What vulnerability assessors know that you should, too
By Roger Johnston and Jon Warner

Roger Johnston and Jon Warner have done vulnerability assessments on more than 1,000 physical security and nuclear safeguards devices, systems, and programs. This includes high-tech and low-tech, Government and commercial. This work was done for more than 50 Government and international agencies, private companies, and NGOs. This article explains some of the things they learned.

First off, security managers and others often don’t seem to understand what a vulnerability assessment (VA) is, or what it is for. The purpose of a VA is to improve security by finding and demonstrating security weaknesses, and perhaps suggesting possible countermeasures. A VA also often serves as one of the inputs to modern Risk Management.

Vulnerability lessons

A VA is not a test you ‘pass’ or some kind of ‘certification’. (You no more pass a VA than you pass marriage counselling.) A VA is not performance, compliance, readiness, ergonomics, or quality testing (though these things may have a bearing on vulnerabilities). It’s not a threat assessment. Don’t do a VA to justify the status quo, praise or criticise anybody, rationalise the research and development expenditures, endorse a product or security strategy, or apply a mindless stamp of approval. The ideal outcome of a VA is not to find zero or just a few vulnerabilities. If this happens, the VA should be redone by personnel who are competent, diligent, and honest.

The common idea that vulnerabilities are bad news is, we firmly believe, quite incorrect. Vulnerabilities are always present in large numbers; when you find one, that means you can do something about it. Admittedly, however, it is difficult to convince security managers that, ‘hey, we found another hole in the fence, isn’t that great news!’

Indeed, it’s a mistake to think that there are just a small number of vulnerabilities. There are usually a very large number, even for a simple security device, much less a complex security program. You will never know about many (perhaps most) of your vulnerabilities, but hopefully a good VA can find the most obvious and serious vulnerabilities, and the ones most likely to be exploited by adversaries.

Another serious security problem has to do with undue faith in security devices and high tech. For example, contrary to popular opinion, biometric signatures can usually be cloned fairly easily, but an adversary rarely needs to bother because biometric devices are usually so poorly designed, to date, that they can be easily compromised.
