Photo Credit: Robert S. Donovan via Compfight cc
The air was suddenly alive with the cheerful yet insistent voice of a loud pre-recorded announcement, “Attention Please! Attention Please! Do not leave any of your belongings unattended. Unattended bags will be confiscated for search and possible destruction.”
Unexpectedly I was confronted by a policeman who told me to stop, and pass to his left. I was confused, as he met me in a nearly empty and rather wide passage in this major airport which I was traversing. He did not explain why, but he was firm, and I complied. As I passed by and looked around the next corner past him, I saw yellow caution tape fencing off an elevator, with a guard standing by, and an unattended knapsack on the floor in the middle of the fenced area.
I wondered what would become of the knapsack, and what had already become of its owner. Had the owner mistakenly lost the knapsack off a tall pile of bags on a pushcart? Or perhaps the owner suddenly became ill, and in asking for assistance ended up leaving the knapsack behind? Or most ominously, was this the case the procedures are designed to manage – a dangerous device intentionally left to cause mayhem?
Such a bag may be placed in a suitably sized portable blast container, and removed for examination or detonation. This removes the threat to the public, and provides an opportunity for further analysis or destruction of the bag depending on the perceived threat. In any case, the owner of the bag is not likely to receive it back in a timely manner, if at all.
In information security there are similar capabilities available to determine if content is malicious or poses a threat to recipients or processing systems. These tools can segregate email attachments, downloads and other content in isolated computing environments. The content can then be subjected to a variety of inputs or conditions, such as code execution in a segregated virtual machine. This provides an opportunity to identify malicious behavior in the computing equivalent of a “blast-resistant container” such that no collateral damage occurs in the computing environment.
The best part of such a virtual “bomb disposal” approach is that if the content is determined to be clean, the original recipient can receive it with no more than a slight delay. That is definitely not the case for the unattended knapsack at the airport.
Both physical security and information security have much to gain from the concept of a bomb disposal unit. Looking to similar circumstances in the physical world can often give us clarity regarding effective controls to apply to computing environments.