Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Focusing on the Threats to the Detriment of the Vulnerabilities

419 views

Published on

Slides from a talk at the NATO Advanced Workshop on Preparedness for Radiological and Nuclear Threats

Published in: Health & Medicine
  • DOWNLOAD FULL eBOOK INTO AVAILABLE FORMAT ......................................................................................................................... ......................................................................................................................... 1.DOWNLOAD FULL. PDF eBook here { https://tinyurl.com/y3nhqquc } ......................................................................................................................... 1.DOWNLOAD FULL. EPUB eBook here { https://tinyurl.com/y3nhqquc } ......................................................................................................................... 1.DOWNLOAD FULL. doc eBook here { https://tinyurl.com/y3nhqquc } ......................................................................................................................... 1.DOWNLOAD FULL. PDF eBook here { https://tinyurl.com/y3nhqquc } ......................................................................................................................... 1.DOWNLOAD FULL. EPUB eBook here { https://tinyurl.com/y3nhqquc } ......................................................................................................................... 1.DOWNLOAD FULL. doc eBook here { https://tinyurl.com/y3nhqquc } ......................................................................................................................... ......................................................................................................................... ......................................................................................................................... .............. Browse by Genre Available eBooks ......................................................................................................................... Art, Biography, Business, Chick Lit, Children's, Christian, Classics, Comics, Contemporary, CookeBOOK Crime, eeBOOK Fantasy, Fiction, Graphic Novels, Historical Fiction, History, Horror, Humor And Comedy, Manga, Memoir, Music, Mystery, Non Fiction, Paranormal, Philosophy, Poetry, Psychology, Religion, Romance, Science, Science Fiction, Self Help, Suspense, Spirituality, Sports, Thriller, Travel, Young Adult,
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • Be the first to like this

