SlideShare a Scribd company logo

How to Think Like a Vulnerability Assessor

Roger Johnston
Roger Johnston

If you can't think like a bad guy to get good security, at least try to think like a vulnerability assessor.

Self Improvement
1 of 19
Download to read offline
1 Talk for the 58th Annual ASIS Meeting Philadelphia, PA, September 10-13, 2012 Roger G. Johnston, Ph.D., CPP Jon S. Warner, Ph.D. Vulnerability Assessment Team Argonne National Laboratory 630-252-6168 rogerj@anl.gov Vulnerability Assessment Team (VAT)! Sponsors • DHS • DoD • DOS • IAEA • Euratom • DOE/NNSA • private companies • intelligence agencies • public interest organizations The VAT has done detailed vulnerability assessments on over 1000 different security devices, systems, & programs. The greatest of faults, I should say, is to be conscious of none. -- Thomas Carlyle (1795-1881) A multi-disciplinary team of physicists, engineers, hackers, & social scientists. Check us out on YouTube: keywords = argonne break into 2
2 Terminology! Threat: Who might attack, why, when, how, with what probability, and with what resources. (Includes information on goals and attack modes.) Threat Assessment (TA): Attempting to identify threats. Terminology! Vulnerability: Flaw or weakness that could be exploited to cause undesirable consequences. Vulnerability Assessment (VA): Discovering and demonstrating ways to defeat a security device, system, or program. Should include suggesting countermeasures and security improvements.
3 Threat vs. Vulnerability! Threat: Adversaries might try to steal PII information (SSNs, credit card numbers, etc.) from our computer systems to commit crimes. Vulnerability: We don’t keep our anti-malware software up to date. _____________________________________________ Threat: Adversaries could dump toxic chemicals on our property, then blame us to try to get us in trouble with environmental officials and the public. Vulnerability: We don’t have good access control or video monitoring of our grounds. 5 Why VAs Trump TAs! (especially for catastrophic security incidents)! 6 Threats Vulnerabilities reactive, focused on the past proactive, focused on the future speculative right in front of you (if you’re willing to see them) hard to test testable not usually fixable often easy to fix often generic specific to the ground level details If you get the threats wrong but understand and (at least partially) fix the vulnerabilities, you may be ok. If you get the vulnerabilities wrong (or ignore them), you are probably in trouble despite how well you understand the threats.
4 Security Risk Management - An Optimization Problem! Inputs: ü assets to protect ü overall security goals ü asset valuation/prioritization ü consequences of successful attack(s) ü threat assessment ü vulnerability assessment ü available resources & possible security measures ü general security philosophy/strategy ü various estimated/guessed probabilities *often vague, incomplete, or missing **often under-estimated * Outputs: Ø What to protect and at what level Ø How to deploy resources optimally ** * * ** ** 7 * Purpose! The purpose of a VA is to improve security & minimize risk, not to: • Pass a test • Test security • Generate metrics • Justify the status quo • Praise or accuse anybody • Check against some standard • Claim there are no vulnerabilities • Engender warm & happy feelings • Determine who gets salary increases • Rationalize the research & development • Apply a mindless, bureaucratic stamp of approval • Endorse a security product/program or Certify it as “good” or “ready to use” 8
5 A VA is Not…! § auditing § quality control § reliability testing § efficiency testing § compliance testing § acceptance testing § ergonomics testing § performance testing § response time testing § operational assessment § environmental robustness testing 9 Techniques Often Confused with VAs! q feature analysis q threat assessment q Design Basis Threat q CARVER Method (DoD) q software assessment tools q security survey (walking around with a checklist) q security audit (are the rules known & being followed?) q fault or event tree analysis (from safety engineering) q Delphi Method (method for getting a decision from a panel of experts) 10
6 Vulnerability Assessment (VA) Blunders! These assumptions are wrong: • A vulnerability assessment should be done at the end. • There are a small number of vulnerabilities. • Most or all can be found & eliminated. • A VA should ideally find zero vulnerabilities. • Vulnerabilities are bad news. Vulnerability Assessment (VA) Blunders! • Not using creative people with a hacker mentality who want to find problems and suggest solutions • Conflicts of interest (economic & psychological) • Shooting the messenger • Sham rigor • The fallacy of precision • Fear of NORQ analysis 12 NORQ = Non-Objective Non-Reproducible Non-Quantifiable
7 Vulnerability Assessment (VA) Blunders! • Focusing on high-tech attacks • Letting attack methods define the vulnerabilities, not the other way around • Arbitrarily constrained VAs (scope, time, effort, by modules or components) • Limiting the VA to the lower part of the Vulnerability Pyramid Where Vulnerability Ideas Come From! The Vulnerability Pyramid 14
8 Safety & Security are 2 Relatively Unrelated Problems! Example: March 2012 Recall of 900,000 Safety 1st Push N’ Snap Cabinet Locks 140 reports of babies/toddlers defeating the locks, resulting in 3 poisonings Security: All about nefarious adversaries. Safety: No adversaries. 15 16 Working with Outside VAers! • Seek creative, hands-on assessors with a history of finding problems and suggesting solutions, and who are psychologically pre-disposed to doing so. • At least be sure at the end you understand what subtle attacks & insider attacks look like! • You don’t have to mitigate all discovered vulnerabilities or accept all suggestions, but be sure you have good reasons (not just ego, arrogance, denial, laziness, or wishful thinking).
9 17 Assembling Your Own VA Team:! Seek…! q hackers q narcissists q trouble makers q hands-on types q creative people q loop-hole finders q independent thinkers q questioners of authority q people curious about how things work Blunder: Thinking Engineers Understand Security" Engineers... • ...work in solution space, not problem space • …make things work but aren't trained or mentally inclined to figure out how to make things break • ...view Nature or economics as the adversary, not the bad guys • …think of technologies as failing randomly, not by deliberate, intelligent, malicious, opportunistic intent • …are not typically predisposed to think like bad guys • …focus on user friendliness—not making things difficult for the bad guys • ...like to add lots of extra features that open up new attack vectors • …want products to be simple to maintain, repair, and diagnose—which usually makes them easy to attack 18
10 19 “White Box” vs. “Black Box” VA! White Box: Full details, specifications, and technical disclosures are given to the Vulnerability Assessors at the start. [Most time/cost effective & closest to reality.] Black Box: The Vulnerability Assessors reverse engineering or discover all or most of the details on their own. [Interesting & illuminating, but usually not realistic or time/ cost effective.] Adversarial Vulnerability Assessments! • Perform a mental coordinate transformation and pretend to be the bad guys (or VAers). (This is much harder than you might think.) • Be much more creative than the adversaries. They need only stumble upon 1 vulnerability, the good guys have to worry about all of them. 20
11 Adversarial Vulnerability Assessments! • Don’t let the good guys & the existing security infrastructure and tactics define the problem. • Gleefully look for trouble, rather than seeking to reassure yourself that everything is fine. 21 We need to be more like fault finders. They find problems because they want to find problems, and because they are skeptical: • bad guys • therapists • movie critics • computer hackers • scientific peer reviewers • mothers-in-law 22
12 * AVA Steps 1. Fully understand the device, system, or program and how it is REALLY used. Talk to the low-level users and frontline personnel. 2. Play with it. 3. Brainstorm--anything goes! (Effective brainstorming is the key!) 4. Play with it some more. 23 * AVA Steps 5. Edit & prioritize potential attacks. 6. Partially develop some attacks. 7. Determine feasibility of the attacks. 8. Devise countermeasures. 9. Perfect attacks. 10. Demonstrate attacks. 11. Rigorously test attacks. 12. Rigorously test countermeasures.
13 Delaying Judgment! Nothing can inhibit and stifle the creative process more— and on this there is unanimous agreement among all creative individuals and investigators of creativity—than critical judgment applied to the emerging idea at the beginning stages of the creative process. ... More ideas have been prematurely rejected by a stringent evaluative attitude than would be warranted by any inherent weakness or absurdity in them. The longer one can linger with the idea with judgment held in abeyance, the better the chances all its details and ramifications [can emerge]. -- Eugene Raudsepp, Managing Creative Scientists and Engineers (1963). Keep the possibility phase completely separate from the practicality phase! 25 The Creative VA Process! • Individuals must be given ownership of their original idea & should be personally recognized for their creativity. • The group environment needs to be: + diverse + high-energy + people tired + urgent but not stressful + free of authority figures + humorous, joyful, & fun + cohesive but not too cohesive + competitive in a friendly & respectful way + enthusiastic about individual differences & eccentricities • Every idea, no matter how wacky or seemingly stupid, gets written down & treated as a gem, at least initially. 26
14 The Creative VA Process! Be skeptical! Pay close attention to explicit or unstated assumptions, and to security features that are widely praised or admired. These are often the source of serious vulnerabilities. Concentrate on the 2nd and 3rd best attacks or countermeasures. You are likely overlooking something that would make them the best solutions. If there is widespread agreement about the efficacy of an attack or countermeasure, re-examine. Something important was probably overlooked. The Creative VA Process! Quantity breeds quality. With all ideas: elaborate, expand, modify, subvert, exaggerate, & combine with other ideas. Pursue hunches & intuition. The best ideas come late, and when you are not thinking about the problem. Pursue what is interesting, controversial, contrarian, exciting, or silly. 28
15 The Creative VA Process! Develop and explore models, metaphors, & analogies. Terminology constrains our thinking. Rename everything in your own (and/or silly) words, and think about them in light of the new terminology. Consider different verbs for what the bad guys might want to accomplish: attack, steal, demolish, embarrass, tag, terminate, uncover, purify, whistleblow, poison, etc. Ridicule existing security measures & strategies. Avoid the fear of the NORQ! 29 Video!
16 arrogance * 32
17 Slacker Donuts! 33 You want like…um…a donut, dude?TM 34 Elements of the Slacker Donuts Security Program • No checks • There’s a safe for cash but $50 is immediately available to hand robbers • Cash taken to local bank at 11 AM • Not open 24/7 but bright illumination 24/7 • Periodic rounds by shared private security • Good relations with local community, businesses, police, street people • Shared slacker culture with employees and clientele • Secret recipes known to only a few
18 In Summary! * There are advantages to thinking like a Vulnerability Assessor when you think about your security. * Don’t get confused about what a VA is or its role in overall Risk Management. * To go into “Vulnerability Assessor Mode”, step outside yourself, be creative & irreverent+, and & try humor (which can be very mentally liberating). * You must want to find problems—or else find people who do. 35 * Special Thanks to: * Christopher Folk (for helping to develop the Fear of NORQ model) * Security Theater 3000 “Commercial” * Mitch Farmer.....Investment Banker * Jim Regis…..Former Security Officer * Roy Lindley…..Arthritis Patient * Veronica Manfredi…..Wife (& Tech Support/Graphics) * Christopher Folk…..Husband * Marrissa Faler…..Homemaker (& Tech Support) * Buddy the Dog…..As Himself * Greg Byslma…..Tech Support 36
19 For More Information...! Additional information is available from: rogerj@anl.gov and http://www.ne.anl.gov/capabilities/vat http://www.youtube.com/watch?v=frBBGJqkz9E

