At this stage you no doubt have heard about the miraculous emergency landing of US Airways Flight 1549 in New York’s Hudson River. Thanks to the skill, experience and bravery of the pilot and the crew, all 155 people on board managed to get out of the plane safely with relatively few injuries.
So what has this got to do with Information Security, I hear you ask? As the story was breaking and I read the updates on the web and watched breaking news coverage on various TV channels, I was taken aback at how the pilot managed to do such a fantastic job. I then started to think: if we in the Information Security industry adopted the disciplines used in the aviation industry, would we have more secure systems?
When you look at it closely you can see that there are many similarities between the Information Security and aviation industries:
Both are high tech by their nature.
The users of each industry understand very little of how the technology works, they just want it to do what it is supposed to do without putting them in danger.
While both industries use automation extensively, they still rely heavily on human intervention and guidance to ensure everything works as it should.
When there is a failure it can have significant impact, although aviation failures are by their nature more serious as they can result in human casualties.
Both industries attract a high number of ex-military personnel. The pilot of Flight 1549 is an ex-fighter pilot and you cannot go to an information security conference without coming across ex-military or law enforcement personnel.
Yet with all these similarities, within Information Security we tend to see a much higher failure rate. So I began to think why this should be. The answer is really quite simple: discipline.
The aviation industry appears to me to be much more disciplined in every aspect. Within Information Security we have the mantra that security is successful only if the blessed trinity of People, Process and Technology are properly integrated. So let's take a closer look at each of the elements in that trinity.
Aeroplanes themselves are highly designed with a lot of fail-safe systems put into them. Not only that, but they are regularly and rigorously maintained in line with recognised good practices. New models of airplanes are not rushed off the production line with known issues outstanding. Would you get on a plane that was pre-Service Pack 1?
Yet within IT we push new applications and systems into production environments without them being adequately tested and in many cases knowing that there are bugs in the systems. The recent SANS/MITRE list of Top 25 Most Dangerous Programming Errors highlights this approach.
Airplanes are maintained on a very regular basis during which the whole plane undergoes stringent safety testing. Changes to an airplane have to be made in accordance with regulations and strict safety guidelines. Contrast that to how IT systems are maintained or indeed how changes to the IT environment are managed. Change Management has one of the biggest returns for your money when it comes to ensuring the availability and security of your systems, yet very few organisations seem to do this properly, if at all.
Every member of the crew of an airplane must undergo strict training regimes before they are allowed onboard. That training has to be regularly updated and retested. What is more, the training is specific to the task that each crew member does. A flight attendant for example is not qualified to fly a plane; pilots have to be specifically trained on the type of plane they will be flying and gain hours of flight experience before they are allowed to take to the skies.
Yet within IT we do not have the same rigour when it comes to those in charge of our critical systems. It is not uncommon for people to be in charge of systems that they have not received any formal training on, or indeed to be working (read that as winging it) with one vendor’s technology having been trained on that of a completely different vendor.
Each plane crew member is also trained in how to react in an emergency and can do so in an efficient and professional manner. Captain Chesley Sullenberger had the training and experience to react to the emergency on the plane and land it in the Hudson, while his crew had the training to safely evacuate the passengers. Captain Sullenberger then checked the plane twice himself to check it was clear of passengers and crew before getting off himself.
With regards to information security, many organisations do not have an incident response plan that is properly documented, regularly tested and with all staff properly trained in what they should do in the event of an incident. Too many times responses to incidents are haphazard without any clear plan or roles and responsibilities identified. If your company were to suffer as catastrophic an event as that experienced by Flight 1549, would your team have the processes, procedures and training to ensure the event had minimal impact on your systems?
When looking at the users of both industries it appears to me that the aviation industry once again pips information security when it comes to security awareness. Most passengers are aware of what they are allowed to bring onto an airplane and will dutifully herd themselves like sheep as they wind their way past airport security to display their transparent plastic bag of small liquid containers. Passengers also know not to let others take their baggage or bring someone else’s bags onto the plane. In addition, every time a passenger gets on an airplane they are subjected to compulsory security awareness, i.e. flight safety, lecture, which in turn is backed up by easy to understand awareness material located in each seat.
