UPDATE: In Spring of 2010 BreakingPoint unveiled the pioneering Cyber Tomography Machine to help you with problems such as the ones described in this post.
We talk a lot about security here on the blog, primarily around how to harden cyber infrastructures against attack. In many of those cases we are detailing ways in which you can secure networks, data centers, sensitive data and more. The concept of personal security, however, is something we all think about now, especially when you are inundated with news stories about TSA security measures. It seems like there is a subtle problem with the focus of our security. Terrorists target people. Yet all of the security measures are designed to protect edifices, not people. It's really the obsession of our enemies with doing something "big" that saves us rather than an effective security strategy.
Take for example the restriction that only people actually flying are allowed past security in the airport. What that means is that, rather than having the majority of people around the airport inside a secured area, you now have big concentrations of people who have not gone through security. Taking that further: in the recent incident at Newark Liberty International Airport, where a man walked in through the exit, everybody was forced to leave the secure area so they could be re-screened. Once the secure area was vacated, great, the airport and planes were protected from the potential terrorist, but now a giant crowd of people was milling around in an unsecured area, along with the potential terrorist.
If I was a terrorist, I'd set up a two-man operation. One guy to go through the exit and force an evacuation and get all the security busy and focused inside, and another guy to drive a truck through the front door into the resulting crowd, and blow it up. Sounds similar to using a DDoS evasion to slip past an IPS, right? Our response, however, protects the planes and the building at the expense of the people. I think it comes from thinking about strategic defense, but the terrorists are not making strategic attacks.
I never complain about something unless I have a positive alternative to offer at the same time, so here is what I think would be a more effective strategy to combat terrorists. To develop an idea, I started thinking what prevented recent terrorist attacks, when the current approach failed.
In theory, there are some secret government programs that have prevented terrorist attacks before they happened, but since they're secret I can't really build anything on those programs. But when Abdulmutallab (the "crotch bomber") tried his plan, he was brought down by passengers, regular people who stepped up and did something. It was the same thing, regular people stepping up, at the tragic expense of their own lives, that prevented Flight 93 from crashing into the White House.
If you step into an airport full of 20,000 people, the odds are very good that at least 19,999 of them are not terrorists and are in fact people gladly willing to punch a terrorist in the face under the right circumstances. Rather than treating all 20,000 people as liabilities, what if they simply put up a picture from the security camera showing the guy going in through the exit, with an announcement of "If you see this guy, alert security immediately, and watch for unusual behavior on your flights." All of a sudden, you have 19,999 allies and they can stay in the relatively safe secure area.
There is precedent for a system like this, look at the Amber Alert system. Rather than attempting to corral a state full of people, which would be the TSA approach to a kidnapping, it gets the word out, on the assumption that the vast majority of people would gladly help if they just knew that they needed to lend a hand.
My concept is a "terrorist alertness" certification class you could take. It would involve getting a background check, and being verified against all homeland security lists. Then you would spend a week learning what is suspicious behavior and what to do if you see it occur. You'd end up with a certification card that would allow you to breeze through security when you fly. Rather than relying on a glassy-eyed security guard at the gates (which, by the way, is not a knock on the security guards, it's incredibly hard to stay alert monitoring for a tiny, remote possibility) before the flight, they'd call all the certified people up to the desk to have a quick meeting. They'd show them pictures of all the people on the flight who are on some sort of watch list, seat them nearby, and tell them to stay alert.
Would you feel safer knowing that the people who are watching out for terrorist behavior were sitting in the same plane you are, not on the ground back at the airport? Would you be willing to go through a certification like that if it saved trouble at the security gates? I bet lots of people would. More importantly - do you think potential terrorists might be deterred if they knew this was going on?
I can say with certainty that this would make me feel a lot safer than having my water bottle confiscated at the security check does. This kind of system exists in other areas, and it works. Neighborhood watches are widely known to reduce crime. CPR training means a random person nearby might be able to help when help is needed, and the experts are too far away.
Of course, being a network guy, I can't help but relate this anti-pattern back to the network security world. This same class of mistake is made there, too. People protect the integrity of their network at the expense of the functionality they built it to provide.
Just think about an IPS. Hopefully you have a high level of confidence that the IPS securing your network will block an attack; that is the whole point, right? But here is the question: what happens to your good traffic while the attack is underway? Does it still flow? Can you continue to run your business while the attack is prevented, or does the IPS lock things down and get in the way of the good traffic? If you turn on enough filters to secure your network, can the IPS still support the bandwidth you need?
After all, it's not really the network (planes) you're trying to protect, it's the data (people) that flows through it.
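The question above is really about measuring two numbers at once: how much of the attack the IPS blocks, and how much legitimate traffic still gets through while it is blocking. The following toy simulation is an added example, not BreakingPoint code and not a model of any particular IPS product. It assumes a device that can inspect only a fixed number of packets per tick and must do something with the overflow, and it compares two assumed overload policies, "fail_closed" (uninspected overflow is dropped) and "fail_open" (uninspected overflow is forwarded). The traffic mix, capacity figures and packet format are all constructed for the example.

```python
"""Toy model: goodput of an inspection device while it blocks an attack.

Constructed simulation for illustration only, not a real IPS. Per tick the
device can inspect at most `capacity` packets; what happens to the rest
depends on an assumed overload policy. Reporting the block rate alone hides
whether the business traffic survived, which is the point of the exercise.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    flow_id: int
    malicious: bool  # True if the packet matches the (assumed) attack signature


def make_traffic(legit_rate, attack_rate):
    """Build one tick of traffic: `legit_rate` legitimate packets interleaved
    proportionally with `attack_rate` attack packets (deterministic order)."""
    pkts, li, ai = [], 0, 0
    for _ in range(legit_rate + attack_rate):
        # Emit a legitimate packet whenever its share is behind the attack's.
        if li < legit_rate and li * attack_rate <= ai * legit_rate:
            pkts.append(Packet(li, False))
            li += 1
        else:
            pkts.append(Packet(10_000 + ai, True))  # constructed attack flow ids
            ai += 1
    return pkts


def run_ips(packets, capacity, policy):
    """Inspect up to `capacity` packets (dropping signature matches), then
    apply `policy` to the uninspected overflow.
    Returns (legit_forwarded, legit_total, attack_forwarded, attack_total)."""
    inspected, overflow = packets[:capacity], packets[capacity:]
    forwarded = [p for p in inspected if not p.malicious]
    if policy == "fail_open":
        forwarded += overflow          # good traffic flows, attack leaks through
    elif policy != "fail_closed":      # fail_closed: overflow is simply dropped
        raise ValueError(f"unknown policy {policy!r}")
    legit_total = sum(not p.malicious for p in packets)
    attack_total = len(packets) - legit_total
    legit_fwd = sum(not p.malicious for p in forwarded)
    attack_fwd = len(forwarded) - legit_fwd
    return legit_fwd, legit_total, attack_fwd, attack_total


def report(legit_rate, capacity, attack_rates, policy):
    """Rows of (attack_rate, goodput, block_rate) for a sweep of attack sizes.
    goodput = share of legitimate packets forwarded; block_rate = share of
    attack packets dropped."""
    rows = []
    for a in attack_rates:
        lf, lt, af, at = run_ips(make_traffic(legit_rate, a), capacity, policy)
        goodput = lf / lt
        block_rate = 1 - af / at if at else 1.0
        rows.append((a, round(goodput, 2), round(block_rate, 2)))
    return rows


if __name__ == "__main__":
    # Constructed scenario: 100 legitimate packets/tick, device inspects 200/tick.
    for policy in ("fail_closed", "fail_open"):
        print(policy)
        for attack, goodput, blocked in report(100, 200, [0, 100, 400], policy):
            print(f"  attack={attack:4d}  goodput={goodput:.2f}  blocked={blocked:.2f}")
```

Under the fail-closed policy the block rate stays at 100% while goodput collapses as the attack grows, which is the "planes protected, people not" outcome; under fail-open goodput stays at 100% but the attack leaks through. A test plan that records only one of the two columns cannot tell these outcomes apart, so a load test of an IPS should always report both, at the traffic rates the business actually needs.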