
15.11.10

TSA's "signature-based" security

Infosec analysts have long been lamenting the shortcomings in signature-based security items like traditional antivirus. It would seem that the TSA has somehow managed to latch onto this philosophy even though it isn't working well in IT. Let's take a look at how the TSA is mirroring this with their decisions.

I recently went through security at FLL in Ft. Lauderdale. As usual I was singled out and moved through secondary, or extra, screening. I would say this happens to me 90% of the time and always has. I don't complain and understand the gate agents are just doing their jobs, and I would hope that most folks don't vent on them; they are not the problem. So I get taken out of the metal detector (md) line and moved to the "nekkid machine" (backscatter xray). I am not shy so the backscatter doesn't offend or bother me. While I was in there, I asked the agent if I could see the picture since it was such a hot topic. She stated that the pictures were displayed somewhere remotely and that I had to go stand on the footprints and await instruction. While I was standing there a very professional male agent began to recite the standard pat down procedure that might be necessary if the xray revealed that necessity. He then got the call in his secret service earpiece that I needed to be physically inspected. He performed the pat down just like a cop would and off I went. Altogether it was 10 minutes to get through the line and the TSA folks were great. The problem is that most of this still seems like the illusion of security.

I say this based on a couple of different thoughts or observations. First, I know that I have zero desire to take over a plane. This skews my perception of the procedure but I understand they can't know that about me. I have noticed that there is some discrimination taking place as they cannot perform this same procedure on a Muslim woman. In order to be ethnically sensitive the agents have been told only to check their head and neck areas. We have now arrived at the root of the problem. When you give preferential, or discriminatory, treatment to any group you are doing it wrong. If the plane is in danger then we must put our foot down and say search people regardless of their ethnicity. If you want to do some research and pick the culture(s) that would attempt this type of attack you might become much more efficient. Or don't, I don't really care but you are wasting your time giving me a leg massage.

The TSA signatures are as follows:

Someone once hijacked a plane with a gun = no guns allowed on a plane and everyone has to walk through a metal detector

Someone had a device in their shoe = I have to see everyone's feet at security and put my shoes in a bin (or not in a bin depending on the airport)

Someone had a few ounces of "bad" stuff = I can only have enough shampoo in my bag for three days AND I have to have everything in a Ziploc as if the stuff can be verified visually.

Someone uses a printer cartridge to form an IED = no more printer cartridges

What will happen when someone has a bomb surgically implanted or hidden in an orifice? I don't want an answer really. The point is that these actions and reactions don't quite seem to add up, and over time the reactions seem to escalate. Currently you are allowed to carry enough stuff onto a plane (electronics, liquids, shrapnel) that none of the above measures would stop. I don't want to post any combinations but I can certainly have 7 3oz bottles of almost anything under the sun, a significant amount of batteries, a number of other "toiletries", and keys or other small pieces of metal.

These reactions seem similar to how IT security has decided to work. We wait for a threat to surface, then ban a symptom and wonder about how to kill the root cause. Alternatively, if there is a compliance or regulatory mechanism, we check off the boxes for the least amount of money possible and call it a day. This is tough since most of our companies are trying to make money and security can be very expensive. For the IT security world, I would like to see more technical people getting promoted into management positions with budgetary authority. For the TSA, I have no idea what the right answer might be but good luck and don't follow the signature-based model.
