SlideShare a Scribd company logo

Understanding Vulnerability Assessments

Roger Johnston, profile picture
Roger Johnston

Vulnerability assessments (VAs) focus on identifying security weaknesses by thinking like attackers, distinguishing themselves from other techniques such as threat or risk assessments. They are superior in uncovering vulnerabilities and potential countermeasures because they employ imaginative and critical thinking. The confusion around the term 'vulnerabilities' can hinder discussions about security issues, underscoring the importance of clear terminology.

Business
Related topics:
Security Management Vulnerability Assessment Risk Assessment Information Security
1 of 1
Download to read offline
1
Vulnerability Assessments Roger G. Johnston Right Brain Sekurity http://rbsekurity.com The idea behind Vulnerability Assessments (VAs) is that we cannot prevent or test what we haven’t envisioned. Vulnerability Assessments (VAs) involve imaginatively thinking like the bad guys to discover security weaknesses (i.e., “vulnerabilities”), attack scenarios, and potential countermeasures. VAs are often confused with other security analysis techniques like threat assessments, risk assessments, security surveys, security audits, DBT, CARVER, pen testing, “red teaming”, etc. These other techniques may well be worth doing, but they commonly suffer from a number of problems: 1. They aren’t as good as VAs at finding vulnerabilities, attack scenarios, and countermeasures, often because they are focused on other things. 2. They are rarely done in an imaginative manner by creative people using critical thinking skills. 3. Unlike VAs, they don’t mimic the thought processes of the bad guys. If we want to predict what the bad guys may do, we need to think like them! 4. These (often formalistic) methods typically suffer from the Fallacy of Precision and/or claims of exactness, objectivity, and reproducibility that—upon close examination—are merely sham rigor. One of the problems is that the term “vulnerabilities” often gets hijacked so that it becomes confused in people’s minds with threats, risks, assets that we need to protect, features of our facility or security program, or attack scenarios. When this happens, it becomes difficult to think and talk about the problems with our security. Sloppy terminology does have consequences! https://www.amazon.com/dp/B08C9D73Z9

More Related Content

PDF
Vulnerability Assessment Myths
Roger Johnston
 
PDF
How to Think Like a Vulnerability Assessor
Roger Johnston
 
DOC
Adversarial Safety Analysis
Roger Johnston
 
PDF
Threats vs. Vulnerabilities
Roger Johnston
 
PDF
Focusing on the Threats to the Detriment of the Vulnerabilities
Roger Johnston
 
PDF
Design Reviews Versus Vulnerability Assessments for Physical Security
Roger Johnston
 
DOCX
Security Assurance
Roger Johnston
 
PDF
Understanding Information Security Assessment Types
HackerOne
 
Vulnerability Assessment Myths
Roger Johnston
 
How to Think Like a Vulnerability Assessor
Roger Johnston
 
Adversarial Safety Analysis
Roger Johnston
 
Threats vs. Vulnerabilities
Roger Johnston
 
Focusing on the Threats to the Detriment of the Vulnerabilities
Roger Johnston
 
Design Reviews Versus Vulnerability Assessments for Physical Security
Roger Johnston
 
Security Assurance
Roger Johnston
 
Understanding Information Security Assessment Types
HackerOne
 

Similar to Understanding Vulnerability Assessments (19)

PPTX
Introduction to FAIR - Factor Analysis of Information Risk
Osama Salah
 
PPTX
Economically driven Cyber Risk Management
Osama Salah
 
PDF
Relating Risk to Vulnerability
Resolver Inc.
 
PPTX
Increasing Value Of Security Assessment Services
Chris Nickerson
 
PPTX
Risk identification
sapna moodautia
 
DOCX
Explain the differences between a threat assessment- a vulnerability a.docx
james876543264
 
PDF
The Russell Realty Group SWOT Analysis
The Russell Realty Group
 
PDF
Scenario Planning- Psychological Perspective
azizali
 
PDF
Artificial Intelligence – Time Bomb or The Promised Land?
Raffael Marty
 
PDF
Insider Threat Mitigation
Roger Johnston
 
PPTX
Semi-quantitative approach to risk analysis
RiskTracer
 
PDF
cybersecurity-series-2019-threat-hunting.pdf
CecilSu
 
PPTX
Red Teaming and the Supply Chain
Ollie Whitehouse
 
PDF
Step Into Security Webinar - Threat Assessments in Schools
Keith Harris
 
PDF
Step Into Security Webinar - Threat Assessments for K-12 & University Campuses
Keith Harris
 
PPT
Introduction to unconscious bias
Karen M. Landolt
 
PPTX
Управление рисками: как перестать верить в иллюзии
Positive Hack Days
 
PDF
Beyond Bias
Strategy&, a member of the PwC network
 
PDF
Root Cause Analysis versus Shallow Cause Analysis
Bob Latino
 
Introduction to FAIR - Factor Analysis of Information Risk
Osama Salah
 
Economically driven Cyber Risk Management
Osama Salah
 
Relating Risk to Vulnerability
Resolver Inc.
 
