Show Your Vulnerable Side: How to do a Vulnerability Assessment - PowerPoint PPT Presentation

1
Show Your Vulnerable Side: How to do a Vulnerability Assessment
Talk for the 50th Annual ASIS Conference, Sept
26-30, 2004 (Dallas, TX)
  • Roger G. Johnston, Ph.D., CPP
  • Vulnerability Assessment Team
  • Los Alamos National Laboratory
  • 505-667-7414 rogerj@lanl.gov
  • http://pearl1.lanl.gov/seals/default.htm

LAUR-04-4147
2
LANL Vulnerability Assessment Team
  • Physical Security
  • consulting
  • cargo security
  • tamper detection
  • nuclear safeguards
  • training curricula
  • vulnerability assessments
  • novel security approaches
  • new tags & seals (patents)
  • unique vulnerability assessment lab

The VAT has done detailed vulnerability
assessments on hundreds of different security
devices, systems, programs.
The greatest of faults, I should say, is to be
conscious of none. -- Thomas Carlyle
(1795-1881)
3
Physical Security
This talk will focus primarily on vulnerability
assessments of physical security, but presumably
many of the ideas and principles also apply to
other types of security such as
  • computer security
  • network & Internet security
  • intellectual property security
  • information & records security
  • communications security

Better be despised for too anxious
apprehensions, than ruined by too confident
security. -- Edmund Burke (1729-1797)
4
Definitions
physical security: trying to protect valuable, tangible assets from harm. Examples of assets needing protection:
Security Guard: Don't make me take off my sunglasses! -- From the movie Bringing Out the Dead (1999)
5
Definitions (cont)
The harm that we wish to avoid might involve
The ultimate security is your understanding of
reality. -- H. Stanley Judd
6
Definitions (cont)
VAs
vulnerability assessment (VA): discovering and demonstrating ways to defeat a security device, system, or program. Should include suggesting counter-measures and security improvements.
He that wrestles with us strengthens our skill.
Our antagonist is our helper. -- Edmund
Burke (1729-1797)
7
Physical Security is Difficult!
Before thinking about how to assess physical security, we need to recognize that it is difficult and there are no guarantees of success. This is especially so because complacency, over-confidence, wishful thinking, and arrogance are not compatible with good security.
Danger breeds best on too much confidence. --
Pierre Corneille (1606-1684)
8
Why Physical Security is So Difficult
  • The traditional performance measure for security is pathological: success is often defined as nothing happening.
  • Cost/Benefit analysis is difficult.
  • There are few meaningful standards, fundamental principles, models, or theories.
  • Everything is a compromise & a tradeoff.

There is always more spirit in attack than in
defense. -- Titus Livius (59 BC)
9
Why Physical Security is So Difficult (cont)
  • Objectives are often remarkably vague.
  • Security managers & personnel aren't always creative or proactive, but adversaries may be.
  • Adversaries and their resources are usually unknown to security managers, yet the adversaries understand the security systems.
  • Society & employees often do not like security.

We spend all our time searching for security, and
then we hate it when we get it --
John Steinbeck (1902-1968)
10
Why Physical Security is So Difficult (cont)
  • Effective security management is highly multi-disciplinary: engineering, computer science, psychology, sociology, management, economics, communication, law.
  • Adversaries can attack at one point, but security managers may need to protect extended assets.
  • Adversaries need exploit only one or a small number of vulnerabilities, but security managers must identify, prioritize, and manage many vulnerabilities, including unknown ones.

We have to get it right every day and the
terrorists only have to get it right once. So we
have to be ahead of the game. --TSA
Spokeswoman Lauren Stover
11
Why Physical Security is So Difficult (cont)
  • Security functions are often tedious.
  • Security personnel have trouble identifying security vulnerabilities because they don't want them to exist.
  • (It's hard to think like the bad guys if you devote your career to being a good guy.)

