Subscribe to RSS - IQinVision


Will the government revamp aviation security? Tom Ridge and other experts make recommendations in new report

Thursday, March 17, 2011

Complaints about aviation security will never end. Whether it's pissed off pilots or alleged high-doses of radiation from screening devices (certainly worthy of double-checking, don't get me wrong), there's always some sort of drama unfolding in the aviation security space.

Many security professionals would tell you (and have told me, as a matter of fact) that enhanced security measures in airports was a knee-jerk reaction to the events of 9/11. Was it an overreaction? Yeah, probably. But 9/11 was an event that changed the risk landscape in our country forever and made us all realize our gaping vulnerabilities. There are ongoing accusations that aviation security is just "security theater," but I strongly disagree, as I suspect most security professionals would. No one would ever say the Transportation Security Administration is perfect or that it's capable of stopping every person with ill intent. That's an impossible task. The TSA has admittedly gone through some serious trial and error to make the system work, and fails regularly in a very public way. Heck, the agency was so embattled it took a year and five months just to find someone who was willing to run it.

I just read a very interesting announcement that there could be some HUGE security changes coming down the pike. The U.S. Travel Association just finished up a year-long analysis of ways to improve air travel security and screening procedures. In case you're not familiar with this organization, they're a 2,100-member organization that "leverages the collective strength of those who benefit from travel to grow their business beyond what they can do individually" (which would mean pretty much any company, right?).

Recommendations based on this study were released in a report titled “A Better Way: Building a World Class System for Aviation Security.” An important recommendation to Congress was the need to authorize TSA to implement a new, voluntary, government-run trusted traveler program that utilizes a risk-based approach to checkpoint screening, with the goal of refocusing resources on the highest risk passengers. I think that would be smart and a lot of businesses would support bringing back a trusted traveler program for frequent travelers.

Also, an extremely important measure was in regards to the procurement of technology. With the ongoing debacle of whole-body imaging, the panel suggested that the TSA should develop a comprehensive strategy for implementing necessary checkpoint technology capabilities and that Congress should provide multi-year funding plans for TSA to execute this strategy. This kinda seems like a no-brainer, but apparently it isn't.

I thought the mention of developing risk-management methods and tools, while a very vague statement, could be critical as well. To me, this means adopting more of an Israeli approach to security. Pretty much every aviation security expert I've ever spoken to has acknowledged that the Israeli's have superior security measures, but such a system just isn't feasible due to the amount of air travelers in the U.S., especially if the goal is to IMPROVE efficiency for passengers. I understand and agree with that, but think the TSA could stand to improve its behavior detection training and other methods to identify travelers who may pose a risk (it's not profiling people, so just stop saying it).

Anyway, just to put an exclamation point on the report, here's what former Department of Homeland Security Secretary Tom Ridge, who was also a chair of this panel had to say: “A strong aviation security screening system must feature several characteristics, including efficient methods of deterring and interdicting terrorists and criminals; tailored security based upon risk assessment; frequent, clear communication with the traveling public; and cost-effective use of resources.”

Will anything come from this report? Hard to say not knowing.

The dangers of permitting students to have guns on campus

Wednesday, March 9, 2011

I recently blogged about legislation headed to the Oklahoma House that would allow students and faculty to carry concealed weapons on university and college campuses. Not long before that, I wrote about similar legislation coming out of Texas.

Apparently, there are more than a dozen states considering legislation that would allow professors and students to bring loaded guns into their classrooms, according to this article from CNN.

The article is written by Amitai Etzioni, a sociologist and professor of international relations at George Washington University and the author of several books, including "Security First" and "New Common Ground."

He said there is an inherent problem with this kind of approach to guns:
The drafters of these bills seem to have an image of peaceful students, bent over their books, suddenly attacked by gunslingers who materialize from nowhere. They ignore that students can and do shoot people on campus.

