20 Layers of Security … and One Attack Vector


I knew the TSA blog would yield something for me right when they started it. I didn’t expect this to happen so soon, though. Today they proudly present their 20 layers of security. Twenty! The TSA has twice as many layers of security as the average U.S. worker gets paid vacation days. This is impressive. Look at their diagram for a while. Impressive, marvelous, rainbow-colored, magnificent, fantastic.

But wait, what are those dashed arrows? They are labeled terrorist paths. Let’s take a closer look at the top one. Out of the impressive set of 20 layers, this path hits only two. Now, the sole purpose of having redundant layers of security is to ensure that every possible attack hits at least one of them – and is stopped there. For this path, the latter seems pretty unlikely.

The two layers are labeled Joint Terrorism Task Force and Random Employee Screening. What would it take to get through both? Perhaps not much. The Joint Terrorism Task Forces seem to be some kind of local committees and their members comprise anti-terrorist specialists such as the U.S. Park Police. If these task forces can stop terrorist attacks then I fail to understand how they would achieve this.

The other layer – our final hope! – seems even weaker. Random Employee Screening, as a security measure, has two obvious weaknesses. It is random, so there is a good chance of getting through at least once if you try several times, and it applies only to employees who have access to sensitive areas of an airport.

Twenty layers of security can be pretty useless, can’t they? To be clear, I understand that the TSA’s illustration is not meant to be taken literally. It represents a general concept, and there may be no attack path in reality that corresponds to the arrow discussed here. Yet, this is a good example of the pitfalls of security. Stacking layers is useless if there are attack paths that avoid a major portion of your stack and break what remains in their way. Don’t let impressive numbers deceive you.
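The argument can be checked by auditing each path on its own instead of counting layers. The Python sketch below is an added example, not part of the original post: the stop probabilities, the 18 generic layer names and the three paths are constructed for illustration, and layers and attempts are assumed to be independent.

```python
from math import prod

# Constructed model: two layers named in the post plus 18 generic ones.
# Stop probabilities are illustrative assumptions, not TSA data.
LAYERS = {f"layer_{i:02d}": 0.5 for i in range(3, 21)}
LAYERS["joint_terrorism_task_force"] = 0.1
LAYERS["random_employee_screening"] = 0.2

# Hypothetical attack paths, each listed as the set of layers it crosses.
PATHS = {
    "path_full": set(LAYERS),
    "path_mid": {f"layer_{i:02d}" for i in range(3, 11)},
    "path_top": {"joint_terrorism_task_force", "random_employee_screening"},
}


def pass_probability(path, layers=LAYERS, attempts=1):
    """Chance that at least one of `attempts` tries crosses every layer on the path.

    Assumes layers and attempts are independent.
    """
    single = prod(1.0 - layers[name] for name in path)
    return 1.0 - (1.0 - single) ** attempts


def audit(paths=PATHS, layers=LAYERS, attempts=1):
    """Return (name, layers crossed, residual risk) rows, worst path first."""
    rows = [(name, len(p), pass_probability(p, layers, attempts))
            for name, p in paths.items()]
    return sorted(rows, key=lambda row: row[2], reverse=True)


def weakest_path(paths=PATHS, layers=LAYERS, attempts=1):
    """The stack is only as strong as the path with the highest residual risk."""
    return audit(paths, layers, attempts)[0][0]


if __name__ == "__main__":
    print(f"{len(LAYERS)} layers in total")
    for attempts in (1, 3):
        print(f"attempts = {attempts}")
        for name, crossed, risk in audit(attempts=attempts):
            print(f"  {name:10s} crosses {crossed:2d} layers, residual risk {risk:.6f}")
    print("weakest path:", weakest_path())
```

With these constructed numbers the path that crosses only two layers dominates the overall risk, however many layers the other paths cross, and the residual risk of a randomized check grows with every repeated attempt.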

Another issue with stacking security layers, by the way, is complexity. There are few security measures that are pure in the sense that they always and only increase security. Most real-world security measures have side effects that might be exploitable as means to malicious ends. Even worse than an attack that bypasses security is one that actively exploits the measures in place.


About Sven Türpe

Sven Türpe is a computer scientist. His current research focus is on security engineering methods, techniques, and tools. All opinions expressed in this blog are his own.