Recommended

Focusing on the Threats to the Detriment of the Vulnerabilities
Focusing on the Threats to the Detriment of the VulnerabilitiesFocusing on the Threats to the Detriment of the Vulnerabilities
Focusing on the Threats to the Detriment of the VulnerabilitiesRoger Johnston
 
Insider Threat Mitigation
Insider Threat Mitigation Insider Threat Mitigation
Insider Threat MitigationRoger Johnston
 
Bad Advice, Unintended Consequences, and Broken Paradigms: Think & Act Di...
Bad Advice, Unintended Consequences, and Broken Paradigms: Think & Act Di...Bad Advice, Unintended Consequences, and Broken Paradigms: Think & Act Di...
Bad Advice, Unintended Consequences, and Broken Paradigms: Think & Act Di...Steve Werby
 
Sexy defense
Sexy defenseSexy defense
Sexy defenseIftach Ian Amit
 
Is it Security Theater?
Is it Security Theater?Is it Security Theater?
Is it Security Theater?Roger Johnston
 
Using the Threat Agent Library to improve threat modeling
Using the Threat Agent Library to improve threat modelingUsing the Threat Agent Library to improve threat modeling
Using the Threat Agent Library to improve threat modelingEric Jernigan MSIA, CISSP, CISM, CRISC
 
The Ins and Outs of Accident Investigation
The Ins and Outs of Accident InvestigationThe Ins and Outs of Accident Investigation
The Ins and Outs of Accident InvestigationKPADealerWebinars
 
Core define and_win_cmd_line gr
Core define and_win_cmd_line grCore define and_win_cmd_line gr
Core define and_win_cmd_line grFrancisco Anastácio
 

Recommended

Focusing on the Threats to the Detriment of the Vulnerabilities
Focusing on the Threats to the Detriment of the VulnerabilitiesFocusing on the Threats to the Detriment of the Vulnerabilities
Focusing on the Threats to the Detriment of the VulnerabilitiesRoger Johnston
 
Insider Threat Mitigation
Insider Threat Mitigation Insider Threat Mitigation
Insider Threat MitigationRoger Johnston
 
Bad Advice, Unintended Consequences, and Broken Paradigms: Think & Act Di...
Bad Advice, Unintended Consequences, and Broken Paradigms: Think & Act Di...Bad Advice, Unintended Consequences, and Broken Paradigms: Think & Act Di...
Bad Advice, Unintended Consequences, and Broken Paradigms: Think & Act Di...Steve Werby
 
Sexy defense
Sexy defenseSexy defense
Sexy defenseIftach Ian Amit
 
Is it Security Theater?
Is it Security Theater?Is it Security Theater?
Is it Security Theater?Roger Johnston
 
Using the Threat Agent Library to improve threat modeling
Using the Threat Agent Library to improve threat modelingUsing the Threat Agent Library to improve threat modeling
Using the Threat Agent Library to improve threat modelingEric Jernigan MSIA, CISSP, CISM, CRISC
 
The Ins and Outs of Accident Investigation
The Ins and Outs of Accident InvestigationThe Ins and Outs of Accident Investigation
The Ins and Outs of Accident InvestigationKPADealerWebinars
 
Core define and_win_cmd_line gr
Core define and_win_cmd_line grCore define and_win_cmd_line gr
Core define and_win_cmd_line grFrancisco Anastácio
 
Vulnerability Assessment Myths
Vulnerability Assessment MythsVulnerability Assessment Myths
Vulnerability Assessment MythsRoger Johnston
 
Vulnerability Assessment, Physical Security, and Nuclear Safeguards
Vulnerability Assessment, Physical Security, and Nuclear SafeguardsVulnerability Assessment, Physical Security, and Nuclear Safeguards
Vulnerability Assessment, Physical Security, and Nuclear SafeguardsRoger Johnston
 
Relating Risk to Vulnerability
Relating Risk to Vulnerability Relating Risk to Vulnerability
Relating Risk to Vulnerability Resolver Inc.
 
