Focusing on the Threats to the Detriment of the Vulnerabilities
•
1 like•599 views
Slides from a talk at the NATO Advanced Workshop on Preparedness for Radiological and Nuclear Threats
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (20)
Similar to Focusing on the Threats to the Detriment of the Vulnerabilities
Similar to Focusing on the Threats to the Detriment of the Vulnerabilities (20)
More from Roger Johnston
More from Roger Johnston (20)
Recently uploaded
Recently uploaded (20)
Focusing on the Threats to the Detriment of the Vulnerabilities
- 1. Talk for the NATO Advanced Workshop on Preparedness for Nuclear and Radiological Threats Focusing on the Threats to the Detriment of the Vulnerabilities: A Vulnerability Assessor’s Perspective Roger G. Johnston, Ph.D., CPP Vulnerability Assessment Team Argonne Na=onal Laboratory 630-‐252-‐6168 rogerj@anl.gov hJp://www.ne.anl.gov/capabili=es/vat
- 2. This is a plea for more, earlier, better, and more imaginative vulnerability assessments for nuclear and radiological security/safeguards and emergency response.
- 3. Argonne Vulnerability Assessment Team The VAT has done vulnerability assessments on over 1000 different security and safeguards devices, systems, & programs. Sponsors • DOE • DoD • DOS • IAEA • NNSA • private companies • intelligence agencies • public interest organiza:ons
- 4. Argonne Vulnerability Assessment Team • biometrics • courier bags • GPS spoofing • access control • cargo security • reverse engineering • warehouse security • product tampering • product counterfei=ng • medical device security • consul=ng & training • physical security R&D • security guard turnover • insider threat mi=ga=on • security of sealed sources • security of drug test kits • human factors in security • vulnerability assessments • tamper/intrusion detec=on • RFID spoofing/counterfei=ng • tags & tamper-‐indica=ng seals • microprocessor & wireless systems • elec=on & vo=ng machine security • countermeasures to security theater • countermeasures to perceptual blindness • nuclear safeguards & monitoring equipment • countermeasures to sleight-‐of-‐hand & misdirec=on
- 5. Definitions Threat: Who might attack, why, when, and how, and with what resources and probabilities. Threat Assessment (TA): Attempting to identify threats.
- 6. Definitions Vulnerability: A security weakness that can be exploited to cause undesirable consequences. Vulnerability Assessment (VA): Discovering and demonstrating ways to defeat a security device, system, or program. Often includes suggesting countermeasures and security improvements.
- 7. Things That Often Get Confused with Vulnerabilities ² Assets ² Threats ² Attack Scenarios ² Delay Paths ² Features
- 8. Threats vs. Vulnerabilities Threat Assessments (TAs) are speculations about groups and people who may or may not exist, their goals, motivations, and resources. TAs are often reactive in nature, i.e., focused on past incidents. Vulnerabilities are right in front of you (if you will open your eyes and mind), and are often testable. VAs are typically proactive in nature. Oddly, however, TAs are usually much more reproducible than VAs!
- 9. Purpose The purpose of a VA is to: 1. Improve security or emergency response. 2. Serve as one of the inputs to overall Risk Management.
- 10. • list of assets to protect • asset valua=on/priori=za=on • overall security goals • consequences of successful aJack(s) • threat assessment • vulnerability assessment • available resources & possible security measures • general security philosophy/strategy • psychological tolerance for risk • various es=mated/guessed probabili=es • acceptable tradeoffs in produc=vity vs. security, reputa=on vs. security, morale vs. security, safety vs. security, and liberty/privacy vs. security Modern Risk Management • What INPUT PARAMETERS OUTPUT PARAMETERS: to protect • How to protect it • How à to deploy security resources op=mally DECISION MAKING PROCESS Value Judgments Objec=ve Analysis Subjec=ve Analysis Experience & Exper=se Intui=on & Hunches
- 11. Not the Purpose The purpose of a VA is not to: • “Validate” • Pass a test • Generate metrics • Justify the status quo • Praise or accuse anybody • Check against some standard • Claim there are no vulnerabilities • Engender warm & happy feelings • Test security or do performance testing • Rationalize the research & development • Apply a mindless, bureaucratic stamp of approval • Endorse a security product or program, or certify it as “good” or “ready for use”
- 12. Techniques Often Mistaken for VAs • security survey (walking around with a checklist) • security audit (are the rules being followed?) • feature analysis • threat assessment • Design Basis Threat • fault or event tree analysis (from safety engineering) • Delphi Method (method for getting a decision from a panel of experts)
- 13. Techniques Often Mistaken for VAs • vulnerability “modeling” • software assessment tools • 3D representations of the facility • CARVER Method (DoD & law enforcement) • performance testing • Risk Management • delay path analysis
- 14. Vulnerabilities Are the Threat Maxim: Security (and emergency response) typically fails not because the threats were misunderstood, but because the vulnerabilities were not recognized and/or not mitigated.