He argues that there aren't (and probably won't ever be) measures to ensure that mentally unstable people don't have access to guns:

And if it were ever created, I expect the National Rifle Association and various state legislatures would strenuously oppose submitting millions of students and professors, or anyone else, to such a test before they could purchase a firearm.

And there's also the issue of allowing students, specifically, to carry weapons. I may be generalizing here, but I'm pretty sure college students tend to drink more than other age groups, and, it's my fair opinion that alcohol and guns just don't mix (although don't get me wrong, I love beer camp, I mean, deer camp just as much as the next New Englander). So, I think he has a good point, the student body is a typically volatile group of people:

Worse, long before anyone storms into a classroom, some students will use their guns -- when their anger boils over, when they have one drink too many or their girlfriend makes out with someone else -- to shoot someone.

His argument is to make guns less accessible, not more. After all, he writes: "Nobody can kill 16 people from a clock tower with a knife."

What do you think? Would allowing students to carry guns make campuses more or less safe? What about campus security? Would it be more difficult to secure a campus knowing students may be carrying weapons?

Inspired by 9/11, this device helps people escape buildings

Friday, March 4, 2011

Hard to believe the 10-year anniversary of the 9/11 tragedy is coming up this fall. When I met with Louis Barani, security director of the World Trade Center, during ISC Solutions this year he talked about some of the events planned to recognize the anniversary in addition to all the work being done to secure the new buildings and memorial site. If you missed that story, you should check it out here. It was an awesome tour.

Anyway, this story in the New York Times caught my eye today. A man has designed a personal escape harness, called the Rescue Reel, which was inspired by the victims who jumped from the World Trade Center. To escape buildings, people strap themselves into the harness, lock the reel to a stationary point like a door frame and gently propel themselves to the ground, according to the article. The Rescue Reel retails for about $2,000.

Do you think this is something corporations would consider adding to their safety devices? Does the procurement of equipment like this fall under the purview of the security department?

TSA supervisor gets busted for helping smuggle 200 pounds of marijuana

Thursday, March 3, 2011

Sometimes people's stupidity astounds me. While I try not to add to the sensational nature of much of the mainstream media's focus on the Transportation Security Administration, I couldn't let this one slip by. Here's a story from the New York Post about how a TSA supervisor who is accused of helping a man bypass airport security measures in order to smuggle cash and 200 POUNDS (!) of marijuana out of the state:

Behavior detection officer Minnetta Walker, 43 — whose position gave her free reign at the airport — used her status to help drug boss Derek Frank’s gang avoid full body scanners, luggae x-ray machines and secondary screening at the gates, authorities said.

First of all, I can't even imagine what 200 pounds of pot must look like. That's got to be at least several suitcases worth, right? I just don't understand how people think they could get away with such things, inside help or not. According to the article, Walker had been involved in such illegal activity since February 2010 and was only caught after she was wiretapped. But once again, more bad publicity for the TSA. It's pretty clear this agency will never be the recipients of good press, but I'm pretty sure John Pistole knew that going in.

Canadian government gets hacked. How secure is your network?

Thursday, February 17, 2011

One of the hottest topics at this year's TechSec Solutions conference was the issue of cybersecurity. While it's traditionally the role of IT security to protect a company against cyber attacks, security practitioners have a role to play as well. During his keynote address, Gareth Webley had an interesting point:

"Physical security devices on the network must have the right information security controls. I've found that physical security devices that are IP enabled without the right information security measures are more dangerous than not putting anything on the network."

(You can read more details about his keynote address here.)

In other words, he thinks it's more risky for an organization to put a non-secure video camera on the network than not to have that camera in place at all.

During TechSec, I talked to several attendees about the challenges of educating employees about cybersecurity. One of them told me a story about how one of their executives divulged private information, including login and password information that compromised the company's network. Talk about an IT security manager's nightmare.

Well, apparently even high-ranking government employees are equally susceptible. I just read this CNN story about how two Canadian government agencies were hacked in January due in part to employee negligence:

The hackers took over computers in the executive offices of the Finance Department and the Treasury Board, unnamed sources told the network. They then sent fake e-mails to government computer techs and other employees to get them to divulge sensitive passwords in a technique known as executive spear-phishing.