EESS Day 1 - Justin Ludcke
EESS Day 1 - Justin LudckeEESS Day 1 - Justin Ludcke
EESS Day 1 - Justin LudckeNSW Environment and Planning
 
Introduction to FAIR - Factor Analysis of Information Risk
Introduction to FAIR - Factor Analysis of Information RiskIntroduction to FAIR - Factor Analysis of Information Risk
Introduction to FAIR - Factor Analysis of Information RiskOsama Salah
 
Threats vs. Vulnerabilities
Threats vs. Vulnerabilities Threats vs. Vulnerabilities
Threats vs. Vulnerabilities Roger Johnston
 
Accident investigation BY Muhammad Fahad Ansari 12IEEM14
Accident investigation BY Muhammad Fahad Ansari 12IEEM14Accident investigation BY Muhammad Fahad Ansari 12IEEM14
Accident investigation BY Muhammad Fahad Ansari 12IEEM14fahadansari131
 
Engineers responsibility for safety and risk
Engineers responsibility for safety and riskEngineers responsibility for safety and risk
Engineers responsibility for safety and riskStudent
 
Cybersecurity 5 road_blocks
Cybersecurity 5 road_blocksCybersecurity 5 road_blocks
Cybersecurity 5 road_blocksCyphort
 
Intro to a Data-Driven Computer Security Defense
Intro to a Data-Driven Computer Security DefenseIntro to a Data-Driven Computer Security Defense
Intro to a Data-Driven Computer Security DefenseRoger Grimes
 
Increasing Value Of Security Assessment Services
Increasing Value Of Security Assessment ServicesIncreasing Value Of Security Assessment Services
Increasing Value Of Security Assessment ServicesChris Nickerson
 
Understanding Information Security Assessment Types
Understanding Information Security Assessment TypesUnderstanding Information Security Assessment Types
Understanding Information Security Assessment TypesHackerOne
 
DEF CON 27 - workshop - KRISTY WESTPHAL - analysis 101
DEF CON 27 - workshop - KRISTY WESTPHAL - analysis 101DEF CON 27 - workshop - KRISTY WESTPHAL - analysis 101
DEF CON 27 - workshop - KRISTY WESTPHAL - analysis 101Felipe Prado
 
Return Home Interviews and Safety
Return Home Interviews and Safety Return Home Interviews and Safety
Return Home Interviews and Safety Claudia Megele
 
How to assess and manage cyber risk
How to assess and manage cyber riskHow to assess and manage cyber risk
How to assess and manage cyber riskStephen Cobb
 
Slide set 4 safety and risk
Slide set 4 safety and riskSlide set 4 safety and risk
Slide set 4 safety and riskAbdel Salam Sayyad
 
Understanding Vulnerability Assessments
Understanding Vulnerability AssessmentsUnderstanding Vulnerability Assessments
Understanding Vulnerability AssessmentsRoger Johnston
 
[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...
[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...
[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...CODE BLUE
 
unit4.pptx professional ethics in engineering
unit4.pptx professional ethics in engineeringunit4.pptx professional ethics in engineering
unit4.pptx professional ethics in engineeringPoornachanranKV
 
[Hungary] I play Jack of Information Disclosure
[Hungary] I play Jack of Information Disclosure[Hungary] I play Jack of Information Disclosure
[Hungary] I play Jack of Information DisclosureOWASP EEE
 
In Risu Veritas: Humor & Security
In Risu Veritas: Humor & SecurityIn Risu Veritas: Humor & Security
In Risu Veritas: Humor & SecurityRoger Johnston
 
Journal of Physical Security 15(1)
Journal of Physical Security 15(1)Journal of Physical Security 15(1)
Journal of Physical Security 15(1)Roger Johnston
 

More Related Content

Similar to How to Think Like a Vulnerability Assessor

Vulnerability Assessment Myths
Vulnerability Assessment MythsVulnerability Assessment Myths
Vulnerability Assessment MythsRoger Johnston
 
Vulnerability Assessment, Physical Security, and Nuclear Safeguards
Vulnerability Assessment, Physical Security, and Nuclear SafeguardsVulnerability Assessment, Physical Security, and Nuclear Safeguards
Vulnerability Assessment, Physical Security, and Nuclear SafeguardsRoger Johnston
 
Relating Risk to Vulnerability
Relating Risk to Vulnerability Relating Risk to Vulnerability
Relating Risk to Vulnerability Resolver Inc.
 
Introduction to FAIR - Factor Analysis of Information Risk
Introduction to FAIR - Factor Analysis of Information RiskIntroduction to FAIR - Factor Analysis of Information Risk
Introduction to FAIR - Factor Analysis of Information RiskOsama Salah
 
Threats vs. Vulnerabilities
Threats vs. Vulnerabilities Threats vs. Vulnerabilities
Threats vs. Vulnerabilities Roger Johnston
 
Accident investigation BY Muhammad Fahad Ansari 12IEEM14
Accident investigation BY Muhammad Fahad Ansari 12IEEM14Accident investigation BY Muhammad Fahad Ansari 12IEEM14
Accident investigation BY Muhammad Fahad Ansari 12IEEM14fahadansari131
 
Engineers responsibility for safety and risk
Engineers responsibility for safety and riskEngineers responsibility for safety and risk
Engineers responsibility for safety and riskStudent
 
Cybersecurity 5 road_blocks
Cybersecurity 5 road_blocksCybersecurity 5 road_blocks
Cybersecurity 5 road_blocksCyphort
 
Intro to a Data-Driven Computer Security Defense
Intro to a Data-Driven Computer Security DefenseIntro to a Data-Driven Computer Security Defense
Intro to a Data-Driven Computer Security DefenseRoger Grimes
 
Increasing Value Of Security Assessment Services
Increasing Value Of Security Assessment ServicesIncreasing Value Of Security Assessment Services
Increasing Value Of Security Assessment ServicesChris Nickerson
 
Understanding Information Security Assessment Types
Understanding Information Security Assessment TypesUnderstanding Information Security Assessment Types
Understanding Information Security Assessment TypesHackerOne
 
DEF CON 27 - workshop - KRISTY WESTPHAL - analysis 101
DEF CON 27 - workshop - KRISTY WESTPHAL - analysis 101DEF CON 27 - workshop - KRISTY WESTPHAL - analysis 101
DEF CON 27 - workshop - KRISTY WESTPHAL - analysis 101Felipe Prado
 
