Talk for the 50th Annual ASIS Conference, Sept 26-30, 2004 (Dallas, TX). Show Your Vulnerable Side: How to do a Vulnerability Assessment. Roger G. Johnston, Ph.D., CPP Vulnerability Assessment Team Los Alamos National Laboratory 505-667-7414 firstname.lastname@example.org
Roger G. Johnston, Ph.D., CPP
Vulnerability Assessment Team
Los Alamos National Laboratory
The VAT has done detailed
vulnerability assessments on
hundreds of different security
devices, systems, & programs.
The greatest of faults, I should say,
is to be conscious of none.
-- Thomas Carlyle (1795-1881)
This talk will focus primarily on vulnerability assessments of physical security, but presumably many of the ideas and principles also apply to other types of security such as:
Better be despised for too anxious apprehensions,
than ruined by too confident security.
-- Edmund Burke (1729-1797)
physical security: trying to protect valuable, tangible assets from harm.
Examples of assets needing protection:
Security Guard: “Don't make me take off my sunglasses!”
-- From the movie Bringing Out the Dead (1999)
The “harm” that we wish to avoid might involve:
The ultimate security is your understanding of reality.
-- H. Stanley Judd
vulnerability assessment (VA): discovering and demonstrating ways to defeat a security device, system, or program. Should include suggesting counter-measures and security improvements.
He that wrestles with us strengthens our skill. Our antagonist is our helper.
-- Edmund Burke (1729-1797)
Before thinking about how to assess physical security, we need to recognize that it is difficult and there are no guarantees of success.
Especially because complacency, over-confidence, wishful thinking, and arrogance are not compatible with good security.
Danger breeds best on too much confidence. -- Pierre Corneille (1606-1684)
Cost/Benefit analysis is difficult.
There are few meaningful standards, fundamental principles, models, or theories.
Everything is a compromise & a tradeoff.
Why Physical Security is So Difficult
There is always more spirit in attack than in defense.
-- Titus Livius (59 BC)
Security managers & personnel aren’t always creative or proactive, but adversaries may be.
Adversaries and their resources are usually unknown to security managers, yet the adversaries understand the security systems.
Society & employees often do not like security.
Why Physical Security is So Difficult (con’t)
We spend all our time searching for security, and then we hate it when we get it
-- John Steinbeck (1902-1968)
Adversaries can attack at one point, but security managers may need to protect extended assets.
Adversaries need exploit only one or a small number of vulnerabilities, but security managers must identify, prioritize, & manage many vulnerabilities, including unknown ones.
Why Physical Security is So Difficult (con’t)
We have to get it right every day and the terrorists only have to get it right once. So we have to be ahead of the game.
--TSA Spokeswoman Lauren Stover
Security personnel have trouble identifying security vulnerabilities because they don’t want them to exist.
(It’s hard to think like the bad guys if you devote your career to being a good guy.)
Why Physical Security is So Difficult (con’t)
No problem can be solved from the same
consciousness that created it.
-- Albert Einstein (1879-1955)
- You can’t (for the most part) get a degree in it.
- Not widely attracting young people, females, the best and the brightest.
- Few peer-reviewed, scholarly journals or R&D conferences.
- Lots of snake oil salesmen.
- Shortage of models, fundamental principles, metrics, rigor, standards,
guidelines, critical thinking, & creativity.
- Overly macho and often dominated by bureaucrats, committees, groupthink, “old boys” networks, linear/concrete/wishful thinkers.
Why Physical Security is So Difficult (con’t)
The only security is the constant practice of critical thinking.
-- William Graham Sumner (1840-1910)
The task of identifying Threats & Vulnerabilities, done as part of Risk Management (or DBT), is too often not really a Vulnerability Assessment.
Security Surveys and Risk Management/DBT were major breakthroughs & are still useful… But they are not enough!
Security Surveys vs. Risk Management vs. VAs
Men do not like to admit to even momentary imperfection. My husband forgot the code to turn off the alarm. When the police came, he wouldn't admit he'd forgotten the code... he turned himself in.
-- Rita Rudner
Identify Assets, Threats & Vulnerabilities, Adversaries, Consequences, Safeguards & Countermeasures.
Assign relative priorities and probabilities. (Generate lots of tables.)
Field your resources appropriately.