Apparently, Canadian officials disabled the two departments' internet connections for a time to halt any loss of data, but that's what I would tell the public and media, too. The article suggests China was involved, which is no big surprise.

How worried are you about cybersecurity? Do you think your organization is doing enough to educate employees about security protocol? What's the role of physical security in this or is it just the IT department's problem?

FBI says no-fly list isn't as long as people think

Thursday, January 27, 2011

On a recent business trip I sat next to a gentleman who told me he was on a government watchlist. Trying not to look nervous and in my head debating whether or not I should ask for a different seat, I asked him how he knew this. He said every time he went through security he was pulled aside and subjected to secondary screening. The man was obviously a seasoned business traveler and he said after the fourth or fifth time he started telling TSA officers that he was on the list. They immediately pulled him aside, screened him, and sent him on his way. "It's great," he told me. He hasn't waited in a security line since.

Well, few of us would have the same sentiment about being included on a government watchlist, especially the no-fly list. I just read an article on NPR that the FBI is saying the list isn't as long as people think:

"About 10,000," said Timothy Healy, director of the FBI's Terrorist Screening Center, which maintains the list. "And [the number of] U.S. citizens on the no-fly list is even much smaller, between 500 and 1,000."

But, the government won't say who is or is not on the list. Douglas Laird (also of SDN fame) told NPR that the system isn't perfect—and would-be terrorists can get around it.

"If that person is a professional, it's too easy to change an identity, so for that reason I wouldn't put a lot of faith in the system," Laird says.

I think having such a system has its place - there are certainly people we don't want on planes - but like every other system, there needs to be checks and balances. Intelligence gathering is probably the most challenging, and, also one of the most important tasks for federal agencies and it has to continue refining such systems to make sure it only hinders the bad guys. And, the government also has to expand training so personnel can spot suspicious behavior or activity and people who aren't on such watchlists are still identified and scrutinized.

Moscow airport bombing is a stark reminder of what aviation security is up against

Monday, January 24, 2011

As I continue to read reports coming in about the bombing at the Domodedovo airport in Moscow, I can't help but think that this should serve as a reminder to the public and aviation practitioners alike about what we're up against when it comes to securing the world's airports.

The latest news reports say 35 people have been killed and more than 100 injured from the blast that detonated in the international terminal at Moscow's busiest airport. Russian authorities are treating this as a terrorist attack, but no parties have yet taken responsibility for the attack.

Some are saying that this attack is evidence that Russia hasn't taken security seriously enough despite previous attacks:

Leonid Mlechin, an independent journalist who covers security issues, says the return of terrorism to Moscow shows that Russian security forces have failed to address the lessons of past terrorist attacks.

"This is a serious failure of special services," he says. "No one can carry out such acts alone. He needs to be trained, equipped, and supported by an organized group. Our intelligence services have clearly not been able to catch these groups."

While Russia has a long history of violence and unrest, those in aviation security in the U.S. and around the world must remain vigilant against such future attacks.

Security negligence lands 21 in court

Wednesday, January 12, 2011

In recent months I've written quite a bit about museum security, or rather the apparent lack of security at many museums around the world. Remember this story about a $50 million Van Gogh painting being stolen from a museum in Egypt. And this wasn't some late-night, Mission-Impossible type heist, no, the thieves walked in during business hours, moved a couch underneath the painting and simply cut out the painting.

Today, I saw this article that 21 museum officials and employees (including the Deputy Culture Minister) are facing charges of negligence for not adequately supervising employees and not following up on their work:

The Administrative Prosecution also accused the defendants of failing to perform their duties in touring the floors securing the museum, an especially significant failure given their alleged knowledge that the surveillance cameras haven’t been working since 2006.

