Talk for the 58th Annual ASIS Meeting 
Philadelphia, PA, September 10-13, 2012 
Roger G. Johnston, Ph.D., CPP 
Jon S. Warner, Ph.D. 
Vulnerability Assessment Team 
Argonne National Laboratory 
630-252-6168 rogerj@anl.gov 
Vulnerability Assessment Team (VAT)
Sponsors 
• DHS 
• DoD 
• DOS 
• IAEA 
• Euratom 
• DOE/NNSA 
• private companies 
• intelligence agencies 
• public interest organizations 
The VAT has done detailed 
vulnerability assessments on 
over 1000 different security 
devices, systems, & programs. 
The greatest of faults, I should say, 
is to be conscious of none. 
-- Thomas Carlyle (1795-1881) 
A multi-disciplinary team of physicists, 
engineers, hackers, & social scientists. 
Check us out on YouTube: keywords = argonne break into
Terminology
Threat: Who might attack, why, when, how, with 
what probability, and with what resources. (Includes 
information on goals and attack modes.) 
Threat Assessment (TA): Attempting to identify 
threats. 
Vulnerability: Flaw or weakness that could be 
exploited to cause undesirable consequences. 
Vulnerability Assessment (VA): Discovering and 
demonstrating ways to defeat a security device, 
system, or program. Should include suggesting 
countermeasures and security improvements.
Threat vs. Vulnerability
Threat: Adversaries might try to steal PII (SSNs, credit 
card numbers, etc.) from our computer systems to 
commit crimes. 
Vulnerability: We don’t keep our anti-malware software 
up to date. 
_____________________________________________ 
Threat: Adversaries could dump toxic chemicals on our 
property, then blame us to try to get us in trouble with 
environmental officials and the public. 
Vulnerability: We don’t have good access control or 
video monitoring of our grounds. 
Why VAs Trump TAs 
(especially for catastrophic security incidents)
Threats                          Vulnerabilities
reactive, focused on the past    proactive, focused on the future
speculative                      right in front of you (if you’re willing to see them)
hard to test                     testable
not usually fixable              often easy to fix
often generic                    specific to the ground-level details
If you get the threats wrong 
but understand and (at least 
partially) fix the vulnerabilities, 
you may be ok. 
If you get the vulnerabilities 
wrong (or ignore them), you are 
probably in trouble despite how 
well you understand the threats.
Security Risk Management - An Optimization Problem
Inputs: 
• assets to protect 
• overall security goals 
• asset valuation/prioritization 
• consequences of successful attack(s) 
• threat assessment 
• vulnerability assessment 
• available resources & possible security measures 
• general security philosophy/strategy 
• various estimated/guessed probabilities 
Note: several of these inputs are typically vague, incomplete, or 
missing, and several are typically under-estimated. 
Outputs: 
• What to protect and at what level 
• How to deploy resources optimally 
Purpose
The purpose of a VA is to improve security & 
minimize risk, not to: 
• Pass a test 
• Test security 
• Generate metrics 
• Justify the status quo 
• Praise or accuse anybody 
• Check against some standard 
• Claim there are no vulnerabilities 
• Engender warm & happy feelings 
• Determine who gets salary increases 
• Rationalize the research & development 
• Apply a mindless, bureaucratic stamp of approval 
• Endorse a security product/program or certify it as “good” or “ready to use” 
A VA is Not…
• auditing 
• quality control 
• reliability testing 
• efficiency testing 
• compliance testing 
• acceptance testing 
• ergonomics testing 
• performance testing 
• response time testing 
• operational assessment 
• environmental robustness testing 
Techniques Often Confused with VAs
• feature analysis 
q threat assessment 
q Design Basis Threat 
q CARVER Method (DoD) 
q software assessment tools 
q security survey (walking around with a checklist) 
q security audit (are the rules known & being followed?) 
q fault or event tree analysis (from safety engineering) 
q Delphi Method (method for getting a decision from a 
panel of experts) 
10
6 
Vulnerability Assessment (VA) Blunders! 
These assumptions are wrong: 
• A vulnerability assessment should be done at the end. 