Increasing Value Of Security Assessment Services
Chris Nickerson
 
Risk identification
sapna moodautia
 
Explain the differences between a threat assessment- a vulnerability a.docx
james876543264
 
The Russell Realty Group SWOT Analysis
The Russell Realty Group
 
Scenario Planning- Psychological Perspective
azizali
 
Artificial Intelligence – Time Bomb or The Promised Land?
Raffael Marty
 
Insider Threat Mitigation
Roger Johnston
 
Semi-quantitative approach to risk analysis
RiskTracer
 
cybersecurity-series-2019-threat-hunting.pdf
CecilSu
 
Red Teaming and the Supply Chain
Ollie Whitehouse
 
Step Into Security Webinar - Threat Assessments in Schools
Keith Harris
 
Step Into Security Webinar - Threat Assessments for K-12 & University Campuses
Keith Harris
 
Introduction to unconscious bias
Karen M. Landolt
 
Управление рисками: как перестать верить в иллюзии
Positive Hack Days
 
Beyond Bias
Strategy&, a member of the PwC network
 
Root Cause Analysis versus Shallow Cause Analysis
Bob Latino
 
Ad

More from Roger Johnston (20)

PDF
In Risu Veritas: Humor & Security
Roger Johnston
 
PDF
Journal of Physical Security 15(1)
Roger Johnston
 
PDF
Security Audits.pdf
Roger Johnston
 
PDF
Camera Obscura and Security/Privacy
Roger Johnston
 
PDF
Vulnerability Assessment: The Missing Manual for the Missing Link
Roger Johnston
 
PDF
Journal of Physical Security 14(1)
Roger Johnston
 
PDF
Want seals with that?
Roger Johnston
 
PDF
Journal of Physical Security 13(1)
Roger Johnston
 
DOCX
Election Security 2020
Roger Johnston
 
PDF
A New Approach to Vulnerability Assessment
Roger Johnston
 
PDF
Devil's Dictionary of Security Terms
Roger Johnston
 
PDF
Vulnerability Assessments
Roger Johnston
 
PDF
Journal of Physical Security 12(3)
Roger Johnston
 
PDF
Journal of Physical Security 12(2)
Roger Johnston
 
PDF
Unconventional Security Devices
Roger Johnston
 
PDF
Making the Business Case for Security Investment
Roger Johnston
 
PDF
Journal of Physical Security 11(1)
Roger Johnston
 
PDF
Journal of Physical Security 10(1)
Roger Johnston
 
PDF
How to Remove Voter's Ink
Roger Johnston
 
PDF
Unconventional Security Metrics & Marginal Analysis
Roger Johnston
 
In Risu Veritas: Humor & Security
Roger Johnston
 
Journal of Physical Security 15(1)
Roger Johnston
 
Security Audits.pdf
Roger Johnston
 
Camera Obscura and Security/Privacy
Roger Johnston
 
Vulnerability Assessment: The Missing Manual for the Missing Link
Roger Johnston
 
Journal of Physical Security 14(1)
Roger Johnston
 
Want seals with that?
Roger Johnston
 
Journal of Physical Security 13(1)
Roger Johnston
 
Election Security 2020
Roger Johnston
 
A New Approach to Vulnerability Assessment
Roger Johnston
 
Devil's Dictionary of Security Terms
Roger Johnston
 
Vulnerability Assessments
Roger Johnston
 
Journal of Physical Security 12(3)
Roger Johnston
 
Journal of Physical Security 12(2)
Roger Johnston
 
Unconventional Security Devices
Roger Johnston
 
Making the Business Case for Security Investment
Roger Johnston
 
Journal of Physical Security 11(1)
Roger Johnston
 
Journal of Physical Security 10(1)
Roger Johnston
 
How to Remove Voter's Ink
Roger Johnston
 
Unconventional Security Metrics & Marginal Analysis
Roger Johnston
 
Ad

Recently uploaded (20)

PDF
Family Law: The Role of Communication in Mediation (www.kiu.ac.ug)
publication11
 
PDF
Module 3 - Functions of the Supervisor - Part 1 - Student Resource (1).pdf
OmoobaOrun1
 