Ever since the events of 9/11, passengers are more likely to report suspicious behaviour of a fellow passenger in case they are a terrorist and indeed will probably tackle someone who is behaving outside the acceptable norms.
Contrast the passenger to the average IT user. How often do your IT users get regular security awareness lectures? How clear are your policies and procedures that people should follow? Are they as easily understood as the not taking liquids onto a plane rule or the airline safety leaflet? What are you doing to ensure users know not to click on attachments or links in emails or insert that USB or CD they found into their computer? How confident are you that your users know not to share their login details with others or how to recognise suspicious behaviour that may indicate their systems are infected or hacked?
Before take-off every person connected with preparing the plane before, during and after the flight has to complete a set of predefined checklists. The ground crew ensure the plane is properly set up, the pilot logs his flight plan, checks his instruments and the plane, while the cabin crew ensures all equipment within the cabin is functioning as it should. Everybody has to go through these checklists before the plane is allowed to take off. Once the plane is in the air the systems are continuously monitored with everything recorded and logged to the airplane’s flight recorder, commonly known as the Black Box. On the ground the airplane is also constantly monitored by air traffic control to ensure it reaches its destination safely.
Although the airline industry is very high tech, it still relies heavily on humans to check and double check everything to minimise the risk of anything going wrong. It seems to me that the airline industry views technology as merely the tools of the trade but it is the human element that ensures everything runs smoothly.
The information security industry is also high tech but seems to rely much more on the technology element and overlooks the human. Shinier tools and vendor promises of silver bullet technology seem to be what we rely on. Checklists and formal procedures are more the exception than the norm.
Another area we are very weak on in the information security area is monitoring. During a flight an airplane is constantly monitored, both by the onboard crew and air traffic control. Feedback from these systems is taken into account and adjustments made where necessary. Monitoring within the information security world is yet another area that many of us do not utilise properly. While we have excellent logging facilities available in our systems to record everything that happens in our environments they are very rarely turned on, and if they are, it always appears that we do not record the right information we need. Key metrics to help the business and management make necessary decisions are not measured. System logs are not properly monitored to create alerts in the event of suspicious activity being detected. How often have we seen IDS systems implemented and then turned off because of lack of proper configuration? How often do we hear about breaches that have occurred where if the affected company had been monitoring their systems properly they would have detected the attack much earlier?
Time for Some Discipline
It has taken the airline industry a long time to get to where it is today. Many hard lessons had to be learned from serious disasters to ensure they would not happen again. But thanks to those efforts air travel is now the safest form of travel. To get to this level required discipline, and lots of it. So I think it is time that we as a profession and an industry raise the bar and instil a lot more discipline into how we do things.
We need to ensure that everyone, from developers, to infrastructure management, to information security professionals, to senior management and of course the users are more disciplined in what we do and how we approach protecting our data. By disciplining ourselves to do some of the basic chores there are many quick wins that we can put in place that will raise the bar.
Discipline yourself to review the checklists that you currently have and ensure that they cover all the key elements that should be checked daily, weekly, monthly, quarterly and yearly. Once you have those checklists in place make sure the discipline is there to ensure they are completed when they should.
With regards to information security policies you need to have the discipline to regularly review them, constantly monitor compliance with the policies and to deal with any non-compliance in a fair and consistent manner.
You should ensure that those managing the network infrastructure are disciplined enough to regularly monitor key systems and ensure that everything is patched and configured in a secure manner.
Instil the discipline in your organisation to develop and implement, or review existing, change management and incident response processes and procedures. Once these are in place make sure the discipline is there to regularly review and test them to ensure they operate as they should, and always look for ways to improve.
Discipline is a small word but if used correctly you can become a Captain Chesley Sullenberger of information security.