• There are a small number of vulnerabilities. 
• Most or all can be found & eliminated. 
• A VA should ideally find zero vulnerabilities. 
• Vulnerabilities are bad news. 
Vulnerability Assessment (VA) Blunders (continued)
• Not using creative people with a hacker mentality 
who want to find problems and suggest solutions 
• Conflicts of interest (economic & psychological) 
• Shooting the messenger 
• Sham rigor 
• The fallacy of precision 
• Fear of NORQ analysis (NORQ = Non-Objective, Non-Reproducible, Non-Quantifiable) 
• Focusing on high-tech attacks 
• Letting attack methods define the vulnerabilities, 
not the other way around 
• Arbitrarily constrained VAs (scope, time, effort, by 
modules or components) 
• Limiting the VA to the lower part of the Vulnerability Pyramid 
[Figure: Where Vulnerability Ideas Come From - The Vulnerability Pyramid] 
Safety & Security are Two Relatively Unrelated Problems
Example: March 2012 Recall of 900,000 
Safety 1st Push N’ Snap Cabinet Locks 
140 reports of babies/toddlers defeating 
the locks, resulting in 3 poisonings 
Security: All about nefarious adversaries. 
Safety: No adversaries. 
Working with Outside VAers
• Seek creative, hands-on assessors with a history of finding 
problems and suggesting solutions, and who are 
psychologically pre-disposed to doing so. 
• At least be sure at the end you understand what subtle 
attacks & insider attacks look like! 
• You don’t have to mitigate all discovered vulnerabilities 
or accept all suggestions, but be sure you have good 
reasons (not just ego, arrogance, denial, laziness, or 
wishful thinking).
Assembling Your Own VA Team: Seek… 
• hackers 
• narcissists 
• trouble makers 
• hands-on types 
• creative people 
• loop-hole finders 
• independent thinkers 
• questioners of authority 
• people curious about how things work 
Blunder: Thinking Engineers Understand Security
Engineers... 
• ...work in solution space, not problem space 
• ...make things work but aren't trained or mentally inclined to 
figure out how to make things break 
• ...view Nature or economics as the adversary, not the bad guys 
• ...think of technologies as failing randomly, not by deliberate, intelligent, malicious, 
opportunistic intent 
• ...are not typically predisposed to think like bad guys 
• ...focus on user friendliness, not on making things difficult for the bad guys 
• ...like to add lots of extra features that open up new attack vectors 
• ...want products to be simple to maintain, repair, and diagnose, which usually 
makes them easy to attack 
“White Box” vs. “Black Box” VA
White Box: Full details, specifications, and 
technical disclosures are given to the Vulnerability 
Assessors at the start. 
[Most time/cost effective & closest to reality.] 
Black Box: The Vulnerability Assessors reverse engineer 
or discover all or most of the details on their own. 
[Interesting & illuminating, but usually not realistic or 
time/cost effective.] 
Adversarial Vulnerability Assessments
• Perform a mental coordinate transformation 
and pretend to be the bad guys (or VAers). 
(This is much harder than you might think.) 
• Be much more creative than the 
adversaries. They need only stumble upon 
one vulnerability; the good guys have to 
worry about all of them. 
• Don’t let the good guys & the existing 
security infrastructure and tactics define the 
problem. 
• Gleefully look for trouble, rather than 
seeking to reassure yourself that everything 
is fine. 
We need to be more like fault finders. They 
find problems because they want to find 
problems, and because they are skeptical: 
• bad guys 
• therapists 
• movie critics 
• computer hackers 
• scientific peer reviewers 
• mothers-in-law 
AVA Steps 
1. Fully understand the device, system, or 
program and how it is REALLY used. 
Talk to the low-level users and frontline 
personnel. 
2. Play with it. 
3. Brainstorm--anything goes! 
(Effective brainstorming is the key!) 