Return Home Interviews and Safety
Return Home Interviews and Safety Return Home Interviews and Safety
Return Home Interviews and Safety Claudia Megele
 
How to assess and manage cyber risk
How to assess and manage cyber riskHow to assess and manage cyber risk
How to assess and manage cyber riskStephen Cobb
 
Understanding Vulnerability Assessments
Understanding Vulnerability AssessmentsUnderstanding Vulnerability Assessments
Understanding Vulnerability AssessmentsRoger Johnston
 
[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...
[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...
[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...CODE BLUE
 
unit4.pptx professional ethics in engineering
unit4.pptx professional ethics in engineeringunit4.pptx professional ethics in engineering
unit4.pptx professional ethics in engineeringPoornachanranKV
 
[Hungary] I play Jack of Information Disclosure
[Hungary] I play Jack of Information Disclosure[Hungary] I play Jack of Information Disclosure
[Hungary] I play Jack of Information DisclosureOWASP EEE
 

Similar to How to Think Like a Vulnerability Assessor (20)

Vulnerability Assessment Myths
Vulnerability Assessment MythsVulnerability Assessment Myths
Vulnerability Assessment Myths
 
Vulnerability Assessment, Physical Security, and Nuclear Safeguards
Vulnerability Assessment, Physical Security, and Nuclear SafeguardsVulnerability Assessment, Physical Security, and Nuclear Safeguards
Vulnerability Assessment, Physical Security, and Nuclear Safeguards
 
Relating Risk to Vulnerability
Relating Risk to Vulnerability Relating Risk to Vulnerability
Relating Risk to Vulnerability
 
EESS Day 1 - Justin Ludcke
EESS Day 1 - Justin LudckeEESS Day 1 - Justin Ludcke
EESS Day 1 - Justin Ludcke
 
Introduction to FAIR - Factor Analysis of Information Risk
Introduction to FAIR - Factor Analysis of Information RiskIntroduction to FAIR - Factor Analysis of Information Risk
Introduction to FAIR - Factor Analysis of Information Risk
 
Threats vs. Vulnerabilities
Threats vs. Vulnerabilities Threats vs. Vulnerabilities
Threats vs. Vulnerabilities
 
Accident investigation BY Muhammad Fahad Ansari 12IEEM14
Accident investigation BY Muhammad Fahad Ansari 12IEEM14Accident investigation BY Muhammad Fahad Ansari 12IEEM14
Accident investigation BY Muhammad Fahad Ansari 12IEEM14
 
Engineers responsibility for safety and risk
Engineers responsibility for safety and riskEngineers responsibility for safety and risk
Engineers responsibility for safety and risk
 
Cybersecurity 5 road_blocks
Cybersecurity 5 road_blocksCybersecurity 5 road_blocks
Cybersecurity 5 road_blocks
 
Intro to a Data-Driven Computer Security Defense
Intro to a Data-Driven Computer Security DefenseIntro to a Data-Driven Computer Security Defense
Intro to a Data-Driven Computer Security Defense
 
Increasing Value Of Security Assessment Services
Increasing Value Of Security Assessment ServicesIncreasing Value Of Security Assessment Services
Increasing Value Of Security Assessment Services
 
Understanding Information Security Assessment Types
Understanding Information Security Assessment TypesUnderstanding Information Security Assessment Types
Understanding Information Security Assessment Types
 
DEF CON 27 - workshop - KRISTY WESTPHAL - analysis 101
DEF CON 27 - workshop - KRISTY WESTPHAL - analysis 101DEF CON 27 - workshop - KRISTY WESTPHAL - analysis 101
DEF CON 27 - workshop - KRISTY WESTPHAL - analysis 101
 
Return Home Interviews and Safety
Return Home Interviews and Safety Return Home Interviews and Safety
Return Home Interviews and Safety
 
How to assess and manage cyber risk
How to assess and manage cyber riskHow to assess and manage cyber risk
How to assess and manage cyber risk
 
Slide set 4 safety and risk
Slide set 4 safety and riskSlide set 4 safety and risk
Slide set 4 safety and risk
 
Understanding Vulnerability Assessments
Understanding Vulnerability AssessmentsUnderstanding Vulnerability Assessments
Understanding Vulnerability Assessments
 
[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...
[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...
[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...
 
unit4.pptx professional ethics in engineering
unit4.pptx professional ethics in engineeringunit4.pptx professional ethics in engineering
unit4.pptx professional ethics in engineering
 
[Hungary] I play Jack of Information Disclosure
[Hungary] I play Jack of Information Disclosure[Hungary] I play Jack of Information Disclosure
[Hungary] I play Jack of Information Disclosure
 

More from Roger Johnston

In Risu Veritas: Humor & Security
In Risu Veritas: Humor & SecurityIn Risu Veritas: Humor & Security
In Risu Veritas: Humor & SecurityRoger Johnston
 
Journal of Physical Security 15(1)
Journal of Physical Security 15(1)Journal of Physical Security 15(1)
Journal of Physical Security 15(1)Roger Johnston
 
Camera Obscura and Security/Privacy
Camera Obscura and Security/PrivacyCamera Obscura and Security/Privacy
Camera Obscura and Security/PrivacyRoger Johnston
 
Vulnerability Assessment: The Missing Manual for the Missing Link
Vulnerability Assessment: The Missing Manual for the Missing Link Vulnerability Assessment: The Missing Manual for the Missing Link
Vulnerability Assessment: The Missing Manual for the Missing Link Roger Johnston
 
Journal of Physical Security 14(1)
Journal of Physical Security 14(1)Journal of Physical Security 14(1)
Journal of Physical Security 14(1)Roger Johnston
 
Journal of Physical Security 13(1)
Journal of Physical Security 13(1)Journal of Physical Security 13(1)
Journal of Physical Security 13(1)Roger Johnston
 
Election Security 2020
Election Security 2020Election Security 2020
Election Security 2020Roger Johnston
 
A New Approach to Vulnerability Assessment
A New Approach to Vulnerability AssessmentA New Approach to Vulnerability Assessment
A New Approach to Vulnerability AssessmentRoger Johnston
 
Devil's Dictionary of Security Terms
Devil's Dictionary of Security Terms Devil's Dictionary of Security Terms
Devil's Dictionary of Security Terms Roger Johnston
 
Vulnerability Assessments
Vulnerability Assessments Vulnerability Assessments
Vulnerability Assessments Roger Johnston
 
Design Reviews Versus Vulnerability Assessments for Physical Security
Design Reviews Versus Vulnerability Assessments for Physical SecurityDesign Reviews Versus Vulnerability Assessments for Physical Security
Design Reviews Versus Vulnerability Assessments for Physical SecurityRoger Johnston
 
Journal of Physical Security 12(3)
Journal of Physical Security 12(3)Journal of Physical Security 12(3)
Journal of Physical Security 12(3)Roger Johnston
 
Journal of Physical Security 12(2)
Journal of Physical Security 12(2)Journal of Physical Security 12(2)
Journal of Physical Security 12(2)Roger Johnston
 