Focusing on the Threats to the Detriment of the Vulnerabilities

  1. 1. Talk for the NATO Advanced Workshop on Preparedness for Nuclear and Radiological Threats Focusing on the Threats to the Detriment of the Vulnerabilities: A Vulnerability Assessor’s Perspective Roger G. Johnston, Ph.D., CPP Vulnerability Assessment Team Argonne Na=onal Laboratory 630-­‐252-­‐6168 rogerj@anl.gov hJp://www.ne.anl.gov/capabili=es/vat
  2. 2. This is a plea for more, earlier, better, and more imaginative vulnerability assessments for nuclear and radiological security/safeguards and emergency response.
  3. 3. Argonne Vulnerability Assessment Team The VAT has done vulnerability assessments on over 1000 different security and safeguards devices, systems, & programs. Sponsors • DOE • DoD • DOS • IAEA • NNSA • private companies • intelligence agencies • public interest organiza:ons
  4. 4. Argonne Vulnerability Assessment Team • biometrics • courier bags • GPS spoofing • access control • cargo security • reverse engineering • warehouse security • product tampering • product counterfei=ng • medical device security • consul=ng & training • physical security R&D • security guard turnover • insider threat mi=ga=on • security of sealed sources • security of drug test kits • human factors in security • vulnerability assessments • tamper/intrusion detec=on • RFID spoofing/counterfei=ng • tags & tamper-­‐indica=ng seals • microprocessor & wireless systems • elec=on & vo=ng machine security • countermeasures to security theater • countermeasures to perceptual blindness • nuclear safeguards & monitoring equipment • countermeasures to sleight-­‐of-­‐hand & misdirec=on
  5. 5. Definitions Threat: Who might attack, why, when, and how, and with what resources and probabilities. Threat Assessment (TA): Attempting to identify threats.
  6. 6. Definitions Vulnerability: A security weakness that can be exploited to cause undesirable consequences. Vulnerability Assessment (VA): Discovering and demonstrating ways to defeat a security device, system, or program. Often includes suggesting countermeasures and security improvements.
  7. 7. Things That Often Get Confused with Vulnerabilities ² Assets ² Threats ² Attack Scenarios ² Delay Paths ² Features
  8. 8. Threats vs. Vulnerabilities Threat Assessments (TAs) are speculations about groups and people who may or may not exist, their goals, motivations, and resources. TAs are often reactive in nature, i.e., focused on past incidents. Vulnerabilities are right in front of you (if you will open your eyes and mind), and are often testable. VAs are typically proactive in nature. Oddly, however, TAs are usually much more reproducible than VAs!
  9. 9. Purpose The purpose of a VA is to: 1. Improve security or emergency response. 2. Serve as one of the inputs to overall Risk Management.
  10. 10. • list of assets to protect • asset valua=on/priori=za=on • overall security goals • consequences of successful aJack(s) • threat assessment • vulnerability assessment • available resources & possible security measures • general security philosophy/strategy • psychological tolerance for risk • various es=mated/guessed probabili=es • acceptable tradeoffs in produc=vity vs. security, reputa=on vs. security, morale vs. security, safety vs. security, and liberty/privacy vs. security Modern Risk Management • What INPUT PARAMETERS OUTPUT PARAMETERS: to protect • How to protect it • How à to deploy security resources op=mally DECISION MAKING PROCESS Value Judgments Objec=ve Analysis Subjec=ve Analysis Experience & Exper=se Intui=on & Hunches
  11. 11. Not the Purpose The purpose of a VA is not to: • “Validate” • Pass a test • Generate metrics • Justify the status quo • Praise or accuse anybody • Check against some standard • Claim there are no vulnerabilities • Engender warm & happy feelings • Test security or do performance testing • Rationalize the research & development • Apply a mindless, bureaucratic stamp of approval • Endorse a security product or program, or certify it as “good” or “ready for use”
  12. 12. Techniques Often Mistaken for VAs • security survey (walking around with a checklist) • security audit (are the rules being followed?) • feature analysis • threat assessment • Design Basis Threat • fault or event tree analysis (from safety engineering) • Delphi Method (method for getting a decision from a panel of experts)
  13. 13. Techniques Often Mistaken for VAs • vulnerability “modeling” • software assessment tools • 3D representations of the facility • CARVER Method (DoD & law enforcement) • performance testing • Risk Management • delay path analysis
  14. 14. Vulnerabilities Are the Threat Maxim: Security (and emergency response) typically fails not because the threats were misunderstood, but because the vulnerabilities were not recognized and/or not mitigated.
  15. 15. Vulnerabilities Trump Threats Maxim: If you understand your threats but are clueless about your vulnerabilities, you’re in trouble. One the other hand, if you understand your vulnerabilities and try to mitigate them, you might be ok, even if you get your threats wrong (which is quite possible).
  16. 16. Examples of Vulnerabilities Being the Problem • Hurricane Katrina, 2005 • Breach of the Y-­‐12 nuclear facility by an 82-­‐year-­‐old nun and two other protesters, 2012 • Target stores credit card hack, 2013 • White House fence jumper, 2014
  17. 17. Michener’s Maxim: We are never prepared for what we expect.
  18. 18. Waylayered Security Maxim: Layered security will fail stupidly.
  19. 19. For 170 other security maxims: https://www.scribd.com/doc/46333208/Security-Maxims-October-2014
  20. 20. So why are threats more popular • There than vulnerabilities? are fewer threats than vulnerabili=es • TAs are reproducible & reac=ve • Formalis=c, objec=ve methods work fairly well for TAs • VAs require imagina=on, subjec=ve judgment, and “thinking like the bad guys” • No security or emergency response program claims zero threats, but there is strong cogni=ve dissonance about vulnerabili=es • Vulnerabili=es depend cri=cally on local details
  21. 21. Thinking Like the Bad Guys Bad Guys Don’t Do: TAs, DBT, security audits, etc. They do something closer to VAs. So if we are going to predict what they might do, we need to do creative VAs as well!
  22. 22. Creative Vulnerability Assessments! • Perform a mental coordinate transformation and pretend to be the bad guys (or VAers). (This is much harder than you might think.) • Be much more creative than the adversaries. They need only stumble upon 1 vulnerability, the good guys have to worry about all of them.
  23. 23. Creative Vulnerability Assessments! • Don’t let the good guys & the existing security infrastructure and tactics define the problem. • Gleefully look for trouble, rather than seeking to reassure yourself that everything is fine.
  24. 24. We need to be more like these expert fault finders. They find problems because they want to find problems, and because they are skeptical: • bad guys • therapists • movie critics • computer hackers • scientific peer reviewers • mothers-in-law
  25. 25. Where Vulnerability! Ideas Come From! The Vulnerability Pyramid
  26. 26. Warning! “Fear of NORQ” is not a valid reason to try to force-fit formalistic methods onto VAs! The… Non-­‐Objec=ve Non-­‐Reproducible Non-­‐Quan=fiable NORQ All effec=ve security and risk management is ul=mately subjec=ve, no maJer how much we may wish to pretend it isn’t.
  27. 27. Emergency Response Two Kinds of Vulnerabilities: - flaws in the response - vulnerability to attacks on the response Are we properly prepared for attacks during emergency response, attacks by the original attackers or by a different set of attackers? (Wait & Pounce is a very effective attack strategy!)
  28. 28. Nuclear & Radiological Security Problems from a Vulnerability Assessor’s Perspective • Poor tags & seals, poor use protocols, poor tamper detection for monitoring and security devices • Confusing inventory functions with security functions: why GPS, RFIDs, MC&A programs often provide poor security • VAs not done, not done early, not done iteratively, not done well, not done by the right people • VA myths & blunders • Poor or not-existent Chain of Custody for procured hardware & software
  29. 29. Warning: Chain of Custody The importance of a cradle-­‐to-­‐grave, secure chain of custody: Most security devices (locks, tags, seals, access control & biometrics devices, monitoring equipment, etc.) can usually be compromised in ~15 seconds, at the factory or vendor, on the loading dock, in transit, in the receiving department, before or aler being installed. Most “security” and nuclear safeguards devices have liJle built-­‐in security or significant ability to detect intrusion/tampering.
  30. 30. Nuclear & Radiological Security Problems from a Vulnerability Assessor’s Perspective • Security as a last-minute “Band-Aid” • Lack of insider threat mitigation • Lack of research-based practice • Few countermeasures for groupthink & cognitive dissonance • Compliance-Based Security and “Security by Obscurity” • Confusing Safety & Security
  31. 31. Safety & Security are 2 Relatively Unrelated Problems! Example: March 2012 Recall of 900,000 Safety 1st Push N’ Snap Cabinet Locks 140 reports of babies/toddlers defeating the locks, resulting in 3 poisonings Security: All about intentional nefarious adversaries. Safety: No adversaries.
  32. 32. Problem: Lack of Research-Based Security Practice" The Journal of Physical Security A free, non-profit, online peer-reviewed R&D journal http://jps.anl.gov
  33. 33. For More Information… rogerj@anl.gov http://www.ne.anl.gov/capabilities/vat

×