4. Play with it some more. 
5. Edit & prioritize potential attacks. 
6. Partially develop some attacks. 
7. Determine feasibility of the attacks. 
8. Devise countermeasures. 
9. Perfect attacks. 
10. Demonstrate attacks. 
11. Rigorously test attacks. 
12. Rigorously test countermeasures.
Delaying Judgment
Nothing can inhibit and stifle the creative process more— 
and on this there is unanimous agreement among all creative 
individuals and investigators of creativity—than critical 
judgment applied to the emerging idea at the beginning stages 
of the creative process. ... More ideas have been prematurely 
rejected by a stringent evaluative attitude than would be 
warranted by any inherent weakness or absurdity in them. 
The longer one can linger with the idea with judgment held in 
abeyance, the better the chances all its details and 
ramifications [can emerge]. 
-- Eugene Raudsepp, Managing Creative Scientists 
and Engineers (1963). 
Keep the possibility phase 
completely separate from 
the practicality phase! 
The Creative VA Process
• Individuals must be given ownership of their original idea 
& should be personally recognized for their creativity. 
• The group environment needs to be: 
+ diverse 
+ high-energy 
+ people tired 
+ urgent but not stressful 
+ free of authority figures 
+ humorous, joyful, & fun 
+ cohesive but not too cohesive 
+ competitive in a friendly & respectful way 
+ enthusiastic about individual differences & eccentricities 
• Every idea, no matter how wacky 
or seemingly stupid, gets written down 
& treated as a gem, at least initially. 
Be skeptical! Pay close attention to explicit or unstated 
assumptions, and to security features that are widely 
praised or admired. These are often the source of 
serious vulnerabilities. 
Concentrate on the 2nd and 3rd best attacks or 
countermeasures. You are likely overlooking 
something that would make them the best solutions. 
If there is widespread agreement about the efficacy of an 
attack or countermeasure, re-examine. Something 
important was probably overlooked. 
Quantity breeds quality. 
With all ideas: elaborate, expand, modify, subvert, 
exaggerate, & combine with other ideas. Pursue 
hunches & intuition. 
The best ideas come late, and when you are not thinking 
about the problem. 
Pursue what is interesting, controversial, 
contrarian, exciting, or silly. 
Develop and explore models, metaphors, & analogies. 
Terminology constrains our thinking. Rename 
everything in your own (and/or silly) words, and 
think about them in light of the new terminology. 
Consider different verbs for what the bad guys might 
want to accomplish: attack, steal, demolish, 
embarrass, tag, terminate, uncover, purify, 
whistleblow, poison, etc. 
Ridicule existing security measures & strategies. 
Avoid the fear of the NORQ! 
Video!
17 
Slacker Donuts 
You want like…um…a donut, dude?™ 
Elements of the Slacker Donuts 
Security Program 
• No checks 
• There’s a safe for cash but $50 is 
immediately available to hand robbers 
• Cash taken to local bank at 11 AM 
• Not open 24/7 but bright illumination 
24/7 
• Periodic rounds by shared private 
security 
• Good relations with local community, 
businesses, police, street people 
• Shared slacker culture with 
employees and clientele 
• Secret recipes known to only a few
In Summary
* There are advantages to thinking like a Vulnerability 
Assessor when you think about your security. 
* Don’t get confused about what a VA is or its role in 
overall Risk Management. 
* To go into “Vulnerability Assessor Mode”, step 
outside yourself, be creative & irreverent, and try 
humor (which can be very mentally liberating). 
* You must want to find problems—or else find people 
who do. 
* Special Thanks to: 
* Christopher Folk (for helping to develop the Fear of NORQ model) 
* Security Theater 3000 “Commercial” 
* Mitch Farmer.....Investment Banker 
* Jim Regis…..Former Security Officer 
* Roy Lindley…..Arthritis Patient 
* Veronica Manfredi…..Wife (& Tech Support/Graphics) 
* Christopher Folk…..Husband 
* Marrissa Faler…..Homemaker (& Tech Support) 
* Buddy the Dog…..As Himself 
* Greg Byslma…..Tech Support 
For More Information...
Additional information is 
available from: 
rogerj@anl.gov 
and 
http://www.ne.anl.gov/capabilities/vat 
http://www.youtube.com/watch?v=frBBGJqkz9E
How to Think Like a Vulnerability Assessor