Unconventional Security Devices
Unconventional Security DevicesUnconventional Security Devices
Unconventional Security DevicesRoger Johnston
 
Making the Business Case for Security Investment
Making the Business Case for Security InvestmentMaking the Business Case for Security Investment
Making the Business Case for Security InvestmentRoger Johnston
 
Journal of Physical Security 11(1)
Journal of Physical Security 11(1)Journal of Physical Security 11(1)
Journal of Physical Security 11(1)Roger Johnston
 
Journal of Physical Security 10(1)
Journal of Physical Security 10(1)Journal of Physical Security 10(1)
Journal of Physical Security 10(1)Roger Johnston
 

More from Roger Johnston (20)

In Risu Veritas: Humor & Security
In Risu Veritas: Humor & SecurityIn Risu Veritas: Humor & Security
In Risu Veritas: Humor & Security
 
Journal of Physical Security 15(1)
Journal of Physical Security 15(1)Journal of Physical Security 15(1)
Journal of Physical Security 15(1)
 
Security Audits.pdf
Security Audits.pdfSecurity Audits.pdf
Security Audits.pdf
 
Camera Obscura and Security/Privacy
Camera Obscura and Security/PrivacyCamera Obscura and Security/Privacy
Camera Obscura and Security/Privacy
 
Vulnerability Assessment: The Missing Manual for the Missing Link
Vulnerability Assessment: The Missing Manual for the Missing Link Vulnerability Assessment: The Missing Manual for the Missing Link
Vulnerability Assessment: The Missing Manual for the Missing Link
 
Journal of Physical Security 14(1)
Journal of Physical Security 14(1)Journal of Physical Security 14(1)
Journal of Physical Security 14(1)
 
Want seals with that?
Want seals with that?Want seals with that?
Want seals with that?
 
Journal of Physical Security 13(1)
Journal of Physical Security 13(1)Journal of Physical Security 13(1)
Journal of Physical Security 13(1)
 
Election Security 2020
Election Security 2020Election Security 2020
Election Security 2020
 
Security Assurance
Security AssuranceSecurity Assurance
Security Assurance
 
A New Approach to Vulnerability Assessment
A New Approach to Vulnerability AssessmentA New Approach to Vulnerability Assessment
A New Approach to Vulnerability Assessment
 
Devil's Dictionary of Security Terms
Devil's Dictionary of Security Terms Devil's Dictionary of Security Terms
Devil's Dictionary of Security Terms
 
Vulnerability Assessments
Vulnerability Assessments Vulnerability Assessments
Vulnerability Assessments
 
Design Reviews Versus Vulnerability Assessments for Physical Security
Design Reviews Versus Vulnerability Assessments for Physical SecurityDesign Reviews Versus Vulnerability Assessments for Physical Security
Design Reviews Versus Vulnerability Assessments for Physical Security
 
Journal of Physical Security 12(3)
Journal of Physical Security 12(3)Journal of Physical Security 12(3)
Journal of Physical Security 12(3)
 
Journal of Physical Security 12(2)
Journal of Physical Security 12(2)Journal of Physical Security 12(2)
Journal of Physical Security 12(2)
 
Unconventional Security Devices
Unconventional Security DevicesUnconventional Security Devices
Unconventional Security Devices
 
Making the Business Case for Security Investment
Making the Business Case for Security InvestmentMaking the Business Case for Security Investment
Making the Business Case for Security Investment
 
Journal of Physical Security 11(1)
Journal of Physical Security 11(1)Journal of Physical Security 11(1)
Journal of Physical Security 11(1)
 
Journal of Physical Security 10(1)
Journal of Physical Security 10(1)Journal of Physical Security 10(1)
Journal of Physical Security 10(1)
 

Recently uploaded

CALL ON ➥8923113531 🔝Call Girls Adil Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Adil Nagar Lucknow best Female serviceCALL ON ➥8923113531 🔝Call Girls Adil Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Adil Nagar Lucknow best Female serviceanilsa9823
 
Dhule Call Girls #9907093804 Contact Number Escorts Service Dhule
Dhule Call Girls #9907093804 Contact Number Escorts Service DhuleDhule Call Girls #9907093804 Contact Number Escorts Service Dhule
Dhule Call Girls #9907093804 Contact Number Escorts Service Dhulesrsj9000
 
Lucknow 💋 High Class Call Girls Lucknow 10k @ I'm VIP Independent Escorts Gir...
Lucknow 💋 High Class Call Girls Lucknow 10k @ I'm VIP Independent Escorts Gir...Lucknow 💋 High Class Call Girls Lucknow 10k @ I'm VIP Independent Escorts Gir...
Lucknow 💋 High Class Call Girls Lucknow 10k @ I'm VIP Independent Escorts Gir...anilsa9823
 
Breath, Brain & Beyond_A Holistic Approach to Peak Performance.pdf
Breath, Brain & Beyond_A Holistic Approach to Peak Performance.pdfBreath, Brain & Beyond_A Holistic Approach to Peak Performance.pdf
Breath, Brain & Beyond_A Holistic Approach to Peak Performance.pdfJess Walker
 
REFLECTIONS Newsletter Jan-Jul 2024.pdf.pdf
REFLECTIONS Newsletter Jan-Jul 2024.pdf.pdfREFLECTIONS Newsletter Jan-Jul 2024.pdf.pdf
REFLECTIONS Newsletter Jan-Jul 2024.pdf.pdfssusere8ea60
 
Postal Ballot procedure for employees to utilise
Postal Ballot procedure for employees to utilisePostal Ballot procedure for employees to utilise
Postal Ballot procedure for employees to utiliseccsubcollector
 
Call Girls Anjuna beach Mariott Resort ₰8588052666
Call Girls Anjuna beach Mariott Resort ₰8588052666Call Girls Anjuna beach Mariott Resort ₰8588052666
Call Girls Anjuna beach Mariott Resort ₰8588052666nishakur201
 
CALL ON ➥8923113531 🔝Call Girls Aliganj Lucknow best sexual service
CALL ON ➥8923113531 🔝Call Girls Aliganj Lucknow best sexual serviceCALL ON ➥8923113531 🔝Call Girls Aliganj Lucknow best sexual service
CALL ON ➥8923113531 🔝Call Girls Aliganj Lucknow best sexual serviceanilsa9823
 
CALL ON ➥8923113531 🔝Call Girls Rajajipuram Lucknow best sexual service
CALL ON ➥8923113531 🔝Call Girls Rajajipuram Lucknow best sexual serviceCALL ON ➥8923113531 🔝Call Girls Rajajipuram Lucknow best sexual service
CALL ON ➥8923113531 🔝Call Girls Rajajipuram Lucknow best sexual serviceanilsa9823
 
8377087607 Full Enjoy @24/7-CLEAN-Call Girls In Chhatarpur,
8377087607 Full Enjoy @24/7-CLEAN-Call Girls In Chhatarpur,8377087607 Full Enjoy @24/7-CLEAN-Call Girls In Chhatarpur,
8377087607 Full Enjoy @24/7-CLEAN-Call Girls In Chhatarpur,dollysharma2066
 
