the airport? Would you be willing to go through a certification like that if it saved trouble at the security gates? I bet lots of people would. More importantly, do you think potential terrorists might be deterred if they knew this was going on?

I can say with certainty that this would make me feel a lot safer than having my water bottle confiscated at the security check does. This kind of system exists in other areas, and it works. Neighborhood watches are widely known to reduce crime. CPR training means a random person nearby might be able to help when help is needed and the experts are too far away.

Of course, being a network guy, I can't help but relate this anti-pattern back to the network security world. This same class of mistake is made there, too: people protect the integrity of their network at the expense of the functionality they built it to provide.

Just think about an IPS. Hopefully, you have a high level of confidence that the IPS securing your network will block an attack; that is the whole point, right? But here is the question: what happens to your good traffic while the attack is underway? Does it still flow? Can you continue to run your business while the attack is prevented, or does the IPS lock things down and get in the way of the good traffic? If you turn on enough filters to secure your network, can the IPS still support the bandwidth you need?

After all, it's not really the network (planes) you're trying to protect, it's the data (people) that flows through it.

2 comments
Tags: blog post // cyber warfare // ids ips //

IPS analogy flawed

Posted by Robert Morris at 2010-01-12 10:44
The challenge with comparing individuals to IPS is that there are a number of significant differences between casual observers and dedicated teams.

An IPS is a dedicated device specifically designed and installed (i.e. "paid") to watch choke points for malicious traffic (i.e. "evildoers").

A casual observer, even if trained, is not dedicated to this, is not paid, and in fact has little to no liability or risk of NOT reporting suspicious behavior.

An "Airport IPS" would be dedicated personnel specifically tasked with identifying terrorists.

A better analogy may be to compare a casual observer to a server. Yeah, it can log security stuff, but it really doesn't care; its primary mission is something else. Anything that detracts from the primary mission incurs cost. If the cost is reasonable, then it can be done effectively. If not, forget it. And of course, the optimal targets of this effort would be frequent flyers, those who have significant value attached to their capabilities already to justify flying all over the world. Attracting THEIR attention and commitment to a training course, certification, etc. would require more than just civic duty. It would be costing them 2%-5% of their annual productivity, plus whatever time would be required in the actual airport to observe and report.

That could easily cost each individual $7,000 - $10,000 annually, assuming a compensation model for frequent flyers of approximately $100,000/year. Multiply that by the number of frequent flyers, probable effectiveness (percentage of bad guys caught), and likely impact, and the cost/benefit doesn't work out to address the risk.

Dedicated personnel are cheaper than co-opting someone else's time, as well as being more effective. That's why IPS devices exist as opposed to putting significant loads on servers with other jobs to do.

Re: IPS Analogy Flawed

Posted by Kris Raney at 2010-01-12 11:38
I agree with your association of an "Airport IPS" with the security personnel in the airport and individuals with the servers being protected; in fact, that was the association I intended to make.

Concerning the costs, bear in mind that the participants would be compensated with a fast path through security. Frequent fliers would see the most benefit from that. I think the time savings could very easily overcome the time expense of the training. As for time spent being vigilant, that's time that they are spending on the plane anyway.

I disagree that the casual observers face no risk from not reporting suspicious behavior. They're on the plane where the suspicious behavior is occurring, after all. I'd say they in fact have a much deeper vested interest than the security team does. In fact, that's kind of the point: this plan has people taking more responsibility for their own security. Since their fate is linked to their fellow passengers, the community benefits as well.

Of course, you're right that the individuals will be less effective than the dedicated personnel. On the other hand, there would be more individuals, in more places, and in closer proximity to where the action is happening. History says that will work. Look at the terrorist attacks I mentioned. Look at the CPR training program.

Still, I would never suggest that we do this instead of using dedicated security; we'd do it in addition. It's not an either-or proposition.
