Friday Summary, TSA Edition: April 26, 2012 By Rich
Rich here. I’m writing this from an airport, so I will eschew my normal ‘personal’ intro and spend a little time on our favorite security show: Airport Screening Follies.
(But before I do that, go buy Motherless Children by Dennis Fisher. Dennis is an actual writer, and despite him screwing up an EMT reference it’s a great book (so far… nearly halfway through)).
It’s easy to knock the TSA. But like kicking a puppy, it’s also far from satisfying.
And while it’s also easy to criticize specific screening techniques, it might be more useful to understand them. Because if we really want our airport traveling experience to change, we need to attack the economics and stop wasting our time focusing on the value of particular security controls, or the failings of a small percentage of the workforce.
If we look at the TSA, there are really three levels of people involved (not counting the public):
- Policymakers (politicians)
- TSA executives (and high-level appointees)
- TSA staff
Let’s take a moment to look at the dynamics at each level.
- Politicians only care about being reelected, and don’t want any responsibility for their actions. To them the risk of changing the TSA is that on the off chance something bad happens, they will be excoriated (worst case: not re-elected). The reward for actually changing TSA practices is low, while the reward for posturing is high. In other words: if a politician implements a reduction in security and something bad happens they are likely to be held responsible even if it’s a coincidence; but proposing bills that don’t pass, loudly demanding tighter security (even if their demands are meaningless), and spending time complaining to the press, all help them get reelected. So they all talk a lot without doing anything useful.
- TSA execs – the high-level decision-makers – face the same risks as politicians. Drop a single pointless security ‘control’, and when the next event happens they will be stoned by politicians, press, and the public. There is no cost to them for implementing more security theater, but there is a high risk from removing anything. It’s not an evil mindset, and not one they are necessarily conscious of, but the sad truth is that it is at least as important for them to look like they are doing anything to address every potential visible risk, as to actually stop an attack or improve transportation.
- TSA staff mostly just want to keep their jobs. One important way to do that is to buy into the security theater. They also want to feel good about their work, so like an AV vendor hyping Mac malware, they believe that even low-value security is important – it’s what they do, day to day. I don’t mean this in an insulting way. There is actually a lot of value in screening, although certain TSA technologies and practices are basically pointless. When you are in the trenches, it is often hard to divest yourself emotionally and to understand the differences objectively. I’m fairly certain that many of our fine readers enforce plenty of IT security theater (especially when it comes to passwords), so you all know what I mean. As a guy who used to hand-search thousands of concert and football attendees, I get it.
What about the flying public? The only thing we can control is the political environment, and if we aren’t going to hold our elected officials responsible for their economic foibles we certainly aren’t going to vote based on who will change the TSA.
So our politicians really have nothing vested in reducing security theater. We have executives and appointees who see only a downside to reducing it, because public complaints don’t really affect them. And they are motivated to double down when challenged so they seem ‘decisive’ and knowledgeable. Last we have the staffers who just want to keep their jobs and go home without feeling like asses.
It’s all risk/reward, and the odds certainly do not favor the flying public. Until the political climate for security theater becomes untenable nothing will change. And that won’t happen as long as we have 24-hour news channels and talk radio.
Oh – and this all applies to CISPA, and whatever else is pissing you off today.
On to the Summary:
Webcasts, Podcasts, Outside Writing, and Conferences
Favorite Securosis Posts
- Adrian Lane: Vulnerability Management Evolution: Value-Add Technologies. This is the type of graphics we need more of.
- Mike Rothman: Understanding and Selecting DSP: Use Cases. In case some of the theory behind DSP wasn’t clear, these use cases should clarify things. This was a great series.
- Rich: Mike’s Privileged User Management paper – this is heating up.
Other Securosis Posts
- Incite 4/25/2012: Drafty Draft.
- Watching the Watchers: Integration.
- Vulnerability Management Evolution: Core Technologies.
- Vulnerability Management Evolution: Value-Add Technologies.
- Vulnerability Management Evolution: Enterprise Features and Integration.
Favorite Outside Posts
- Mike Rothman: Motherless Children (buy it now!). Our friend Dennis Fisher published a novel. You can buy it on the Kindle and within a week or so you’ll be able to buy a paperback version. I’m getting my copy this weekend. You should too.
- Mike Rothman: The Mystery of the Flying Laptop. We all get security theater. Nice to see a mass market pub lampoon the idiocy of flying with electronics in the US.
- Rich: Bill Brenner on the TSA – tying into my intro.
Research Reports and Presentations
- Watching the Watchers: Guarding the Keys to the Kingdom.
- Network-Based Malware Detection: Filling the Gaps of AV.
- Tokenization Guidance Analysis: Jan 2012.
- Applied Network Security Analysis: Moving from Data to Information.
- Tokenization Guidance.
- Security Management 2.0: Time to Replace Your SIEM?
- Fact-Based Network Security: Metrics and the Pursuit of Prioritization.
Top News and Posts
- Mozilla Weighing Opt-In Requirement for Web Plugins. This is already available, if you use the Add-on tool to keep all this stuff turned off.
- US and China conduct cyber-war games.
- Hotmail Password Reset Bug Exploited in Wild.
- Critical 0day in Oracle.
- Backdoor implanted in control system.
- Lisabeth Salander-like hacker-hero featured in new thriller. Are you noticing a trend today?
Blog Comment of the Week
Remember, for every comment selected, Securosis makes a $25 donation to Hackers for Charity. This week’s best comment goes to CJG, in response to Watching the Watchers: Access to the Keys (to the Kingdom) – New Series.
There are many solutions out there for identity management and access control, almost all of which are software bits installed on the servers themselves. What I have found is that most if not all (yet to find one that doesn’t have this P-User hole) software-based tools only manage the “logged in” user. In the case of Windows servers many of the tools watch the Windows user account you are logged in with; unfortunately, if you then connect to a DB with SA credentials you are now outside the awareness of the tool. SA in MS SQL is dangerous because of xp_cmdshell: you now have system access to run any command line kung fu you can Google. This is true with most DB software, MS SQL being the biggest eyesore I’ve come across so far.
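As an added example (not part of CJG’s comment or the Securosis post), here is the T-SQL a DBA or privileged-user-management engineer can run on a SQL Server instance to check for and narrow the gap CJG describes: whether xp_cmdshell is reachable, who holds sysadmin (every one of them is SA-equivalent and invisible to a tool watching the Windows logon), which live sessions authenticated with a SQL login rather than a Windows identity, and a server-side audit so the record does not depend on an agent that only sees the OS user. The audit name and file path are assumptions for illustration.

```sql
-- Added example, not code from the original page. Audit name and file
-- path below are assumptions; adjust for your instance.

------------------------------------------------------------------
-- 1. Is xp_cmdshell reachable at all? value_in_use = 1 means enabled.
------------------------------------------------------------------
SELECT name, value, value_in_use
FROM   sys.configurations
WHERE  name = N'xp_cmdshell';

-- Turn it off. Any sysadmin can turn it back on, so this is a speed
-- bump, not a boundary; the real control is limiting who is sysadmin.
EXEC sp_configure N'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure N'xp_cmdshell', 0;
RECONFIGURE;

------------------------------------------------------------------
-- 2. Who holds sysadmin? Each of these is "SA" as far as the OS-level
--    privileged-user tool is concerned, i.e. not seen at all.
------------------------------------------------------------------
SELECT p.name, p.type_desc, p.is_disabled, p.create_date
FROM   sys.server_role_members rm
JOIN   sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN   sys.server_principals p ON p.principal_id = rm.member_principal_id
WHERE  r.name = N'sysadmin'
ORDER BY p.type_desc, p.name;

-- Disable the built-in sa login; do admin work through named Windows
-- logins so the DB identity and the OS identity the tool watches match.
ALTER LOGIN sa DISABLE;

------------------------------------------------------------------
-- 3. Live sessions that used a SQL login (no Windows identity) and are
--    sysadmin. nt_user_name is NULL for these. host_name and
--    program_name are supplied by the client and can be faked; attribute
--    the session by the socket address in sys.dm_exec_connections.
------------------------------------------------------------------
SELECT s.session_id,
       s.login_name,
       s.original_login_name,
       s.nt_user_name,            -- NULL for SQL authentication
       s.host_name,               -- client-supplied, not trustworthy
       s.program_name,            -- client-supplied, not trustworthy
       c.client_net_address,      -- taken from the TCP connection
       s.login_time
FROM   sys.dm_exec_sessions s
JOIN   sys.dm_exec_connections c ON c.session_id = s.session_id
WHERE  s.is_user_process = 1
  AND  s.nt_user_name IS NULL
  AND  IS_SRVROLEMEMBER(N'sysadmin', s.login_name) = 1
ORDER BY s.login_time;

------------------------------------------------------------------
-- 4. Record every login, every sysadmin membership change and every
--    change to the audit itself on the server, where no OS-level agent
--    is needed. Server-level audit specifications are not Enterprise-
--    only on current versions, but check your edition.
------------------------------------------------------------------
CREATE SERVER AUDIT Audit_PrivilegedLogins
    TO FILE (FILEPATH = N'D:\Audit\')          -- assumed path
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO
CREATE SERVER AUDIT SPECIFICATION Audit_PrivilegedLogins_Spec
    FOR SERVER AUDIT Audit_PrivilegedLogins
    ADD (SUCCESSFUL_LOGIN_GROUP),
    ADD (FAILED_LOGIN_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),
    ADD (AUDIT_CHANGE_GROUP)
    WITH (STATE = ON);
GO
ALTER SERVER AUDIT Audit_PrivilegedLogins WITH (STATE = ON);
GO
```

Run sections 1 through 3 read-only first (skip the EXEC, ALTER and CREATE statements) to see where the instance stands before changing anything. The point of section 3 is the one CJG makes: once a session is authenticated as a SQL login, the only identity SQL Server has is the login name, so a tool that keys on the Windows account has nothing to correlate against; the connection’s network address and the server-side audit are what is left to tie the session back to a person.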