Thursday, March 27, 2008

Information security vs. Flying an airplane

I live on Long Island, and depending on the wind, right under the final approach paths for John F Kennedy International Airport. The planes pass overhead when their landing gears are extending, which means that they are low and noisy.



While laying in bed, I was listening to them and I could not help but
think that a pilot's job must be very similar to that of a security
professional. Professional pilots on modern airplanes do not spend the
majority of their time flying the plane. Instead, they are constantly
running through scenarios. What can go wrong in the next 20 minutes? If
it happens, what do I do? What is the closest alternative airport to
which I can go in case of trouble? What do I do if I hit wind shear on
my final approach to the runway? Are my instruments giving me correct
readings? Am I following the directions of the air traffic controller?


Pilots are constantly evaluating their equipment, and the area around
it. In itself, that is very similar to what security professionals do.
We spend a lot of time writing policy, implementing controls, educating
users, etc. This phase is commonly known as preparation. We
also spend time reviewing system log files, IDS alerts, application log
files, etc. When we are doing that, we are looking for indications that
our security controls have failed. In other words, we are identifying
weak spots and potential incidents. A professional pilot has his
instrument panel for exactly that reason. His windows are just a
convenient way to get some daylight in; they do not offer much of a
view. Various visual and audible clues generated by his management console will alert him about unusual circumstances.



When we do indeed spot a problem, we jump into action. We execute a
previously planned response, or we improvise on the spot, depending of
the circumstances. Our first priority is to contain the
problem. When a pilot gets warning that one of his engines is on fire,
he will probably shut it down and activate the fire suppression system.
When we identify a machine that has been compromised, we generally
isolate it off the network (or cut power all together to prevent
contamination of the system) and stop malware from spreading further.



The parallel starts being more far-fetched when considering eradication and recovery.
Recovering from a mechanical failure will almost always require a pilot
to land his plane and have a specially trained crew of ground engineers
fix whatever is wrong. I case of a compromised computer system,
recovery and eradication is often done by system administrators who
rebuild a box and by security administrators who will keep a close eye
on possibly returning attackers.



I find thought exercises like this fascinating. I'm not sure where this
thought came from, or why it stuck long enough for me to actually blog
about. Next time, I might contemplate the role of air traffic
controllers, and see if there is an analogy to be drawn there.
Auditors, perhaps? Consultants, maybe?

No comments:

Post a Comment

Please share your view and opinions on what I wrote. In order to maintain quality, all comments will be moderated for merit. Contributions that call me out on statements that appear unfounded, wrong, or simply with which you disagree are highly appreciated and are even encouraged. Spam and 'me too' answers will be ignored.