No problem can be solved from the same
consciousness that created it. --
Albert Einstein (1879-1955)
12
Why Physical Security is So Difficult (cont)
  • Physical Security: scarcely a field at all!
    - You can't (for the most part) get a degree in it.
    - Not widely attracting young people, females, the best and the brightest.
    - Few peer-review, scholarly journals or R&D conferences.
    - Lots of snake oil salesmen.
    - Shortage of models, fundamental principles, metrics, rigor, standards, guidelines, critical thinking, creativity.
    - Overly macho and often dominated by bureaucrats, committees, groupthink, old boys' networks, linear/concrete/wishful thinkers.

The only security is the constant practice of
critical thinking. -- William Graham Sumner
(1840-1910)
13
Major Tools for Improving Security
  • Security Survey
  • Risk Management (Design Basis Threat)
  • Vulnerability Assessment

If we don't succeed, we run the risk of
failure. -- Dan Quayle
14
Security Surveys vs. Risk Management vs. VAs
  • Not really the same thing because they produce different results.
  • The task of identifying Threats & Vulnerabilities, done as part of Risk Management (or DBT), is too often not really a Vulnerability Assessment.
  • Security Surveys and Risk Management/DBT were major breakthroughs & are still useful. But they are not enough!

Men do not like to admit to even momentary imperfection. My husband forgot the code to turn off the alarm. When the police came, he wouldn't admit he'd forgotten the code... he turned himself in. --Rita Rudner
15
Security Survey
  • Basically a management walk-around.
  • Walk the spaces, looking for security problems.
  • A checklist is often used.

We made too many wrong mistakes. --
Yogi Berra
16
Limitations of Security Surveys
  • Binary
  • Close-ended
  • Often unimaginative
  • Not focused on adversaries
  • Overly focused on the check list
  • Does not encourage new countermeasures
  • Expectation that problems will leap out at you

It's better to be looked over than overlooked.
-- Mae West, Belle of the Nineties, 1934
17
Risk Management
  • Similar to Risk Management Techniques in other fields.
  • Identify Assets, Threats & Vulnerabilities, Adversaries, Consequences, Safeguards & Countermeasures.
  • Assign relative priorities and probabilities. (Generate lots of tables.)
  • Field your resources appropriately.

The first step in the risk management process is
to acknowledge the reality of risk. Denial is a
common tactic that substitutes deliberate
ignorance for thoughtful planning. --
Charles Tremper
18
Design Basis Threat (DBT)
  • Design Basis Threat is similar to Risk
    Management.
  • DBT basically means design your security to deal
    with the current real-world threats.
  • In practice, DBT tends to focus more on hardware
    and infrastructure than Risk Management does.

A hypothetical paradox what would happen in a
battle between an Enterprise security team, who
always get killed soon after appearing, and a
squad of Imperial Stormtroopers, who can't hit
the broad side of a planet? -- Tom
Galloway
19
Limitations of Conventional Risk Management (or
DBT)
  • There is rarely any guidance on how to determine the Threats & Vulnerabilities other than looking at past security incidents. But that is being reactive, not proactive. Not good enough post-9/11, in a rapidly changing world, or for dealing with rare catastrophic events.
  • Still binary & close-ended

You can never plan the future by the past.
-- Edmund Burke (1729-1797)
20
More Limitations of Conventional Risk Management (or DBT)
  • Often done unimaginatively
  • The attack probabilities are usually a fantasy
  • Suffers from overconfidence in tables and the fallacy of precision
  • Not done from the perspective of the adversaries

The time to repair the roof is when the sun is
shining. -- John F. Kennedy (1917-1963)
21
More Limitations of Conventional Risk Management (or DBT)
  • Tendency to let the good guys and existing security measures define the adversaries' attack modes
  • Often used to justify the status quo; typically does not encourage new countermeasures
  • Ignores simple/cheap countermeasures when the attack probabilities are judged (rightly or wrongly) to be low or zero

It isn't that they can't see the solution. It
is that they can't see the problem. -- G.K.
Chesterton, The Scandal of Father Brown
(1935)
22
Vulnerability Assessment
  • Perform a mental coordinate transformation and pretend to be the bad guys. (This is a lot harder to do than one might think.)
  • Gleefully look for trouble, rather than seeking to reassure yourself that everything is fine.
  • Unlike Security Surveys or Risk Management, don't let the good guys define the problem or its parameters.