CALL ON ➥8923113531 🔝Call Girls Mahanagar Lucknow best sexual service
CALL ON ➥8923113531 🔝Call Girls Mahanagar Lucknow best sexual serviceCALL ON ➥8923113531 🔝Call Girls Mahanagar Lucknow best sexual service
CALL ON ➥8923113531 🔝Call Girls Mahanagar Lucknow best sexual serviceanilsa9823
 
Top Rated Pune Call Girls Tingre Nagar ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Tingre Nagar ⟟ 6297143586 ⟟ Call Me For Genuine Se...Top Rated Pune Call Girls Tingre Nagar ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Tingre Nagar ⟟ 6297143586 ⟟ Call Me For Genuine Se...Call Girls in Nagpur High Profile
 
Lilac Illustrated Social Psychology Presentation.pptx
Lilac Illustrated Social Psychology Presentation.pptxLilac Illustrated Social Psychology Presentation.pptx
Lilac Illustrated Social Psychology Presentation.pptxABMWeaklings
 
办理国外毕业证学位证《原版美国montana文凭》蒙大拿州立大学毕业证制作成绩单修改
办理国外毕业证学位证《原版美国montana文凭》蒙大拿州立大学毕业证制作成绩单修改办理国外毕业证学位证《原版美国montana文凭》蒙大拿州立大学毕业证制作成绩单修改
办理国外毕业证学位证《原版美国montana文凭》蒙大拿州立大学毕业证制作成绩单修改atducpo
 
9892124323, Call Girls in mumbai, Vashi Call Girls , Kurla Call girls
9892124323, Call Girls in mumbai, Vashi Call Girls , Kurla Call girls9892124323, Call Girls in mumbai, Vashi Call Girls , Kurla Call girls
9892124323, Call Girls in mumbai, Vashi Call Girls , Kurla Call girlsPooja Nehwal
 
Cheap Rate ➥8448380779 ▻Call Girls In Mg Road Gurgaon
Cheap Rate ➥8448380779 ▻Call Girls In Mg Road GurgaonCheap Rate ➥8448380779 ▻Call Girls In Mg Road Gurgaon
Cheap Rate ➥8448380779 ▻Call Girls In Mg Road GurgaonDelhi Call girls
 
《塔夫斯大学毕业证成绩单购买》做Tufts文凭毕业证成绩单/伪造美国假文凭假毕业证书图片Q微信741003700《塔夫斯大学毕业证购买》《Tufts毕业文...
《塔夫斯大学毕业证成绩单购买》做Tufts文凭毕业证成绩单/伪造美国假文凭假毕业证书图片Q微信741003700《塔夫斯大学毕业证购买》《Tufts毕业文...《塔夫斯大学毕业证成绩单购买》做Tufts文凭毕业证成绩单/伪造美国假文凭假毕业证书图片Q微信741003700《塔夫斯大学毕业证购买》《Tufts毕业文...
《塔夫斯大学毕业证成绩单购买》做Tufts文凭毕业证成绩单/伪造美国假文凭假毕业证书图片Q微信741003700《塔夫斯大学毕业证购买》《Tufts毕业文...ur8mqw8e
 
办理西悉尼大学毕业证成绩单、制作假文凭
办理西悉尼大学毕业证成绩单、制作假文凭办理西悉尼大学毕业证成绩单、制作假文凭
办理西悉尼大学毕业证成绩单、制作假文凭o8wvnojp
 

Recently uploaded (20)

CALL ON ➥8923113531 🔝Call Girls Adil Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Adil Nagar Lucknow best Female serviceCALL ON ➥8923113531 🔝Call Girls Adil Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Adil Nagar Lucknow best Female service
 
Dhule Call Girls #9907093804 Contact Number Escorts Service Dhule
Dhule Call Girls #9907093804 Contact Number Escorts Service DhuleDhule Call Girls #9907093804 Contact Number Escorts Service Dhule
Dhule Call Girls #9907093804 Contact Number Escorts Service Dhule
 
Lucknow 💋 High Class Call Girls Lucknow 10k @ I'm VIP Independent Escorts Gir...
Lucknow 💋 High Class Call Girls Lucknow 10k @ I'm VIP Independent Escorts Gir...Lucknow 💋 High Class Call Girls Lucknow 10k @ I'm VIP Independent Escorts Gir...
Lucknow 💋 High Class Call Girls Lucknow 10k @ I'm VIP Independent Escorts Gir...
 
Breath, Brain & Beyond_A Holistic Approach to Peak Performance.pdf
Breath, Brain & Beyond_A Holistic Approach to Peak Performance.pdfBreath, Brain & Beyond_A Holistic Approach to Peak Performance.pdf
Breath, Brain & Beyond_A Holistic Approach to Peak Performance.pdf
 
REFLECTIONS Newsletter Jan-Jul 2024.pdf.pdf
REFLECTIONS Newsletter Jan-Jul 2024.pdf.pdfREFLECTIONS Newsletter Jan-Jul 2024.pdf.pdf
REFLECTIONS Newsletter Jan-Jul 2024.pdf.pdf
 
escort service sasti (*~Call Girls in Paschim Vihar Metro❤️9953056974
escort service sasti (*~Call Girls in Paschim Vihar Metro❤️9953056974escort service sasti (*~Call Girls in Paschim Vihar Metro❤️9953056974
escort service sasti (*~Call Girls in Paschim Vihar Metro❤️9953056974
 
Postal Ballot procedure for employees to utilise
Postal Ballot procedure for employees to utilisePostal Ballot procedure for employees to utilise
Postal Ballot procedure for employees to utilise
 
Call Girls Anjuna beach Mariott Resort ₰8588052666
Call Girls Anjuna beach Mariott Resort ₰8588052666Call Girls Anjuna beach Mariott Resort ₰8588052666
Call Girls Anjuna beach Mariott Resort ₰8588052666
 
Model Call Girl in Lado Sarai Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Lado Sarai Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Lado Sarai Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Lado Sarai Delhi reach out to us at 🔝9953056974🔝
 
CALL ON ➥8923113531 🔝Call Girls Aliganj Lucknow best sexual service
CALL ON ➥8923113531 🔝Call Girls Aliganj Lucknow best sexual serviceCALL ON ➥8923113531 🔝Call Girls Aliganj Lucknow best sexual service
CALL ON ➥8923113531 🔝Call Girls Aliganj Lucknow best sexual service
 
CALL ON ➥8923113531 🔝Call Girls Rajajipuram Lucknow best sexual service
CALL ON ➥8923113531 🔝Call Girls Rajajipuram Lucknow best sexual serviceCALL ON ➥8923113531 🔝Call Girls Rajajipuram Lucknow best sexual service
CALL ON ➥8923113531 🔝Call Girls Rajajipuram Lucknow best sexual service
 
8377087607 Full Enjoy @24/7-CLEAN-Call Girls In Chhatarpur,
8377087607 Full Enjoy @24/7-CLEAN-Call Girls In Chhatarpur,8377087607 Full Enjoy @24/7-CLEAN-Call Girls In Chhatarpur,
8377087607 Full Enjoy @24/7-CLEAN-Call Girls In Chhatarpur,
 
CALL ON ➥8923113531 🔝Call Girls Mahanagar Lucknow best sexual service
CALL ON ➥8923113531 🔝Call Girls Mahanagar Lucknow best sexual serviceCALL ON ➥8923113531 🔝Call Girls Mahanagar Lucknow best sexual service
CALL ON ➥8923113531 🔝Call Girls Mahanagar Lucknow best sexual service
 
Top Rated Pune Call Girls Tingre Nagar ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Tingre Nagar ⟟ 6297143586 ⟟ Call Me For Genuine Se...Top Rated Pune Call Girls Tingre Nagar ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Tingre Nagar ⟟ 6297143586 ⟟ Call Me For Genuine Se...
 