Risk Management
The first step in the risk management process is to
acknowledge the reality of risk. Denial is a common
tactic that substitutes deliberate ignorance for thoughtful planning. -- Charles Tremper
DBT basically means “design your security to deal with the current real-world threats”.
In practice, DBT tends to focus more on hardware and infrastructure than Risk Management does.
Design Basis Threat (DBT)
A hypothetical paradox: what would happen in a battle between an Enterprise security team, who always get killed soon after appearing, and a squad of Imperial Stormtroopers, who can't hit the broad side of a planet? -- Tom Galloway
Still binary & close-ended
Limitations of Conventional Risk Management (or DBT)
You can never plan the future by the past.
-- Edmund Burke (1729-1797)
The attack probabilities are usually a fantasy
Suffers from overconfidence in tables and the
“fallacy of precision”
Not done from the perspective of the adversaries
More Limitations of Conventional Risk Management (or DBT)
The time to repair the roof is when
the sun is shining.
-- John F. Kennedy (1917-1963)
Often used to justify the status quo--typically does not encourage new countermeasures
Ignores simple/cheap countermeasures when the attack probabilities are judged (rightly or wrongly) to be low or zero
More Limitations of Conventional Risk Management (or DBT)
It isn't that they can't see the solution.
It is that they can't see the problem.
-- G.K. Chesterton, The Scandal
of Father Brown (1935)
Gleefully look for trouble, rather than seeking to reassure yourself that everything is fine.
Unlike Security Surveys or Risk Management, don’t let the good guys define the problem or its parameters.
Vulnerability Assessment
It is sometimes expedient to forget who we are.
-- Publilius Syrus (~42 BC)
security survey:issue orders to close & lock window!
risk management:ignore if not envisioned as part of a specific threat or attack from a likely adversary; otherwise, design procedure to close & lock window.
VA:Oh boy, an open window! What mischief can this lead to?
You can observe a lot by just watching.
-- Yogi Berra
Play with it.
Play with it some more.
Vulnerability Assessment Steps
Scientists are the easiest to fool. They think in straight, predictable, directable, and therefore misdirectable, lines. The only world they know is the one where everything has a logical explanation and things are what they appear to be. Children and conjurors--they terrify me. Scientists are no problem; against them I feel quite confident.
-- Spoken by Zambendorf in Code of the Lifemaker, (James Hogan, 1987)
Nothing can inhibit and stifle the creative process more--and on this there is unanimous agreement among all creative individuals and investigators of creativity--than critical judgment applied to the emerging idea at the beginning stages of the creative process. ... More ideas have been prematurely rejected by a stringent evaluative attitude than would be warranted by any inherent weakness or absurdity in them. The longer one can linger with the idea with judgment held in abeyance, the better the chances all its details and ramifications [can emerge].
-- Eugene Raudsepp, Managing Creative Scientists and Engineers (1963).
In theory there is no difference between
theory and practice. In practice there is.
-- Yogi Berra
Use smart, hands-on, creative people inside your
organization who are not associated with security.
Seek: wise guys, trouble makers, smart alecks, schemers, organizational critics, loophole finders, questioners of tradition and authority, outside-the-box thinkers, artists, hackers, tinkerers, problem solvers, & techno-nerds.
Could Hamlet have been written by committee, or the Mona Lisa painted by a club? Could the New Testament have been composed as a conference report? Creative ideas don't spring from groups. They spring from individuals.
-- Alfred Whitney Griswold (1885-1959)
To see what is in front of one's nose needs
a constant struggle.
-- George Orwell (1903-1950)
increasing employees’ security awareness
Without deviation from the norm,
progress is not possible.
-- Frank Zappa (1940-1993)
Defeats are a matter of degree & probability
No clear endpoint
Wishful thinking is hard to avoid.
Tricky Aspects of Vulnerability Assessments (VAs)
Nothing is easier than self-deceit. For what each man wishes, that he also believes to be true.
-- Demosthenes (382-322 BC)
No “Shoot the Messenger” Syndrome. No retaliation or punishment against security personnel or managers when vulnerabilities are found.
Use of independent, imaginative assessors who are psychologically predisposed to finding problems and suggesting solutions, and who (ideally) have a history of doing so.
General Attributes of Effective VAs
When people are engaged in something they are not proud of, they do not welcome witnesses. In fact, they come to believe the witness causes the trouble.
-- John Steinbeck (1902-1968)
Rejection of a finding of zero vulnerabilities.
Rejection of the idea of “passing” the VA, or of VAs as “certification”.