It is sometimes expedient to forget who we are.
-- Publilius Syrus (42 BC)
23
Example: Open Window
security survey: issue orders to close & lock window!
risk management: ignore if not envisioned as part of a specific threat or attack from a likely adversary; otherwise, design procedure to close & lock window.
VA: Oh boy, an open window! What mischief can this lead to?
You can observe a lot by just watching.
-- Yogi Berra
24
Vulnerability Assessment Steps
  • Fully understand the device, system, or program
    and how it is REALLY used. Talk to the low-level
    users.
  • Play with it.
  • Brainstorm--anything goes!
  • Play with it some more.

Scientists are the easiest to fool. They think in
straight, predictable, directable, and therefore
misdirectable, lines. The only world they know is
the one where everything has a logical
explanation and things are what they appear to
be. Children and conjurors--they terrify me.
Scientists are no problem against them I feel
quite confident. -- Spoken by Zambendorf in
Code of the Lifemaker, (James Hogan, 1987)
25
Vulnerability Assessment Steps
  • Edit & prioritize potential attacks.
  • Partially develop some attacks.
  • Determine feasibility of the attacks.
  • Devise countermeasures.

It's awful hard to get people interested in
corruption unless they can get some of it.
-- Will Rogers (1879-1935)
26
Vulnerability Assessment Steps
  • Perfect attacks.
  • Demonstrate attacks.
  • Rigorously test attacks.
  • Rigorously test countermeasures.

A thing may look specious in theory, and yet be ruinous in practice; a thing may look evil in theory, and yet be in practice excellent. -- Edmund Burke (1729-1797)
27
Brain Storming
Nothing can inhibit and stifle the creative
process more--and on this there is unanimous
agreement among all creative individuals and
investigators of creativity--than critical
judgment applied to the emerging idea at the
beginning stages of the creative process. ...
More ideas have been prematurely rejected by a
stringent evaluative attitude than would be
warranted by any inherent weakness or absurdity
in them. The longer one can linger with the idea
with judgment held in abeyance, the better the
chances all its details and ramifications can
emerge. -- Eugene Raudsepp, Managing
Creative Scientists and Engineers (1963).
In theory there is no difference between theory
and practice. In practice there is. -- Yogi
Berra
28
What if you can't have or afford outside vulnerability assessors?
Use smart, hands-on, creative people inside your organization who are not associated with security. Seek wise guys, trouble makers, smart alecks, schemers, organizational critics, loophole finders, questioners of tradition and authority, outside-the-box thinkers, artists, hackers, tinkerers, problem solvers, techno-nerds.
Could Hamlet have been written by committee, or
the Mona Lisa painted by a club? Could the New
Testament have been composed as a conference
report? Creative ideas don't spring from groups.
They spring from individuals. --
Alfred Whitney Griswold (1885-1959)
29
Vulnerabilities are often obvious to outsiders
To see what is in front of one's nose needs a
constant struggle. -- George Orwell (1903-1950)
30
Other Reasons for Doing a Vulnerability Assessment
  • mental rehearsal
  • fresh perspectives
  • fun/relieves tedium
  • increased alertness
  • bluffing (don't underestimate)
  • enhanced sense of professionalism
  • educational/professional development for security staff
  • can involve other members of the organization, thus increasing employees' security awareness
  • can help justify additional resources for security

Without deviation from the norm, progress is not
possible. -- Frank Zappa (1940-1993)
31
Tricky Aspects of Vulnerability Assessments (VAs)
  • No meaningful standards or underlying theory
  • Defeats are a matter of degree & probability
  • No clear endpoint
  • Wishful thinking is hard to avoid.

Nothing is easier than self-deceit. For what
each man wishes, that he also believes to be
true. -- Demosthenes (382-322 BC)
32
Tricky Aspects of VAs (cont)
  • Recursion (chasing a moving target)
  • Most security failures are due to human error,
    which is hard to model and predict.
  • Testing/Demonstration realism can be difficult
    to achieve.