Lilac Illustrated Social Psychology Presentation.pptx
Lilac Illustrated Social Psychology Presentation.pptxLilac Illustrated Social Psychology Presentation.pptx
Lilac Illustrated Social Psychology Presentation.pptx
 
办理国外毕业证学位证《原版美国montana文凭》蒙大拿州立大学毕业证制作成绩单修改
办理国外毕业证学位证《原版美国montana文凭》蒙大拿州立大学毕业证制作成绩单修改办理国外毕业证学位证《原版美国montana文凭》蒙大拿州立大学毕业证制作成绩单修改
办理国外毕业证学位证《原版美国montana文凭》蒙大拿州立大学毕业证制作成绩单修改
 
9892124323, Call Girls in mumbai, Vashi Call Girls , Kurla Call girls
9892124323, Call Girls in mumbai, Vashi Call Girls , Kurla Call girls9892124323, Call Girls in mumbai, Vashi Call Girls , Kurla Call girls
9892124323, Call Girls in mumbai, Vashi Call Girls , Kurla Call girls
 
Cheap Rate ➥8448380779 ▻Call Girls In Mg Road Gurgaon
Cheap Rate ➥8448380779 ▻Call Girls In Mg Road GurgaonCheap Rate ➥8448380779 ▻Call Girls In Mg Road Gurgaon
Cheap Rate ➥8448380779 ▻Call Girls In Mg Road Gurgaon
 
《塔夫斯大学毕业证成绩单购买》做Tufts文凭毕业证成绩单/伪造美国假文凭假毕业证书图片Q微信741003700《塔夫斯大学毕业证购买》《Tufts毕业文...
《塔夫斯大学毕业证成绩单购买》做Tufts文凭毕业证成绩单/伪造美国假文凭假毕业证书图片Q微信741003700《塔夫斯大学毕业证购买》《Tufts毕业文...《塔夫斯大学毕业证成绩单购买》做Tufts文凭毕业证成绩单/伪造美国假文凭假毕业证书图片Q微信741003700《塔夫斯大学毕业证购买》《Tufts毕业文...
《塔夫斯大学毕业证成绩单购买》做Tufts文凭毕业证成绩单/伪造美国假文凭假毕业证书图片Q微信741003700《塔夫斯大学毕业证购买》《Tufts毕业文...
 