Discovering vulnerabilities is viewed as good (not bad) news.
Attributes of Effective VAs
When we were children, we used to think that when
we were grown-up we would no longer be vulnerable.
But to grow up is to accept vulnerability...
To be alive is to be vulnerable.
-- Madeleine L'Engle
Done holistically, not by component, sub-system, function, or layer. (Attacks often occur at interfaces.)
No unrealistic time or budget constraints on the VA, or on what attacks or adversaries can be considered.
Done in context.
Attributes of Effective VAs
He that will not apply new remedies must expect new evils;
for time is the greatest innovator.
-- Francis Bacon (1561-1626)
The good guys don’t get to define the problem, the bad guys do.
Simple, low-tech attacks are examined first.
Attributes of Effective VAs
A common mistake that people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools.
-- Douglas Adams (1952-2001)
No confusion about the difference between VAs and other kinds of hardware testing (materials, environmental, ergonomic, field readiness) or personnel testing.
Attributes of Effective VAs
The first principle is that you must not fool yourself--
and you are the easiest person to fool.
-- Richard Feynman (1918-1988)
• fault analysis
• false alarming
• poke the system
• wait & pounce
• backdoor attacks
• social engineering
• tampering with security training
• insiders, outsiders, insiders + outsiders
Attributes of Effective VAs
Evil is easy, and has infinite forms.
-- Blaise Pascal (1623-1662)
Shannon’s Maxim must be considered: The adversaries know and understand the security systems, strategies, and hardware being used.
Attributes of Effective VAs
Inanimate objects can be classified scientifically into three major categories:
those that don't work, those that break down and those that get lost.
-- Russell Baker
Everything secret degenerates … nothing is safe that does not show how it can bear discussion and publicity.
-- attributed to Lord Acton (1834-1902)
+ We want the good things to be recognized and to continue.
+ Security managers need to be willing to arrange for future VAs.
+ Discussing the good things will make security managers more willing to hear about potential problems.
It should be clear up front that the vulnerability assessment will produce more suggestions and countermeasures than are likely to be implemented. Security managers (not the assessors) should ultimately decide which (if any) make sense to employ.
Attributes of Effective VAs
Our only security is our ability to change.
-- John Lilly
We have met the enemy and he is us.
-- Walt Kelly, the words of Pogo in Earth Day 1971 cartoon strip
is associated with perceptions of unfairness &
inequity, not necessarily objective conditions.
workplace violence, espionage, theft, & sabotage.
What has posterity ever done for me?
-- Groucho Marx (1890-1977)
Honesty may be the best policy, but it's important to
remember that apparently, by elimination, dishonesty
is the second-best policy.
-- George Carlin
on-the-job deaths for female employees
Always go to other people’s funerals. Otherwise
they might not come to yours. --Yogi Berra
We have to distrust each other.
It's our only defense against betrayal.
-- Tennessee Williams (1911-1983)
urbanization, expanding bureaucracy, the
growth of multinational corporations, and
the increased use of email & virtual meetings
No one can build his security upon
the nobleness of another person.
-- Willa Cather (1873-1947)
Americans do not abide very quietly the evils of life.
-- Richard Hofstadter
In every American there is an air of incorrigible innocence,
which seems to conceal a diabolical cunning.
-- A. E. Housman (1859-1936)
are the only reality.
Sincerity is everything. If you can fake that,
you've got it made.
-- Comedian George Burns (1896-1996)
Computer & Computer Media physical security!
Relations with public, neighbors, & local authorities
Effective security awareness training for all employees
Even if you're on the right track,
you'll get run over if you just sit there.
-- Will Rogers (1879-1935)
War & Civil Unrest
Illness & Epidemics
Strikes & Labor Unrest
When choosing between two evils, I
always pick the one I never tried before.
-- Mae West (1893-1980)
Model of how to effectively deal with product tampering: J&J
On a bag of Fritos: You could be a winner!