We are never deceived; we deceive ourselves. -- Johann Wolfgang von Goethe (1749-1832)
33
General Attributes of Effective VAs
  • No conflicts of interest or wishful thinking.
  • No Shoot the Messenger Syndrome. No
    retaliation or punishment against security
    personnel or managers when vulnerabilities are
    found.
  • Use of independent, imaginative assessors who
    are psychologically predisposed to finding
    problems and suggesting solutions, and who
    (ideally) have a history of doing so.

When people are engaged in something they are not
proud of, they do not welcome witnesses. In fact,
they come to believe the witness causes the
trouble. -- John Steinbeck (1902-1968)
34
Attributes of Effective VAs
  • No binary view of security.
  • Rejection of a finding of zero vulnerabilities.
  • Rejection of the idea of passing the VA,
    or of VAs as certification.
  • Discovering vulnerabilities is viewed as good
    (not bad) news.

When we were children, we used to think that when
we were grown-up we would no longer be
vulnerable. But to grow up is to accept
vulnerability... To be alive is to be
vulnerable. -- Madeleine L'Engle
35
Attributes of Effective VAs
  • Done early, iteratively, and periodically .
  • Done holistically, not by component, sub-system,
    function, or layer. (Attacks often occur at
    interfaces.)
  • No unrealistic time or budget constraints on the
    VA, or on what attacks or adversaries can be
    considered.
  • Done in context.

He that will not apply new remedies must expect
new evils for time is the greatest innovator.
-- Francis Bacon (1561-1626)
36
Attributes of Effective VAs
  • No underestimation of the cleverness, knowledge,
    skills, dedication, or resources of
    adversaries.
  • The good guys don't get to define the problem, the bad guys do.
  • Simple, low-tech attacks are examined first.

A common mistake that people make when trying to
design something completely foolproof is to
underestimate the ingenuity of complete fools.
-- Douglas Adams (1952-2001)
37
Attributes of Effective VAs
  • Findings are reported to the highest appropriate
    level without editing, interpretation, or
    censorship by middle managers.
  • No confusion about the difference between VAs and other kinds of hardware testing (materials, environmental, ergonomic, field readiness) or personnel testing.

The first principle is that you must not fool
yourself-- and you are the easiest person to
fool. -- Richard Feynman (1918-1988)
38
Attributes of Effective VAs
  • The following attacks are all considered:
    - fault analysis
    - false alarming
    - poke the system
    - wait & pounce
    - backdoor attacks
    - impersonation
    - social engineering
    - tampering with security training
    - insiders, outsiders, insiders & outsiders

Evil is easy, and has infinite forms.
-- Blaise Pascal (1623-1662)
39
Attributes of Effective VAs
  • Rohrbach's Maxim must be considered: No security system will ever be used properly (the way it was designed) all the time.
  • Shannon's Maxim must be considered: The adversaries know and understand the security systems, strategies, and hardware being used.

Inanimate objects can be classified scientifically into three major categories: those that don't work, those that break down and those that get lost. -- Russell Baker
Everything secret degenerates; nothing is safe that does not show how it can bear discussion and publicity. -- attributed to Lord Acton (1834-1902)
40
Attributes of Effective VAs
  • The vulnerability assessors need to praise the good things because:
    - We want the good things to be recognized and to continue.
    - Security managers need to be willing to arrange for future VAs.
    - Discussing the good things will make security managers more willing to hear about potential problems.
  • It should be clear up front that the vulnerability assessment will produce more suggestions and countermeasures than are likely to be implemented. Security managers (not the assessors) should ultimately decide which (if any) make sense to employ.

Our only security is our ability to change.
-- John Lilly
41
Don't Overlook the Insider Threat!
  • The insider threat is often overlooked or
    underestimated, and can be very difficult to
    deal with.
  • Disgruntled employees are a particular
    insider threat.

We have met the enemy and he is us.
-- Walt Kelly, the words of Pogo in Earth Day
1971 cartoon strip
42
Disgruntled Workers
  • Research shows that employee disgruntlement is associated with perceptions of unfairness & inequity, not necessarily objective conditions.
  • Disgruntled employees are known to be a risk for workplace violence, espionage, theft, & sabotage.