The museum had 43 cameras in place, but only seven were actually working. And budgets can't be blamed for this one:

The prosecution added that the museum’s maintenance company for security devices hadn’t performed any maintenance in 15 months, which effectively wasted the LE 100,000 designated to the museum for that very purpose.

The prosecution is also stating that the museum misused funds and hired more administrators whose job duties were redundant instead of hiring the necessary security personnel, further putting the security of the museum in jeopardy:

The number of security guards in the museum was reduced from 30 to nine, and that — on most days — that number was further reduced to only one guard on duty.

So, you don't have working cameras PLUS you don't have enough personnel to keep watch over millions of dollars worth of artwork? Um, yeah, I'd say there's some negligence here.

Public doesn't like bag inspections on D.C. Metro. Where's the middle ground?

Friday, January 7, 2011

It was only in November that I wrote this story about Tom Ridge's comments regarding a bombing attempt in the D.C. Metro. Basically, Ridge said that no matter what measures are put in place to secure public transportation, the risk remains high. But, better some security than none, right? Recently the Metro announced it has begun conducting random inspections of carry-on items.

“This adds another layer of security to our system,” said MTPD Chief Michael A. Taborn, in the article. “The program will increase visible methods of protecting our passengers and employees, while minimizing inconvenience to riders."

Well, apparently the inconvenience has become too much. I just read this article in The Washington Post that the Metro Riders' Advisory Council voted overwhelming for a resolution that will ask the Metro board to suspend bag inspections and consult with the public about transit security policy. Some members of the council said that the inspections are unnecessary because there are no credible threats to the transit system. Um, well, no threats except that guy who said he wanted to blow it up, right?

But, apparently the inspections are only suppose to take a few minutes and are fairly non-intrusive:
Police will randomly select bags or packages to check for hazardous materials using ionization technology as well as K-9 units trained to detect explosive materials. Carry on items will generally not be opened and physically inspected unless the equipment indicates a need for further inspection.

I know the public probably finds the inspections annoying more than anything, but there's got to be something in place to deter the crazies. Let's work to find a middle ground and not just kill the inspections, people. It's for your own good.

From "cooked rabbits" to fake White House emails - Welcome to the new year

Wednesday, January 5, 2011

Welcome to the new year. I took a week-long break from the working world, and I must say, it was wonderful. I actually unplugged myself for the most part, too, thanks to spotty cell phone coverage in northern Vermont and my parent's barely-better-than-dial-up satellite Internet. I highly recommend disconnecting, if even for a few days, it's very rejuvenating.

But now we're back and there's so much to catch up on. I'm getting excited for our upcoming conference, TechSec Solutions, which focuses on IP security technology. Our line up of speakers is looking great, covering everything from retail to critical infrastructure. For 2011 we're focusing largely on real-world situations and panels will be discussing ways that security folks have solved their biggest challenges by leveraging IP technology. The event is happening in Delray Beach, Fla., February 13-15th (can't beat Florida in February, now can you?).

In other news, things were somewhat quiet over the holidays (or compared to last year's Christmas Day bomber fiasco anyway). I've seen a few bizarre security stories come across my radar including this story about a man who accidentally butt-dialed his wife who thought he was being held hostage and called the police who then sent in the SWAT team. Oops.

Maybe you missed this story about a Yankee Stadium security guard who tried to get through airport security claiming he had "cooked rabbit" with him, but upon further investigation he actually had three large bricks of cocaine.

On a serious note, President Obama signed into law the Food Safety Modernization Act, which is the largest overhaul of U.S. food safety laws in more than 70 years. The $1.4 billion legislation makes sweeping improvements to the security and safety of our nation’s food supply and gives the U.S. Food and Drug Administration authority to order product recalls, and requires food manufacturers to keep more detailed food safety plans.

In other White House news, an e-mailed Christmas greeting purportedly from the White House actually contained dangerous malware aimed at extracting sensitive financial data and documents from government employees. Yikes. Wonder what the cybersecurity czar thinks about this?

All in all, the year is off to an interesting start. Here's to hoping 2011 is a hell of a lot better than 2010.