Talk for the 58th Annual ASIS Meeting
Philadelphia, PA, September 10-13, 2012
Roger G. Johnston, Ph.D., CPP
Jon S. Warner, Ph.D.
Vulnerability Assessment Team
Argonne National Laboratory
630-252-6168 rogerj@anl.gov
Vulnerability Assessment Team (VAT)!
Sponsors
• DHS
• DoD
• DOS
• IAEA
• Euratom
• DOE/NNSA
• private companies
• intelligence agencies
• public interest organizations
The VAT has done detailed vulnerability assessments on over 1000 different security devices, systems, & programs.
The greatest of faults, I should say, is to be conscious of none.
-- Thomas Carlyle (1795-1881)
A multi-disciplinary team of physicists, engineers, hackers, & social scientists.
Check us out on YouTube: keywords = argonne break into 2
Terminology!
Threat: Who might attack, why, when, how, with
what probability, and with what resources. (Includes
information on goals and attack modes.)
Threat Assessment (TA): Attempting to identify
threats.
Vulnerability: Flaw or weakness that could be
exploited to cause undesirable consequences.
Vulnerability Assessment (VA): Discovering and
demonstrating ways to defeat a security device,
system, or program. Should include suggesting
countermeasures and security improvements.
Threat vs. Vulnerability!
Threat: Adversaries might try to steal PII information
(SSNs, credit card numbers, etc.) from our computer
systems to commit crimes.
Vulnerability: We don’t keep our anti-malware software
up to date.
_____________________________________________
Threat: Adversaries could dump toxic chemicals on our
property, then blame us to try to get us in trouble with
environmental officials and the public.
Vulnerability: We don’t have good access control or
video monitoring of our grounds.
Why VAs Trump TAs (especially for catastrophic security incidents)!
Threats vs. Vulnerabilities:
• Threats are reactive, focused on the past; vulnerabilities are proactive, focused on the future.
• Threats are speculative; vulnerabilities are right in front of you (if you’re willing to see them).
• Threats are hard to test; vulnerabilities are testable.
• Threats are not usually fixable; vulnerabilities are often easy to fix.
• Threats are often generic; vulnerabilities are specific to the ground-level details.
If you get the threats wrong but understand and (at least partially) fix the vulnerabilities, you may be ok.
If you get the vulnerabilities wrong (or ignore them), you are probably in trouble despite how well you understand the threats.
Security Risk Management - An Optimization Problem!
Inputs:
• assets to protect
• overall security goals
• asset valuation/prioritization
• consequences of successful attack(s)
• threat assessment
• vulnerability assessment
• available resources & possible security measures
• general security philosophy/strategy
• various estimated/guessed probabilities
* often vague, incomplete, or missing
** often under-estimated
Outputs:
• What to protect and at what level
• How to deploy resources optimally
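To make the "optimization problem" framing concrete, here is an added illustration that is not part of the original talk: a small Python model that takes the slide's inputs (asset consequences, guessed attack probabilities from a threat assessment, the flaws found by a vulnerability assessment, candidate security measures with costs, and a budget) and produces its outputs (which measures to deploy and how much expected loss remains per asset). Every name and number below is a constructed placeholder; the vulnerability/asset pairs are modelled loosely on the examples earlier in the deck. As the slide itself warns, the probabilities are guesses, so the result is a prioritization aid, not a precise answer.

```python
"""Security risk management as a small optimization problem.

Added example, not from the original talk. Every number is a constructed
placeholder standing in for the slide's inputs: asset consequences, a
threat assessment (attack probabilities), a vulnerability assessment,
candidate security measures, and the available resources (budget).
"""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Vulnerability:
    name: str
    asset: str
    p_attack: float     # guessed probability per year that this flaw is exploited
    consequence: float  # estimated loss if it is (same units as countermeasure cost)


@dataclass(frozen=True)
class Countermeasure:
    name: str
    cost: float
    mitigates: str      # name of the vulnerability it addresses
    reduction: float    # fraction of that vulnerability's expected loss it removes


def expected_loss(vulns):
    """Annualized expected loss per vulnerability: probability x consequence."""
    return {v.name: v.p_attack * v.consequence for v in vulns}


def residual_by_asset(vulns, selected):
    """Expected loss remaining on each asset after applying 'selected'.

    Two measures on the same vulnerability compound: remaining = prod(1 - r).
    """
    remaining = expected_loss(vulns)
    for m in selected:
        remaining[m.mitigates] *= (1.0 - m.reduction)
    per_asset = {}
    for v in vulns:
        per_asset[v.asset] = per_asset.get(v.asset, 0.0) + remaining[v.name]
    return per_asset


def optimize(vulns, measures, budget):
    """Exhaustively pick the affordable set of countermeasures that removes the
    most expected loss. Exponential in len(measures); fine for a short list."""
    baseline = sum(expected_loss(vulns).values())
    best, best_reduction = (), 0.0
    for k in range(len(measures) + 1):
        for combo in combinations(measures, k):
            if sum(m.cost for m in combo) > budget:
                continue
            reduction = baseline - sum(residual_by_asset(vulns, combo).values())
            if reduction > best_reduction + 1e-9:
                best, best_reduction = combo, reduction
    return {
        "selected": tuple(m.name for m in best),       # how to deploy resources
        "spent": sum(m.cost for m in best),
        "risk_removed": best_reduction,
        "residual_by_asset": residual_by_asset(vulns, best),  # what is still exposed, and how much
    }


# Constructed inputs (placeholders), loosely modelled on the threat/vulnerability
# pairs given earlier in the talk.
VULNS = [
    Vulnerability("stale anti-malware", "PII database", 0.30, 200.0),
    Vulnerability("no grounds access control", "grounds", 0.10, 500.0),
    Vulnerability("weak video monitoring", "grounds", 0.05, 500.0),
]
MEASURES = [
    Countermeasure("patch/update process", 10.0, "stale anti-malware", 0.80),
    Countermeasure("endpoint detection", 30.0, "stale anti-malware", 0.50),
    Countermeasure("fence and badge readers", 40.0, "no grounds access control", 0.70),
    Countermeasure("cameras on grounds", 25.0, "weak video monitoring", 0.60),
]
BUDGET = 50.0

if __name__ == "__main__":
    plan = optimize(VULNS, MEASURES, BUDGET)
    print("deploy:", plan["selected"], "cost:", plan["spent"])
    print("expected loss removed:", round(plan["risk_removed"], 1))
    for asset, loss in plan["residual_by_asset"].items():
        print(f"residual expected loss on {asset}: {loss:.1f}")
```

With these placeholder inputs the exhaustive search spends the whole budget on the patch process plus the fence and badge readers, removing 83 of the 135 units of baseline expected loss and leaving the grounds as the asset with the largest residual exposure. The point of running it is to see how sensitive that choice is: nudge any of the guessed probabilities and the "optimal" plan can flip, which is the fallacy of precision the deck warns about.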
Purpose!
The purpose of a VA is to improve security & minimize risk, not to:
• Pass a test
• Test security
• Generate metrics
• Justify the status quo
• Praise or accuse anybody
• Check against some standard
• Claim there are no vulnerabilities
• Engender warm & happy feelings
• Determine who gets salary increases
• Rationalize the research & development
• Apply a mindless, bureaucratic stamp of approval
• Endorse a security product/program or certify it as “good” or “ready to use”
A VA is Not…!
• auditing
• quality control
• reliability testing
• efficiency testing
• compliance testing
• acceptance testing
• ergonomics testing
• performance testing
• response time testing
• operational assessment
• environmental robustness testing
Techniques Often Confused with VAs!
• feature analysis
• threat assessment
• Design Basis Threat
• CARVER Method (DoD)
• software assessment tools
• security survey (walking around with a checklist)
• security audit (are the rules known & being followed?)
• fault or event tree analysis (from safety engineering)
• Delphi Method (method for getting a decision from a panel of experts)
Vulnerability Assessment (VA) Blunders!
These assumptions are wrong:
• A vulnerability assessment should be done at the end.
• There are a small number of vulnerabilities.
• Most or all can be found & eliminated.
• A VA should ideally find zero vulnerabilities.
• Vulnerabilities are bad news.
• Not using creative people with a hacker mentality who want to find problems and suggest solutions
• Conflicts of interest (economic & psychological)
• Shooting the messenger
• Sham rigor
• The fallacy of precision
• Fear of NORQ analysis (NORQ = Non-Objective, Non-Reproducible, Non-Quantifiable)
• Focusing on high-tech attacks
• Letting attack methods define the vulnerabilities, not the other way around
• Arbitrarily constrained VAs (scope, time, effort, by modules or components)
• Limiting the VA to the lower part of the Vulnerability Pyramid
Where Vulnerability Ideas Come From!
[Figure: The Vulnerability Pyramid]
Safety & Security are 2 Relatively Unrelated Problems!
Example: March 2012 Recall of 900,000 Safety 1st Push N’ Snap Cabinet Locks. 140 reports of babies/toddlers defeating the locks, resulting in 3 poisonings.
Security: All about nefarious adversaries.
Safety: No adversaries.
Working with Outside VAers!
• Seek creative, hands-on assessors with a history of finding
problems and suggesting solutions, and who are
psychologically pre-disposed to doing so.
• At least be sure at the end you understand what subtle
attacks & insider attacks look like!
• You don’t have to mitigate all discovered vulnerabilities
or accept all suggestions, but be sure you have good
reasons (not just ego, arrogance, denial, laziness, or
wishful thinking).
Assembling Your Own VA Team: Seek…!
• hackers
• narcissists
• trouble makers
• hands-on types
• creative people
• loop-hole finders
• independent thinkers
• questioners of authority
• people curious about how things work
Blunder: Thinking Engineers Understand Security!
Engineers...
• ...work in solution space, not problem space
• ...make things work but aren't trained or mentally inclined to figure out how to make things break
• ...view Nature or economics as the adversary, not the bad guys
• ...think of technologies as failing randomly, not by deliberate, intelligent, malicious, opportunistic intent
• ...are not typically predisposed to think like bad guys
• ...focus on user friendliness—not making things difficult for the bad guys
• ...like to add lots of extra features that open up new attack vectors
• ...want products to be simple to maintain, repair, and diagnose—which usually makes them easy to attack
“White Box” vs. “Black Box” VA!
White Box: Full details, specifications, and technical disclosures are given to the Vulnerability Assessors at the start.
[Most time/cost effective & closest to reality.]
Black Box: The Vulnerability Assessors reverse engineer or discover all or most of the details on their own.
[Interesting & illuminating, but usually not realistic or time/cost effective.]
Adversarial Vulnerability Assessments!
• Perform a mental coordinate transformation and pretend to be the bad guys (or VAers). (This is much harder than you might think.)
• Be much more creative than the adversaries. They need only stumble upon 1 vulnerability; the good guys have to worry about all of them.
• Don’t let the good guys & the existing security infrastructure and tactics define the problem.
• Gleefully look for trouble, rather than seeking to reassure yourself that everything is fine.
We need to be more like fault finders. They find problems because they want to find problems, and because they are skeptical:
• bad guys
• therapists
• movie critics
• computer hackers
• scientific peer reviewers
• mothers-in-law
AVA Steps
1. Fully understand the device, system, or program and how it is REALLY used. Talk to the low-level users and frontline personnel.
2. Play with it.
3. Brainstorm--anything goes! (Effective brainstorming is the key!)
4. Play with it some more.
5. Edit & prioritize potential attacks.
6. Partially develop some attacks.
7. Determine feasibility of the attacks.
8. Devise countermeasures.
9. Perfect attacks.
10. Demonstrate attacks.
11. Rigorously test attacks.
12. Rigorously test countermeasures.
Delaying Judgment!
Nothing can inhibit and stifle the creative process more—
and on this there is unanimous agreement among all creative
individuals and investigators of creativity—than critical
judgment applied to the emerging idea at the beginning stages
of the creative process. ... More ideas have been prematurely
rejected by a stringent evaluative attitude than would be
warranted by any inherent weakness or absurdity in them.
The longer one can linger with the idea with judgment held in
abeyance, the better the chances all its details and
ramifications [can emerge].
-- Eugene Raudsepp, Managing Creative Scientists
and Engineers (1963).
Keep the possibility phase completely separate from the practicality phase!
The Creative VA Process!
• Individuals must be given ownership of their original idea
& should be personally recognized for their creativity.
• The group environment needs to be:
+ diverse
+ high-energy
+ people tired
+ urgent but not stressful
+ free of authority figures
+ humorous, joyful, & fun
+ cohesive but not too cohesive
+ competitive in a friendly & respectful way
+ enthusiastic about individual differences & eccentricities
• Every idea, no matter how wacky
or seemingly stupid, gets written down
& treated as a gem, at least initially.
Be skeptical! Pay close attention to explicit or unstated
assumptions, and to security features that are widely
praised or admired. These are often the source of
serious vulnerabilities.
Concentrate on the 2nd and 3rd best attacks or
countermeasures. You are likely overlooking
something that would make them the best solutions.
If there is widespread agreement about the efficacy of an
attack or countermeasure, re-examine. Something
important was probably overlooked.
Quantity breeds quality.
With all ideas: elaborate, expand, modify, subvert,
exaggerate, & combine with other ideas. Pursue
hunches & intuition.
The best ideas come late, and when you are not thinking
about the problem.
Pursue what is interesting, controversial,
contrarian, exciting, or silly.
Develop and explore models, metaphors, & analogies.
Terminology constrains our thinking. Rename
everything in your own (and/or silly) words, and
think about them in light of the new terminology.
Consider different verbs for what the bad guys might
want to accomplish: attack, steal, demolish,
embarrass, tag, terminate, uncover, purify,
whistleblow, poison, etc.
Ridicule existing security measures & strategies.
Avoid the fear of the NORQ!
Video!
Slacker Donuts!
You want like…um…a donut, dude?™
Elements of the Slacker Donuts Security Program
• No checks
• There’s a safe for cash but $50 is immediately available to hand robbers
• Cash taken to local bank at 11 AM
• Not open 24/7 but bright illumination 24/7
• Periodic rounds by shared private security
• Good relations with local community, businesses, police, street people
• Shared slacker culture with employees and clientele
• Secret recipes known to only a few
In Summary!
• There are advantages to thinking like a Vulnerability Assessor when you think about your security.
• Don’t get confused about what a VA is or its role in overall Risk Management.
• To go into “Vulnerability Assessor Mode”, step outside yourself, be creative & irreverent, and try humor (which can be very mentally liberating).
• You must want to find problems—or else find people who do.
* Special Thanks to:
* Christopher Folk (for helping to develop the Fear of NORQ model)
* Security Theater 3000 “Commercial”
* Mitch Farmer.....Investment Banker
* Jim Regis…..Former Security Officer
* Roy Lindley…..Arthritis Patient
* Veronica Manfredi…..Wife (& Tech Support/Graphics)
* Christopher Folk…..Husband
* Marrissa Faler…..Homemaker (& Tech Support)
* Buddy the Dog…..As Himself
* Greg Byslma…..Tech Support
For More Information...!
Additional information is
available from:
rogerj@anl.gov
and
http://www.ne.anl.gov/capabilities/vat
http://www.youtube.com/watch?v=frBBGJqkz9E