What has posterity ever done for me?
-- Groucho Marx (1890-1977)
Honesty may be the best policy, but it's
important to remember that apparently, by
elimination, dishonesty is the second-best
policy. -- George Carlin
43
Workplace Violence (USA)
  • ~1 million victims of workplace violence each year
  • >1000 workers killed each year due to workplace homicide
  • Homicide is the number one cause of on-the-job deaths for female employees
  • Source: NIOSH

Always go to other people's funerals. Otherwise they might not come to yours. --Yogi Berra
44
Causes of Increasing Worldwide Employee
Disgruntlement
  • global downsizing & outsourcing
  • weakening of labor unions & collective bargaining
  • increased use of temp & limited-term employees
  • the disappearance of lifetime employment
  • increased workforce diversity

We have to distrust each other. It's our only
defense against betrayal. -- Tennessee Williams
(1911-1983)
45
Causes of Increasing World-Wide Employee
Disgruntlement (cont)
  • technical obsolescence
  • the rapid pace of organizational change
  • increased whistle-blowing
  • depersonalization caused by increased urbanization, expanding bureaucracy, the growth of multinational corporations, and the increased use of email & virtual meetings

No one can build his security upon the nobleness
of another person. -- Willa Cather (1873-1947)
46
Disgruntled Americans
  • American employees are particularly at risk for disgruntlement due to characteristic traits:
    - identity is based on work
    - work long hours
    - strong individualism
    - traditional belief in fairness
    - traditional belief in the American Dream

Americans do not abide very quietly the evils of
life. -- Richard Hofstadter
In every American there is an air of incorrigible
innocence, which seems to conceal a diabolical
cunning. -- A. E. Housman (1859-1936)
47
Disgruntlement Countermeasures
  • Listen, acknowledge, validate, empathize with employees.
  • Allow employees to freely offer suggestions & concerns.
  • Have legitimate complaint resolution processes. Too often these are non-existent, ineffective, adversarial, or fraudulent, especially in large or bureaucratic organizations. This is very dangerous (and bad for productivity).
  • Be aware that employee perceptions about fairness are the only reality.
  • Treat departing employees & retirees well.

Sincerity is everything. If you can fake
that, you've got it made. -- Comedian
George Burns (1896-1996)
48
Also, Don't Forget About...
  • Computer & Computer Media physical security!
  • Relations with public, neighbors, local authorities
  • Effective security awareness training for all employees
Even if you're on the right track, you'll get
run over if you just sit there. -- Will Rogers
(1879-1935)
49
Or about having plans to deal with...
  • Espionage
  • Sabotage
  • Terrorism
  • Natural Disasters
  • War
  • Civil Unrest
  • Product Tampering
  • Illness & Epidemics
  • Industrial Accidents
  • Strikes & Labor Unrest
When choosing between two evils, I always pick
the one I never tried before. -- Mae
West (1893-1980)
50
Product Tampering
Tamper-Evident Packaging
Model of how to effectively deal with product tampering: J&J
On a bag of Fritos You could be a winner! No
purchase necessary. Details inside.
51
Warnings
  • high tech ≠ high security
  • inventory function ≠ security function

If you think technology can solve your security
problems, then you don't understand the problems
and you don't understand the technology.
-- Bruce Schneier
52
Why High-Tech Devices Systems Are Usually
Vulnerable To Simple Attacks
  • Still must be physically coupled to the real world
  • Still depend on the loyalty & effectiveness of users & personnel
  • The increased standoff distance decreases the user's attention to detail
  • Many more legs to attack

53
Why High-Tech Devices Systems Are Usually
Vulnerable To Simple Attacks (cont)
  • The high-tech features often fail to address the critical vulnerability issues
  • Users don't understand the device
  • Developers & users have the wrong expertise and focus on the wrong issues
  • The Titanic Effect: high-tech arrogance

54
Inventory
  • Counting and locating our stuff.
  • No nefarious adversary.
  • Will detect innocent errors by insiders,
    but not surreptitious attacks by insiders or
    outsiders.

55
Security
  • Meant to counter nefarious adversaries, typically both insiders & outsiders.
  • Watch out for mission creep: inventory systems that come to be viewed as security systems!

