United Airlines seems to be lurching from one bad PR story to another. This time, a United Airlines flight attendant accidentally posted the keypad access codes for airplane cockpit doors on a public website. The Wall Street Journal revealed the story, but did not identify the website or online forum where the codes were posted. Based on the available information, it appears the code leak was unintentional – pilots and flight attendants regularly use online forums such as Facebook groups for general discussion. This time, however, one flight attendant took the discussions a bit too far.
This was a significant breach of security without a hacker in sight. Just another case of the biggest security risk and the weakest link in the security chain – the human element.
Airlines have maintained strict access control to the flight deck ever since 9/11. The keypad code alone would not necessarily grant access. The captain must also visually validate the person requesting access and only then unlock the door. Using the correct keypad codes does not entitle anyone to enter the flight deck. Access can be declined by the captain. United moved immediately to change all their cockpit door access codes and avoid the possibility of exploitation.
This story highlights the importance of staff training in the chain of ownership and control of security information, as well as regular training and refresher courses.
How significant is the human element in security procedures?
The alarming fact is that the human element contributed to 95% of all security incidents recorded globally by IBM in their Security Services 2014 Cyber Security Intelligence Index. The most common failures are opening unsafe email attachments, clicking on an unsafe website link, weak and easily identifiable passwords, losing laptops and mobile devices, failing to keep software up to date or apply security patches, and so on. Humans quickly become blasé and bored by routine, losing sight of the rationale for maintaining alertness and sticking religiously to security procedures.
There is also an element of laziness, forgetfulness and the “it can’t happen to me” syndrome.
Planning for the human element in security defenses
Humans design the assets and facilities that security systems protect. They then design the security defenses around those assets, which are then used by humans. Humans make mistakes all the time and this critical characteristic needs to be addressed by security design, implementation and training.
The most effective remedy is frequent and relevant refresher training. Frequent and very short bursts that focus on a particular aspect of security work best and are least disruptive. The more dramatic and memorable they can be made, the better. The objective is to ensure, as much as possible, that the subject remembers this training at the point where it is needed. For example, when entering a door keypad access code, ensure that nobody can see the code being entered. It is the simple routine things that humans fail at, as time goes by.
The role of government in protecting human lives
The United Nations Human Security in Theory and Practice covers a much wider scope of what constitutes security, of course. However, it does acknowledge that “human security threats cannot be tackled through conventional mechanisms alone”. Governments have a duty to protect their citizens. While national security, anti-terrorism and highly visible security measures such as airport security screening are vital components, so is the education of the man and woman in the street. In wartime, the slogan was “Careless talk costs lives”. While not as dramatic, carelessness is the biggest threat to security defenses of all types and at all levels.
Governments can do more to raise public awareness of the need to maintain a simple but effective level of vigilance. Human security failings that lead to breaches cost money, reduce consumer confidence in technology, and are an attack vector for foreign and criminal hostiles. National security starts at home.