TSA Breach is a Nightmare for Holiday Travel
This week’s revelation that the Transportation Safety Administration exposed its rules for airport security screening online is outrageous.
As holiday travel ramps up, the possibilities and repercussions are horrifying.
Coupled with the huge rise in information security breaches across many sectors of society, and rampant identity theft, the TSA’s breach sets the stage for potential disaster.
Information-Security-Resources editors have been raising the warning flag for some time: it is inevitable that these pervasive information security breaches will be used for, among other things, terrorism.
The FBI, the Center for Strategic and International Studies (CSIS), and numerous other experts agree on the gravamen of this threat.
TSA’s security blunder occurred during the process of soliciting bids and proposals for a contract, reports Spencer S. Hsu of the Washington Post: “The 93-page Standard Operating Procedures manual went online in redacted form as part of a solicitation on a federal procurement Web site.”
The attempt at redaction was woefully inadequate.
ABC News quotes the former inspector general for the TSA, Clark Kent Ervin: “It obviously gives a road map to terrorists as to exactly how to exploit the weaknesses in our aviation security system.”
The fact that this breach happened during the procurement process does not surprise me.
Having managed contracts / procurement / deals in several industries that handle highly-sensitive information and systems, I found the process to be riddled with gaping holes that left security vulnerable, and that frequently went ignored for years.
Not every transaction that comes through the contracting process is this flawed.
Depending on the culture, training, and will of the organization, many of these transactions are handled appropriately, even when dealing with sensitive and risky issues.
But it takes only one broken security link in the data access chain to expose this interconnected information to terrorists and other criminals.
Most established organizations have decent policies and controls on the books; however, many security gaps happen when the teams or people desiring to push a project through, quickly and on the cheap, are allowed to bypass the controls on which security, and multiple stakeholders, rely.
If these ‘irrational exuberance’ teams, operating under the same mindset that infected our entire financial world with credit default swaps and toxic loans, override the control teams (those charged with understanding and maintaining security), the entire system is left naked to threats.
If the control teams don’t understand the intricacies of transactions and security, or don’t have the will to push back on fatally flawed transactions (not usually a popular position), the system goes rolling along, on the assumption that appropriate protections are in place.
Adequately securing these transactions is not an unmanageable problem.
It is imperative that information fiduciaries get a better handle on this oft-ignored piece of the data access chain. Stakeholders should demand that this security threat be addressed, really damn quick.
* * *
Laura Wilson is a business analyst, software and solutions inventor, and an advocate for information security and better organizational decisions. She provides products and business consulting services in governance / risk / compliance, deal management, litigation analysis, and problem resolution related to highly sensitive systems and data.
The Editors give permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com.