NetSec Letter #13, 23 October 2001
Afterthoughts and Lessons to Learn
Avolio Consulting, Inc.
In my last letter I promised that this month I would take this space to
address security in light of the recent tragedies. What can we learn just
5 weeks after the event? What can we apply to how we address threats and
vulnerabilities in the network security arena? Most lessons reinforce what
we already know. Some remind us that total security doesn't exist in a usable
system, and that "good enough" -- though not always good enough -- is the
best we can do.
The Easy Things
- Security and usability in balance. We are striving for equilibrium.
We want a situation in which we can work while still maintaining a certain
level of security. We want to -- oops, I made a classic error. In security,
we have to care about requirements or needs. We cannot afford to deal with
wants or desires. We need, and our economy needs, to be able to travel long
distances in a short amount of time. We needed to get commercial airplanes
in the air again. We need to be able to travel in such a way that balances
travel needs and security. Do we need to be able to show up at the airport
30 minutes before our flight, and make it to the gate on time? No, we do
not. It is a convenience.
- Less is more. On that morning the FAA ordered all planes flying over
the US to divert to the nearest airport. Those of us who live near commercial
airports remember the eerie realization that it was the silence and the
lack of contrails in the sky that was so disquieting. Ratchet up the level
of security to 100%, and you get what we had for airline travel in the few
days after the attack. You do this in time of emergency. How do we know the
good guys from the bad? How do we know which jetliners might be considered
missiles? Get the good guys out of the sky. The principle demonstrated is
important. The fewer potential attack agents, the fewer avenues of attack,
the easier your task of protection and detection can be.
- Know the enemy, know the risk. Fairly quickly the US government suspected
Osama bin Laden and the al-Qaeda terror network. Fairly quickly some people
in the US turned their anger on immigrants -- in some cases, fellow citizens
-- who looked like they might be from the Middle East. We cannot defend
our homeland effectively if we waste time and effort perpetrating crimes
against law-abiding visitors or fellow Americans. We cannot defend our networks,
and so our businesses, if we don't know what the threat is, from whence
it might come, and how likely it is to happen.
- The insider risk. We know this very well. Inside attackers have it
made. Insiders have more access, usually more trust, and so the potential
damage is greater. Sometimes just being an employee, having the right badge
perhaps, gives someone universal access. An attack is always easier if you
are already inside. The terrorists were ticketed passengers. They did not
have to force their way onto the planes in mid-flight. Also, there is evidence
that some used, or attempted to use, false credentials and airline pilot
The Harder Things
- In network security, threat postulation is a guessing game. We always
make educated assumptions. Sometimes we get them wrong. Prior to September
11, procedures for dealing with an attempted hijacking of a commercial
jetliner assumed that the hijacker wanted to live. Should we protect our
networks against all possible threats? Can we? First, the easy answer: "no,
we cannot." Somewhat harder is the answer, "no, we should not." Typically,
we cannot afford it. Not for our networks, not for our national monuments
and skyscrapers. We cannot do it 100% and still be free. So we make tradeoffs.
For our network security, we sometimes allow for a less secure posture in
the interest of what we judge is a more important requirement. Furthermore,
some would argue that until the threat is actuated, until it occurs for
the first time, it does not exist.
- Network security remedies must be effective, not just look effective.
If not, they are useless and a waste of money. In the aftermath of the
attacks, there were (again) discussions of banning or severely curtailing
the use of cryptography because perhaps the terrorists used cryptography
to keep their plans secret. Changing crypto laws in the US, or worldwide
-- were such a thing possible -- will not keep cryptography out of the hands
of bad guys.
- They must be relevant; they must address the problem. A friend reported
that United Airlines First Class was using plastic utensils. My wife had
to break off and hand over the 1" metal nail file from her fingernail clippers
to get through airport security at BWI. Because a metal serrated knife
is an effective weapon? Because they have been used by hijackers in the
Because a nail file is dangerous? No. I fear it is because we have
fallen into the trap of
"if we don't know what to do, do something anyway."
A 2-hour line to get through security certainly makes it
seem like something is being done.
Yet I suspect no one is requiring people to leave their rollerball
pens behind.
So, remedies must protect your systems, and not just
be for show.
(Okay, sometimes doing something "for show" is justified and
useful, but we must never start believing that it is for any other real
purpose lest we start depending on it for real security.)
- Remedies also must support the business requirements. No one has suggested
it, but the obvious way to make sure this never happens again is to ground
all high-speed commercial air traffic forever.
- Remedies should make things more, not less secure. We add devices and
technologies to our networks with the idea of making them more secure. Sometimes
it works. There has been discussion in the past few weeks about an
option to shoot down commercial aircraft rather than face such a disaster
again. The question has been asked, could faster scrambling of interceptor
fighters authorized to shoot have averted the disaster at the WTC or Pentagon?
Weighty questions. The question of whether you sacrifice hundreds of people
in order to save thousands is not so hard.
"Where do you drop a 757 flying over Manhattan?" is more difficult.
We do not have the technology to cause a plane to avoid populated
areas after we shoot it down.
Promotions, Self and Otherwise
- Dave Piscitello wrote about air travel security in the September
14, 2001 TISC Insight (Volume 3, Issue 17) at
- On the same date, Bruce Schneier in his CRYPTO-GRAM wrote, "Both
sides of the calendar debate were wrong; the new century began on 11 September
2001." Find it at
- I wrote a column for WatchGuard called
"From Zero to Expert in Your 'Spare Time',"
and you can find it on my web page at
- I comment on the -- short-lived, I hope -- renewed crypto debate in
an article at searchSecurity.com. Go to http://www.searchSecurity.com/,
look under "searchSecurity exclusives", and you may find it. You could
try this ugly URL if you are feeling lucky:
- I reviewed an e-mail security product called IronMail (from CipherTrust)
for Information Security Magazine.
It's in the print edition and on-line
- I'll be teaching "Internet Security Tools and Techniques"
for CSI at the DC conference on November 1 and 2.