No purchase necessary. Details inside.
high tech ≠ high security
inventory function ≠ security function
If you think technology can solve your security problems,
then you don't understand the problems and you don't
understand the technology. -- Bruce Schneier
Still depend on the loyalty & effectiveness of user’s personnel
The increased standoff distance decreases the user’s attention to detail
Many more legs to attack
Why High-Tech Devices & Systems Are Usually Vulnerable To Simple Attacks
Users don’t understand the device
Developers & users have the wrong expertise
and focus on the wrong issues
The “Titanic Effect”: high-tech arrogance
Why High-Tech Devices & Systems Are Usually Vulnerable To Simple Attacks (con’t)
tag: an applied or intrinsic feature that uniquely identifies an object or container.
types of tags
inventory tag (no malicious adversary)
anti-counterfeiting tag (counterfeiting is an issue)
security tag (counterfeiting & lifting are issues)
buddy tag or token (counterfeiting is an issue)
lifting: removing a tag from one object or container and placing it on another, without being detected.
Never answer an anonymous letter.
-- Yogi Berra
Tags: Classic examples of confusing Inventory & Security, High-Tech & High-Security
Usually easy to:
* lift
* counterfeit
* spoof the reader
Between the idea and the reality,
Between the motion
And the act
Falls the Shadow.
-- T.S. Eliot, The Hollow Men, 1925
GPS: Another classic example of confusing Inventory & Security, High-Tech & High-Security
government must use the civilian GPS satellite signals.
yet GPS is being used that way!
If you put tomfoolery into a computer, nothing comes out of it but
tomfoolery. But this tomfoolery, having passed through a very expensive
machine, is somehow ennobled and no-one dares criticize it.
-- Pierre Gallois
Jamming: easy to build a noisy rf transmitter from plans on the Internet; not surreptitious.
Spoofing: surreptitious & (as we’ve demonstrated) surprisingly easy for even unsophisticated adversaries using widely available GPS satellite simulators.
Physical attacks: appear to be easy, too.
Attacking GPS Receivers
Sent to HQ
GPS is great for navigation, but it does not provide high security.
Don’t place undue confidence in data encryption or authentication!
Don’t place undue confidence in biometrics!
Don’t assume counterfeiting is difficult!
Only fools are positive.
-- Moe Howard (1897-1975)
Intended for public communication
between two secure points.
Provides reliable security if and only if
the sender and the receiver are physically secure.
The security of a cipher lies less with the cleverness of the
inventor than with the stupidity of the men who are using it.
-- Waldemar Werther
The handwriting on the wall may be a forgery.
-- Ralph Hodgson (1871-1962)
Watch out for the multi-layer fallacy: Believing that multiple layers of bad security equals good security.
Security managers will usually over-estimate the difficulty of defeating their security, and under-estimate the cleverness, determination, & resourcefulness of adversaries.
Adversaries can usually bluff their way into a facility or organization more easily than might be imagined.
The simple act of paying attention
can take you a long way.
-- Keanu Reeves
You’ve got to be very careful if you don’t know where you are going, because you might not get there. -- Yogi Berra
basis threat” ≈ safety “what if?” exercises
“adversarial” safety analysis???
In case of contact [with this chemical],
immediately wash skin with soap and
copious amounts of water. If swallowed,
wash out mouth with water provided the
person is conscious, and call a physician.
-- Material Safety Data Sheet
for sucrose (table sugar)
Widespread arrogance & overconfidence.
Security is viewed as binary. (This inhibits improvement.)
Insiders are not viewed as a threat.
Overly focused on paperwork, auditors, regulations, & formality.
Security & security managers are micro-managed by unqualified business executives.
Security personnel are reluctant to report problems or security incidents, or ask questions.
Security problems, vulnerabilities, & incidents are covered-up.
Vulnerability assessments are rare; security is rarely tested.
“What if?” mental or walk-through exercises are rare, instead of being done daily or weekly.
13. Security personnel are not well respected by
19. Security personnel feel no loyalty or connection
drink from colleagues & co-workers.
Vulnerability Assessment Team
We have a CD containing related papers & reports.
Available today or request a copy at email@example.com
Ring the bells that still can ring.
Forget your perfect offering.
There is a crack in everything.
That's how the light gets in.
Roger Johnston, Ph.D., CPP, Ron Martinez, Leon Lopez, Sonia Trujillo, Adam Pacheco, Anthony Garcia,
Jon Warner, Ph.D., Alicia Herrera, Eddie Bitzer, M.A.
peer review journal:
The Journal of Physical Security
Security can only be achieved through constant change, through discarding old ideas that have outlived their usefulness and adapting others to current facts.
-- William O. Douglas (1898-1980)
Security is like liberty in that many are the
crimes that are committed in its name.
-- Robert H. Jackson, dissenting opinion in U.S. vs Shaughnessy, 1950