办理西悉尼大学毕业证成绩单、制作假文凭
办理西悉尼大学毕业证成绩单、制作假文凭办理西悉尼大学毕业证成绩单、制作假文凭
办理西悉尼大学毕业证成绩单、制作假文凭
 

How to Think Like a Vulnerability Assessor

  • 1. 1 Talk for the 58th Annual ASIS Meeting Philadelphia, PA, September 10-13, 2012 Roger G. Johnston, Ph.D., CPP Jon S. Warner, Ph.D. Vulnerability Assessment Team Argonne National Laboratory 630-252-6168 rogerj@anl.gov Vulnerability Assessment Team (VAT)! Sponsors • DHS • DoD • DOS • IAEA • Euratom • DOE/NNSA • private companies • intelligence agencies • public interest organizations The VAT has done detailed vulnerability assessments on over 1000 different security devices, systems, & programs. The greatest of faults, I should say, is to be conscious of none. -- Thomas Carlyle (1795-1881) A multi-disciplinary team of physicists, engineers, hackers, & social scientists. Check us out on YouTube: keywords = argonne break into 2
  • 2. 2 Terminology! Threat: Who might attack, why, when, how, with what probability, and with what resources. (Includes information on goals and attack modes.) Threat Assessment (TA): Attempting to identify threats. Terminology! Vulnerability: Flaw or weakness that could be exploited to cause undesirable consequences. Vulnerability Assessment (VA): Discovering and demonstrating ways to defeat a security device, system, or program. Should include suggesting countermeasures and security improvements.
  • 3. 3 Threat vs. Vulnerability! Threat: Adversaries might try to steal PII information (SSNs, credit card numbers, etc.) from our computer systems to commit crimes. Vulnerability: We don’t keep our anti-malware software up to date. _____________________________________________ Threat: Adversaries could dump toxic chemicals on our property, then blame us to try to get us in trouble with environmental officials and the public. Vulnerability: We don’t have good access control or video monitoring of our grounds. 5 Why VAs Trump TAs! (especially for catastrophic security incidents)! 6 Threats Vulnerabilities reactive, focused on the past proactive, focused on the future speculative right in front of you (if you’re willing to see them) hard to test testable not usually fixable often easy to fix often generic specific to the ground level details If you get the threats wrong but understand and (at least partially) fix the vulnerabilities, you may be ok. If you get the vulnerabilities wrong (or ignore them), you are probably in trouble despite how well you understand the threats.
  • 4. 4 Security Risk Management - An Optimization Problem! Inputs: ü assets to protect ü overall security goals ü asset valuation/prioritization ü consequences of successful attack(s) ü threat assessment ü vulnerability assessment ü available resources & possible security measures ü general security philosophy/strategy ü various estimated/guessed probabilities *often vague, incomplete, or missing **often under-estimated * Outputs: Ø What to protect and at what level Ø How to deploy resources optimally ** * * ** ** 7 * Purpose! The purpose of a VA is to improve security & minimize risk, not to: • Pass a test • Test security • Generate metrics • Justify the status quo • Praise or accuse anybody • Check against some standard • Claim there are no vulnerabilities • Engender warm & happy feelings • Determine who gets salary increases • Rationalize the research & development • Apply a mindless, bureaucratic stamp of approval • Endorse a security product/program or Certify it as “good” or “ready to use” 8
  • 5. 5 A VA is Not…! § auditing § quality control § reliability testing § efficiency testing § compliance testing § acceptance testing § ergonomics testing § performance testing § response time testing § operational assessment § environmental robustness testing 9 Techniques Often Confused with VAs! q feature analysis q threat assessment q Design Basis Threat q CARVER Method (DoD) q software assessment tools q security survey (walking around with a checklist) q security audit (are the rules known & being followed?) q fault or event tree analysis (from safety engineering) q Delphi Method (method for getting a decision from a panel of experts) 10
  • 6. 6 Vulnerability Assessment (VA) Blunders! These assumptions are wrong: • A vulnerability assessment should be done at the end. • There are a small number of vulnerabilities. • Most or all can be found & eliminated. • A VA should ideally find zero vulnerabilities. • Vulnerabilities are bad news. Vulnerability Assessment (VA) Blunders! • Not using creative people with a hacker mentality who want to find problems and suggest solutions • Conflicts of interest (economic & psychological) • Shooting the messenger • Sham rigor • The fallacy of precision • Fear of NORQ analysis 12 NORQ = Non-Objective Non-Reproducible Non-Quantifiable
  • 7. 7 Vulnerability Assessment (VA) Blunders! • Focusing on high-tech attacks • Letting attack methods define the vulnerabilities, not the other way around • Arbitrarily constrained VAs (scope, time, effort, by modules or components) • Limiting the VA to the lower part of the Vulnerability Pyramid Where Vulnerability Ideas Come From! The Vulnerability Pyramid 14
  • 8. 8 Safety & Security are 2 Relatively Unrelated Problems! Example: March 2012 Recall of 900,000 Safety 1st Push N’ Snap Cabinet Locks 140 reports of babies/toddlers defeating the locks, resulting in 3 poisonings Security: All about nefarious adversaries. Safety: No adversaries. 15 16 Working with Outside VAers! • Seek creative, hands-on assessors with a history of finding problems and suggesting solutions, and who are psychologically pre-disposed to doing so. • At least be sure at the end you understand what subtle attacks & insider attacks look like! • You don’t have to mitigate all discovered vulnerabilities or accept all suggestions, but be sure you have good reasons (not just ego, arrogance, denial, laziness, or wishful thinking).
  • 9. 9 17 Assembling Your Own VA Team:! Seek…! q hackers q narcissists q trouble makers q hands-on types q creative people q loop-hole finders q independent thinkers q questioners of authority q people curious about how things work Blunder: Thinking Engineers Understand Security" Engineers... • ...work in solution space, not problem space • …make things work but aren't trained or mentally inclined to figure out how to make things break • ...view Nature or economics as the adversary, not the bad guys • …think of technologies as failing randomly, not by deliberate, intelligent, malicious, opportunistic intent • …are not typically predisposed to think like bad guys • …focus on user friendliness—not making things difficult for the bad guys • ...like to add lots of extra features that open up new attack vectors • …want products to be simple to maintain, repair, and diagnose—which usually makes them easy to attack 18
  • 10. 10 19 “White Box” vs. “Black Box” VA! White Box: Full details, specifications, and technical disclosures are given to the Vulnerability Assessors at the start. [Most time/cost effective & closest to reality.] Black Box: The Vulnerability Assessors reverse engineering or discover all or most of the details on their own. [Interesting & illuminating, but usually not realistic or time/ cost effective.] Adversarial Vulnerability Assessments! • Perform a mental coordinate transformation and pretend to be the bad guys (or VAers). (This is much harder than you might think.) • Be much more creative than the adversaries. They need only stumble upon 1 vulnerability, the good guys have to worry about all of them. 20
  • 11. 11 Adversarial Vulnerability Assessments! • Don’t let the good guys & the existing security infrastructure and tactics define the problem. • Gleefully look for trouble, rather than seeking to reassure yourself that everything is fine. 21 We need to be more like fault finders. They find problems because they want to find problems, and because they are skeptical: • bad guys • therapists • movie critics • computer hackers • scientific peer reviewers • mothers-in-law 22
  • 12. 12 * AVA Steps 1. Fully understand the device, system, or program and how it is REALLY used. Talk to the low-level users and frontline personnel. 2. Play with it. 3. Brainstorm--anything goes! (Effective brainstorming is the key!) 4. Play with it some more. 23 * AVA Steps 5. Edit & prioritize potential attacks. 6. Partially develop some attacks. 7. Determine feasibility of the attacks. 8. Devise countermeasures. 9. Perfect attacks. 10. Demonstrate attacks. 11. Rigorously test attacks. 12. Rigorously test countermeasures.
  • 13. 13 Delaying Judgment! Nothing can inhibit and stifle the creative process more— and on this there is unanimous agreement among all creative individuals and investigators of creativity—than critical judgment applied to the emerging idea at the beginning stages of the creative process. ... More ideas have been prematurely rejected by a stringent evaluative attitude than would be warranted by any inherent weakness or absurdity in them. The longer one can linger with the idea with judgment held in abeyance, the better the chances all its details and ramifications [can emerge]. -- Eugene Raudsepp, Managing Creative Scientists and Engineers (1963). Keep the possibility phase completely separate from the practicality phase! 25 The Creative VA Process! • Individuals must be given ownership of their original idea & should be personally recognized for their creativity. • The group environment needs to be: + diverse + high-energy + people tired + urgent but not stressful + free of authority figures + humorous, joyful, & fun + cohesive but not too cohesive + competitive in a friendly & respectful way + enthusiastic about individual differences & eccentricities • Every idea, no matter how wacky or seemingly stupid, gets written down & treated as a gem, at least initially. 26
  • 14. 14 The Creative VA Process! Be skeptical! Pay close attention to explicit or unstated assumptions, and to security features that are widely praised or admired. These are often the source of serious vulnerabilities. Concentrate on the 2nd and 3rd best attacks or countermeasures. You are likely overlooking something that would make them the best solutions. If there is widespread agreement about the efficacy of an attack or countermeasure, re-examine. Something important was probably overlooked. The Creative VA Process! Quantity breeds quality. With all ideas: elaborate, expand, modify, subvert, exaggerate, & combine with other ideas. Pursue hunches & intuition. The best ideas come late, and when you are not thinking about the problem. Pursue what is interesting, controversial, contrarian, exciting, or silly. 28
  • 15. 15 The Creative VA Process! Develop and explore models, metaphors, & analogies. Terminology constrains our thinking. Rename everything in your own (and/or silly) words, and think about them in light of the new terminology. Consider different verbs for what the bad guys might want to accomplish: attack, steal, demolish, embarrass, tag, terminate, uncover, purify, whistleblow, poison, etc. Ridicule existing security measures & strategies. Avoid the fear of the NORQ! 29 Video!
  • 17. 17 Slacker Donuts! 33 You want like…um…a donut, dude?TM 34 Elements of the Slacker Donuts Security Program • No checks • There’s a safe for cash but $50 is immediately available to hand robbers • Cash taken to local bank at 11 AM • Not open 24/7 but bright illumination 24/7 • Periodic rounds by shared private security • Good relations with local community, businesses, police, street people • Shared slacker culture with employees and clientele • Secret recipes known to only a few
  • 18. 18 In Summary! * There are advantages to thinking like a Vulnerability Assessor when you think about your security. * Don’t get confused about what a VA is or its role in overall Risk Management. * To go into “Vulnerability Assessor Mode”, step outside yourself, be creative & irreverent+, and & try humor (which can be very mentally liberating). * You must want to find problems—or else find people who do. 35 * Special Thanks to: * Christopher Folk (for helping to develop the Fear of NORQ model) * Security Theater 3000 “Commercial” * Mitch Farmer.....Investment Banker * Jim Regis…..Former Security Officer * Roy Lindley…..Arthritis Patient * Veronica Manfredi…..Wife (& Tech Support/Graphics) * Christopher Folk…..Husband * Marrissa Faler…..Homemaker (& Tech Support) * Buddy the Dog…..As Himself * Greg Byslma…..Tech Support 36
  • 19. 19 For More Information...! Additional information is available from: rogerj@anl.gov and http://www.ne.anl.gov/capabilities/vat http://www.youtube.com/watch?v=frBBGJqkz9E