I risk being assaulted for saying this, but Roberts is not the bad guy here. He told the airlines what the hole was and they chose to either not believe him or at least play dumb. The only way to prevent real bad guys -- actual terrorists -- from doing this is for Roberts to do it himself. Why do companies refuse to take security holes seriously?
A few years ago, a security specialist at one of the largest big-box chains described a straightforward ROI mechanism that is used to decide which security holes and bugs get IT attention and which do not. Given that there are always IT projects that the team doesn't have time for, triage is being done constantly.
With security, the questions include: Realistically, how much fraud -- in terms of dollars -- is likely to result from this issue near term? How many hours of IT work will it take to fix? How much revenue will be likely generated from whatever project has to be put on hold to make room for this fix? Which execs are behind which projects? (There were other issues too, such as "Who is our boss angry with this week?" and "Who do we owe a favor to?")
The problem with using those kinds of questions to arrive at a project ROI is that they don't consider other factors. Let's say, theoretically, that a security hole was projected to result in $100,000 worth of fraud while costing $200,000 worth of IT time to fix. By that arithmetic alone, the fix gets deferred. The missing factor is the media. Even if the fraud is small, coverage in the news media and social media will leave a far greater number of people worried.
In the case of the airplane, will consumers actually avoid using the kind of aircraft susceptible to this attack? If travel sites make it easy to do so -- "Show me all flights that do not use planes from these two aircraft manufacturers" -- I think this one has potential. If a bad guy can steer the plane -- even briefly -- the consequences could be devastating. What if it's done at a crucial instant during landing? What if the attacks are coordinated and two planes are quickly turned to collide?
If an engine can be taken over, Airbus and Boeing have some explaining to do. The explaining is not about how this hole was allowed to exist. It's why it wasn't dealt with the instant this security guy screamed about it.