PPTX
Board-Reporting-Package-by-Umbrex-5-23-23.pptx
Pars Six Sigma Excellence
 
PPTX
sales presentation، Training Overview.pptx
hamdullahazimi3
 
PDF
How to Get Approval for Business Funding
Jake Thornhill
 
PPTX
Astra-Investor- business Presentation (1).pptx
diksha27bhardwaj
 
PDF
Introduction to Generative Engine Optimization (GEO)
seoplus+
 
PPTX
svnfcksanfskjcsnvvjknsnvsdscnsncxasxa saccacxsax
ergvedfvef sdvsfvdvd
 
PDF
ANALYZING THE OPPORTUNITIES OF DIGITAL MARKETING IN BANGLADESH TO PROVIDE AN ...
IJMIT JOURNAL
 
PDF
Booking.com The Global AI Sentiment Report 2025
agatadrynko
 
PDF
Solaris Resources Presentation - Corporate August 2025.pdf
pchambers2
 
PDF
Nante Industrial Plug Factory: Engineering Quality for Modern Power Applications
gdhdgee963
 
PDF
Blood Collected straight from the donor into a blood bag and mixed with an an...
UsamaJaved91
 
PPTX
Negotiation and Persuasion Skills: A Shrewd Person's Perspective
smartanimesh2710
 
PPTX
TRAINNING, DEVELOPMENT AND APPRAISAL.pptx
sy2773667
 
PPT
Lecture 3344;;,,(,(((((((((((((((((((((((
princessbliss09
 
PDF
IFRS Notes in your pocket for study all the time
jjj81507
 
PPTX
3. HISTORICAL PERSPECTIVE UNIIT 3^..pptx
ZAMANYousufzai1
 
PDF
Charisse Litchman: A Maverick Making Neurological Care More Accessible
The lifescience magaizne
 
PDF
Solara Labs: Empowering Health through Innovative Nutraceutical Solutions
The lifescience magaizne
 
Family Law: The Role of Communication in Mediation (www.kiu.ac.ug)
publication11
 
Module 3 - Functions of the Supervisor - Part 1 - Student Resource (1).pdf
OmoobaOrun1
 
Board-Reporting-Package-by-Umbrex-5-23-23.pptx
Pars Six Sigma Excellence
 
sales presentation، Training Overview.pptx
hamdullahazimi3
 
How to Get Approval for Business Funding
Jake Thornhill
 
Astra-Investor- business Presentation (1).pptx
diksha27bhardwaj
 
Introduction to Generative Engine Optimization (GEO)
seoplus+
 
svnfcksanfskjcsnvvjknsnvsdscnsncxasxa saccacxsax
ergvedfvef sdvsfvdvd
 
ANALYZING THE OPPORTUNITIES OF DIGITAL MARKETING IN BANGLADESH TO PROVIDE AN ...
IJMIT JOURNAL
 
Booking.com The Global AI Sentiment Report 2025
agatadrynko
 
Solaris Resources Presentation - Corporate August 2025.pdf
pchambers2
 
Nante Industrial Plug Factory: Engineering Quality for Modern Power Applications
gdhdgee963
 
Blood Collected straight from the donor into a blood bag and mixed with an an...
UsamaJaved91
 
Negotiation and Persuasion Skills: A Shrewd Person's Perspective
smartanimesh2710
 
TRAINNING, DEVELOPMENT AND APPRAISAL.pptx
sy2773667
 
Lecture 3344;;,,(,(((((((((((((((((((((((
princessbliss09
 
IFRS Notes in your pocket for study all the time
jjj81507
 
3. HISTORICAL PERSPECTIVE UNIIT 3^..pptx
ZAMANYousufzai1
 
Charisse Litchman: A Maverick Making Neurological Care More Accessible
The lifescience magaizne
 
Solara Labs: Empowering Health through Innovative Nutraceutical Solutions
The lifescience magaizne
 

Understanding Vulnerability Assessments

  • 1. Vulnerability Assessments Roger G. Johnston Right Brain Sekurity http://rbsekurity.com The idea behind Vulnerability Assessments (VAs) is that we cannot prevent or test what we haven’t envisioned. Vulnerability Assessments (VAs) involve imaginatively thinking like the bad guys to discover security weaknesses (i.e., “vulnerabilities”), attack scenarios, and potential countermeasures. VAs are often confused with other security analysis techniques like threat assessments, risk assessments, security surveys, security audits, DBT, CARVER, pen testing, “red teaming”, etc. These other techniques may well be worth doing, but they commonly suffer from a number of problems: 1. They aren’t as good as VAs at finding vulnerabilities, attack scenarios, and countermeasures, often because they are focused on other things. 2. They are rarely done in an imaginative manner by creative people using critical thinking skills. 3. Unlike VAs, they don’t mimic the thought processes of the bad guys. If we want to predict what the bad guys may do, we need to think like them! 4. These (often formalistic) methods typically suffer from the Fallacy of Precision and/or claims of exactness, objectivity, and reproducibility that—upon close examination—are merely sham rigor. One of the problems is that the term “vulnerabilities” often gets hijacked so that it becomes confused in people’s minds with threats, risks, assets that we need to protect, features of our facility or security program, or attack scenarios. When this happens, it becomes difficult to think and talk about the problems with our security. Sloppy terminology does have consequences! https://www.amazon.com/dp/B08C9D73Z9