56
Example: Tags
tag: an applied or intrinsic feature that uniquely identifies an object or container.
types of tags:
  • inventory tag (no malicious adversary)
  • anti-counterfeiting tag (counterfeiting is an issue)
  • security tag (counterfeiting & lifting are issues)
  • buddy tag or token (counterfeiting is an issue)
lifting: removing a tag from one object or container and placing it on another, without being detected.
Never answer an anonymous letter. --
Yogi Berra
57
Tags: Classic examples of confusing Inventory & Security, High-Tech & High-Security
  • bar codes
  • rf transponders (RFIDs)
  • contact memory buttons
  • Usually easy to:
    - lift
    - counterfeit
    - spoof the reader

Between the idea and the reality, Between the
motion And the act Falls the Shadow. --
T.S. Eliot, The Hollow Men, 1925
58
GPS: Another classic example of confusing Inventory & Security, High-Tech & High-Security
  • The private sector, foreigners, and 90% of the federal government must use the civilian GPS satellite signals.
  • These are unencrypted and unauthenticated.
  • They were never meant for critical or security applications, yet GPS is being used that way!

If you put tomfoolery into a computer, nothing
comes out of it but tomfoolery. But this
tomfoolery, having passed through a very
expensive machine, is somehow ennobled and
no-one dares criticize it. -- Pierre Gallois
59
Attacking GPS Receivers
  • Blocking: just break off the antenna, or shield it with metal; not surreptitious.
  • Jamming: easy to build a noisy rf transmitter from plans on the Internet; not surreptitious.
  • Spoofing: surreptitious (as we've demonstrated); surprisingly easy for even unsophisticated adversaries using widely available GPS satellite simulators.
  • Physical attacks appear to be easy, too.

60
GPS Cargo Tracking
[Diagram: GPS Satellite -> GPS Signal (vulnerable here) -> cargo tracker -> Tracking Information Sent to HQ (perhaps encrypted/authenticated)]
GPS is great for navigation, but it does not provide high security.
61
Warnings (cont)
  • Don't place undue confidence in data encryption or authentication!
  • Don't place undue confidence in biometrics!
  • Don't assume counterfeiting is difficult!

Only fools are positive. -- Moe Howard
(1897-1975)
62
Data Encryption/Authentication
Intended for public communication between two
secure points. Provides reliable security if and
only if the sender and the receiver are
physically secure.
The security of a cipher lies less with the
cleverness of the inventor than with the
stupidity of the men who are using it. --
Waldemar Werther
63
Counterfeiting
  • Usually easier than developers, vendors & manufacturers claim.
  • Often overlooked: The bad guys usually only need to counterfeit the apparent performance of the security device, not the device itself or its real performance.

The handwriting on the wall may be a forgery.
-- Ralph Hodgson (1871-1962)
64
Warnings (cont)
  • Watch out for the multi-layer fallacy: Believing that multiple layers of bad security equals good security.
  • Security managers will usually over-estimate the difficulty of defeating their security, and under-estimate the cleverness, determination, & resourcefulness of adversaries.
  • Adversaries can usually bluff their way into a facility or organization more easily than might be imagined.

The simple act of paying attention can take you
a long way. -- Keanu Reeves
65
Warnings (cont)
  • Watch out for fuzzy thinking:
    - scapegoating
    - wishful thinking
    - one-size fits all
    - sloppy terminology
    - conflicts of interest
    - design by committee
    - ambiguous functions & goals
    - failure to understand the end user's world
    - ignoring changing circumstances & adversaries
    - lack of periodic, effective vulnerability assessments
    - forgetting that security is a probabilistic compromise
    - over-confidence in standards, testing, precedence

You've got to be very careful if you don't know where you are going, because you might not get there. -- Yogi Berra
66
Optimizing Safety
  • security survey ≈ safety walkaround
  • security risk management or design basis threat ≈ safety what if? exercises
  • security vulnerability assessment ≈ adversarial safety analysis???

