Rants Archives 6 - MSI :: State of SecurityMSI :: State of Security

I read this article this morning about a movement by TSA to create “approved” laptop bags that would allow passengers to go through airport security without removing their laptop from their laptop case.

This appears to be really true. It really isn’t a joke. In fact, at first blush, it might even seem like a good idea. But…

The interesting part is that it is literally only a bag for your laptop. No power cords, media or other devices.

Now I don’t know about you, but I carry a LOT more stuff than just my laptop in my backpack. If you want an example, here is one from an article a while back in ITWorld.

Pack Contents

As you can see, there’s a lot more than my Mac in there.

While the idea of not removing my laptop seems like a good thing to me and I am sure that it would save us all time in the security line in a perfect world, I am completely unconvinced that even the most basic of laptop users only carries their laptop in these things. I can’t imagine that there would be any real time savings as the TSA explains that only “approved” laptop cases bearing the official TSA seal will be allowed and that you can’t have any folders, paper clips or anything else tucked around the laptop… Blah, blah, blah…

Ordinary citizens still can’t seem to figure out if they can take their makeup, water or beer on the flight, let alone whether or not they need to remove their shoes for the not-so-nice man with the badge. I still routinely have to wait behind people asking the same questions and others hopping around like a pogo-stick rider while they unbuckle, untie and wiggle off their shoes/boots/leggings/etc.

How on earth will special laptop bags even have a prayer of saving us time? Even worse, the whole idea of creating the bags, testing them, approving them and controlling counterfeits or unapproved bags with look alike seals – seems to be a place for a HUGE amount of tax payer dollars to get wasted. Can you imagine the large-scale bureaucracy that would take?

I say forget it. Just keep the same process going of laptop removal. It seems a lot easier, cheaper and as Bruce Schneier would remind us – just as useless in terms of real risk reduction anyway….

Everyone else seems to be blogging about it, so why not a “me too” blog from a different angle?

The main security questions people seem to be asking over the last few days are “Why are data theft and compromise rates souring? I thought that regulations like GLBA, HIPAA, various state laws, PCI DSS and all the other myriad of new rules, guidelines and legislation were going to protect us?”

The answers to these questions are quite complex, but a few common answers might get us a little farther in the discussion. Consider these points of view as you debate amongst yourselves and with your CIO/COO/CEO and Board of Directors in the coming months.

What if compliance becomes another mechanism for “doing the minimum”? The guidance and legal requirements are meant to be minimums. They are the BASELINES for a reason. They are not the end-all, be-all of infosec. Being compliant does not remove all risk of incidents, it merely reduces risk to a level where it should be manageable for an average organization. This absolutely does NOT mean, “have some vendor certify us as compliant and then we are OK.” That’s my problem with compliance driven security – it often leaves people striving for the minimum. But, the minimum security posture is a dangerous security posture in many ways. Since threats constantly evolve, new risks continually emerge and attackers create new methods on an hourly basis – compliance WILL NOT EVER replace vigilance, doing the right thing and driving defense in depth deep into our organizations. Is your organization guilty of seeing compliance as the finish line instead of a mile marker?

Not all vendors “do the right thing”. Vendors (myself included) need to sell products and services to survive. Some (myself NOT included) will do nearly anything to make this happen. They will confuse customers with hype, misleading terminology or just plain lie to sell their wares. For example, there are some well known PCI scanning vendors who never seem to fail their clients. Ask around, they are easy to find. If your organization is interested in doing the minimum and would rather pass an assessment than ensure that your client data is minimally protected, give them a call. They will be happy to send you a passing letter in return for a check. Another example of this would be the “silver bullet technology” vendors that will happily sell their clients the latest whiz-bang appliance or point solution for fixing an existing security need, rather than helping clients find holistic, manageable security solutions that make their organization’s security posture stronger instead of the vendor richer….

Additionally, many compliance issues reinforce old thinking. They focus on perimeter-centric solutions, even as the perimeter crumbles and is destroyed by disruptive technologies. Since regulations, laws and guidance are often much slower to adjust to changes than Internet-time based attackers and techniques, the compliance driven organization NEVER really catches up with the current threats. They spend all of their time, money and resources focused on building security postures and implementing controls that are often already ineffective due to attacker evolutions.

Lastly, I would reinforce that there are still many organizations out there that just simply will not “do the right thing”. They believe that profit surpasses the need to protect their assets and/or client data. They do not spend resources on real security mechanisms, fail to leverage technologies appropriately, remain careless with policy and processes and do little in terms of security awareness. There are a lot of these organizations around, in nearly every industry. They do security purely by reaction – if they have an incident, they handle that specific issue, then move on. Since consumer apathy is high, they have little to no incentive to change their ways. The only way to enhance the security of these folks is when everyday buyers become less apathetic and veto insecure organizations with their spending. All else will fall short of causing these organizations to change.

So there you have it. A few reasons why regulation is not working. I guess the last one I would leave you with comes from my 16+ years in the industry – good security is hard work. It takes dedication, vigilance, attention to detail, creative AND logical thinking and an ability to come to know the enemy. Good security, far beyond compliance, is just plain tough. It costs money. It is rarely recognized for its value and is always easier to “do the minimum” or nothing at all…

MSI :: State of Security

Insight from the Information Security Experts

Category Archives: Rants

Your New TSA Approved Laptop Bag????

Bandwagon Blog: Why Isn’t Compliance & Regulation Working?!?