- 15. Vulnerabilities Trump Threats Maxim: If you understand your threats but are clueless about your vulnerabilities, you’re in trouble. One the other hand, if you understand your vulnerabilities and try to mitigate them, you might be ok, even if you get your threats wrong (which is quite possible).
- 16. Examples of Vulnerabilities Being the Problem • Hurricane Katrina, 2005 • Breach of the Y-‐12 nuclear facility by an 82-‐year-‐old nun and two other protesters, 2012 • Target stores credit card hack, 2013 • White House fence jumper, 2014
- 17. Michener’s Maxim: We are never prepared for what we expect.
- 18. Waylayered Security Maxim: Layered security will fail stupidly.
- 19. For 170 other security maxims: https://www.scribd.com/doc/46333208/Security-Maxims-October-2014
- 20. So why are threats more popular • There than vulnerabilities? are fewer threats than vulnerabili=es • TAs are reproducible & reac=ve • Formalis=c, objec=ve methods work fairly well for TAs • VAs require imagina=on, subjec=ve judgment, and “thinking like the bad guys” • No security or emergency response program claims zero threats, but there is strong cogni=ve dissonance about vulnerabili=es • Vulnerabili=es depend cri=cally on local details
- 21. Thinking Like the Bad Guys Bad Guys Don’t Do: TAs, DBT, security audits, etc. They do something closer to VAs. So if we are going to predict what they might do, we need to do creative VAs as well!
- 22. Creative Vulnerability Assessments! • Perform a mental coordinate transformation and pretend to be the bad guys (or VAers). (This is much harder than you might think.) • Be much more creative than the adversaries. They need only stumble upon 1 vulnerability, the good guys have to worry about all of them.
- 23. Creative Vulnerability Assessments! • Don’t let the good guys & the existing security infrastructure and tactics define the problem. • Gleefully look for trouble, rather than seeking to reassure yourself that everything is fine.
- 24. We need to be more like these expert fault finders. They find problems because they want to find problems, and because they are skeptical: • bad guys • therapists • movie critics • computer hackers • scientific peer reviewers • mothers-in-law
- 25. Where Vulnerability! Ideas Come From! The Vulnerability Pyramid
- 26. Warning! “Fear of NORQ” is not a valid reason to try to force-fit formalistic methods onto VAs! The… Non-‐Objec=ve Non-‐Reproducible Non-‐Quan=fiable NORQ All effec=ve security and risk management is ul=mately subjec=ve, no maJer how much we may wish to pretend it isn’t.
- 27. Emergency Response Two Kinds of Vulnerabilities: - flaws in the response - vulnerability to attacks on the response Are we properly prepared for attacks during emergency response, attacks by the original attackers or by a different set of attackers? (Wait & Pounce is a very effective attack strategy!)
- 28. Nuclear & Radiological Security Problems from a Vulnerability Assessor’s Perspective • Poor tags & seals, poor use protocols, poor tamper detection for monitoring and security devices • Confusing inventory functions with security functions: why GPS, RFIDs, MC&A programs often provide poor security • VAs not done, not done early, not done iteratively, not done well, not done by the right people • VA myths & blunders • Poor or not-existent Chain of Custody for procured hardware & software
- 29. Warning: Chain of Custody The importance of a cradle-‐to-‐grave, secure chain of custody: Most security devices (locks, tags, seals, access control & biometrics devices, monitoring equipment, etc.) can usually be compromised in ~15 seconds, at the factory or vendor, on the loading dock, in transit, in the receiving department, before or aler being installed. Most “security” and nuclear safeguards devices have liJle built-‐in security or significant ability to detect intrusion/tampering.
- 30. Nuclear & Radiological Security Problems from a Vulnerability Assessor’s Perspective • Security as a last-minute “Band-Aid” • Lack of insider threat mitigation • Lack of research-based practice • Few countermeasures for groupthink & cognitive dissonance • Compliance-Based Security and “Security by Obscurity” • Confusing Safety & Security
- 31. Safety & Security are 2 Relatively Unrelated Problems! Example: March 2012 Recall of 900,000 Safety 1st Push N’ Snap Cabinet Locks 140 reports of babies/toddlers defeating the locks, resulting in 3 poisonings Security: All about intentional nefarious adversaries. Safety: No adversaries.
- 32. Problem: Lack of Research-Based Security Practice" The Journal of Physical Security A free, non-profit, online peer-reviewed R&D journal http://jps.anl.gov
- 33. For More Information… rogerj@anl.gov http://www.ne.anl.gov/capabilities/vat