In case of contact with this chemical, immediately wash skin with soap and copious amounts of water. If swallowed, wash out mouth with water provided the person is conscious, and call a physician. -- Material Safety Data Sheet for sucrose (table sugar)
67
32 Attributes of Flawed Security Programs
  1. Widespread arrogance & overconfidence.
  2. Security is viewed as binary. (This inhibits improvement.)
  3. Insiders are not viewed as a threat.
  4. Overly focused on paperwork, auditors, regulations, formality.
  5. Security & security managers are micro-managed by unqualified business executives.

68
Attributes of Flawed Security Programs (cont)
  6. Security personnel are reluctant to report problems or security incidents, or ask questions.
  7. Security problems, vulnerabilities, & incidents are covered up.
  8. Vulnerability assessments are rare; security is rarely tested.
  9. What if? mental or walk-through exercises are rare, instead of being done daily or weekly.

69
Attributes of Flawed Security Programs (cont)
  10. Security personnel receive little training or practice, and are given few opportunities for professional advancement.
  11. Security supervisors & managers are not well respected by subordinates.
  12. Security managers rarely chat informally with regular (non-security) employees.
  13. Security personnel are not well respected by non-security personnel.

70
Attributes of Flawed Security Programs (cont)
  14. The morale and self-esteem of security personnel is low. Appearance is poor.
  15. Low-level security personnel are treated poorly.
  16. Low-level security personnel are rarely recognized for good work.
  17. Security training exercises are unrealistic & tedious.
  18. Security personnel have few opportunities to demonstrate their prowess in contests/exercises.
71
Attributes of Flawed Security Programs (cont)
  19. Security personnel feel no loyalty or connection to their employer, or to the employees and the organization they are protecting.
  20. The organization lacks a fair and effective grievance or complaint resolution process for disgruntled employees (whether security or non-security personnel).

72
Attributes of Flawed Security Programs (cont)
  21. Security personnel are not briefed at the start of a shift, nor checked for fitness of duty.
  22. Security personnel are not debriefed after their shift.
  23. No pre-employment screening of employees; no periodic, thorough background and reliability checks performed on security and other critical personnel.
73
Attributes of Flawed Security Programs (cont)
  24. Unexplained or unexpected absences of security personnel are not investigated, nor are sudden outbreaks of widespread illness.
  25. Critical security personnel accept food and drink from colleagues & co-workers.
  26. Rosters, duty assignments, & schedules of authorized work are not well protected from tampering. Paper documents and verbal orders for security personnel are taken at face value.

74
Attributes of Flawed Security Programs (cont)
  27. Security personnel do not know exactly how and when to summon help or sound an alarm.
  28. There are no clear policies on the use of physical force (including lethal force and force against coworkers), or else those policies are largely unknown to security personnel and rarely discussed in a what if? format.
  29. Security personnel are vague on exactly what is expected of them.
75
Attributes of Flawed Security Programs (cont)
  30. The health and safety of security personnel is a low priority. Insurance and medical coverage is absent or poor.
  31. VIPs are allowed to bypass standard security procedures.
  32. Security managers are automatically fired when there is a major security incident. Low-level security personnel are automatically disciplined or fired when there is a minor security incident.
76
The LANL Vulnerability Assessment Team
We have a CD containing related papers & reports. Available today, or request a copy at rogerj@lanl.gov
Ring the bells that still can ring. Forget your
perfect offering. There is a crack in
everything. That's how the light gets in.
-- Anonymous
Roger Johnston, Ph.D., CPP, Ron Martinez, Leon
Lopez, Sonia Trujillo, Adam Pacheco,
Anthony Garcia, Jon Warner, Ph.D., Alicia
Herrera, Eddie Bitzer, M.A.
http://pearl1.lanl.gov/seals/default.htm
77
A new scholarly, non-profit peer-review journal: The Journal of Physical Security, http://jps.lanl.gov
Security can only be achieved through constant
change, through discarding old ideas that have
outlived their usefulness and adapting others to
current facts. -- William O. Douglas
(1898-1980)
78
The End
Security is like liberty in that many are
the crimes that are committed in its name.
-- Robert H. Jackson, dissenting opinion
in U.S. vs Shaughnessy, 1950