Title: Show Your Vulnerable Side: How to do a Vulnerability Assessment
1Show Your Vulnerable SideHow to do a
Vulnerability Assessment
Talk for the 50th Annual ASIS Conference, Sept
26-30, 2004 (Dallas, TX)
- Roger G. Johnston, Ph.D., CPP
- Vulnerability Assessment Team
- Los Alamos National Laboratory
- 505-667-7414 rogerj_at_lanl.gov
- http//pearl1.lanl.gov/seals.default.htm
LAUR-04-4147
2 LANL Vulnerability Assessment Team
- Physical Security
- consulting
- cargo security
- tamper detection
- nuclear safeguards
- training curricula
- vulnerability assessments
- novel security approaches
- new tags seals (patents)
- unique vuln. assessment lab
The VAT has done detailed vulnerability
assessments on hundreds of different security
devices, systems, programs.
The greatest of faults, I should say, is to be
conscious of none. -- Thomas Carlyle
(1795-1881)
3Physical Security
This talk will focus primarily on vulnerability
assessments of physical security, but presumably
many of the ideas and principles also apply to
other types of security such as
- computer security
- network Internet security
- intellectual property security
- information records security
- communications security
Better be despised for too anxious
apprehensions, than ruined by too confident
security. -- Edmund Burke (1729-1797)
4Definitions
physical security trying to protect valuable,
tangible assets from harm. Examples of
assets needing protection
Security Guard Don't make me take off my
sunglasses! -- From the movie Bringing Out the
Dead (1999)
5Definitions (cont)
The harm that we wish to avoid might involve
The ultimate security is your understanding of
reality. -- H. Stanley Judd
6Definitions (cont)
VAs
vulnerability assessment (VA) discovering and
demonstrating ways to defeat a security device,
system, or program. Should include suggesting
counter-measures and security improvements.
He that wrestles with us strengthens our skill.
Our antagonist is our helper. -- Edmund
Burke (1729-1797)
7Physical Security is Difficult!
Before thinking about how to assess physical
security, we need to recognize that it is
difficult and there are no guarantees of
success. Especially because complacency,
over-confidence, wishful thinking, and arrogance
are not compatible with good security.
Danger breeds best on too much confidence. --
Pierre Corneille (1606-1684)
8Why Physical Security is So Difficult
- The traditional performance measure for security
is pathological success is often defined as
nothing happening. - Cost/Benefit analysis is difficult.
- There are few meaningful standards, fundamental
principles, models, or theories. - Everything is a compromise a tradeoff.
There is always more spirit in attack than in
defense. -- Titus Livius (59 BC)
9Why Physical Security is So Difficult (cont)
- Objectives are often remarkably vague.
- Security managers personnel arent always
creative or proactive, but
adversaries may be. - Adversaries and their resources are usually
unknown to security managers, yet the adversaries
understand the security systems. - Society employees often do not like security.
We spend all our time searching for security, and
then we hate it when we get it --
John Steinbeck (1902-1968)
10Why Physical Security is So Difficult (cont)
- Effective security management is highly
multi-disciplinary engineering, computer
science, psychology, sociology, management,
economics, communication, law. - Adversaries can attack at one point, but security
managers may need to protect extended assets. - Adversaries need exploit only one or a small
number of vulnerabilities, but security mangers
must identify, prioritize, manage many
vulnerabilities, including unknown ones.
We have to get it right every day and the
terrorists only have to get it right once. So we
have to be ahead of the game. --TSA
Spokeswoman Lauren Stover
11Why Physical Security is So Difficult (cont)
- Security functions are often tedious.
- Security personnel have trouble identifying
security vulnerabilities because they dont want
them to exist. - (Its hard to think like the bad guys if you
devote your career to being a good guy.)
No problem can be solved from the same
consciousness that created it. --
Albert Einstein (1879-1955)
12Why Physical Security is So Difficult (cont)
- Physical Security scarcely a field at all!
- - You cant (for the most part) get a degree
in it. - - Not widely attracting young people, females,
the best
and the brightest. - - Few peer-review, scholarly journals or RD
conferences. - - Lots of snake oil salesmen.
- - Shortage of models, fundamental principles,
metrics, rigor, standards, - guidelines, critical thinking,
creativity. - - Overly macho and often dominated by
bureaucrats, committees, groupthink, old boys
networks, linear/concrete/wishful thinkers.
The only security is the constant practice of
critical thinking. -- William Graham Sumner
(1840-1910)
13Major Tools for Improving Security
- Security Survey
- Risk Management (Design Basis Threat)
- Vulnerability Assessment
If we don't succeed, we run the risk of
failure. -- Dan Quayle
14Security Surveys vs. Risk Management vs. VAs
- Not really the same thing because they produce
different results. - The task of identifying Threats
Vulnerabilities, done as part of Risk Management
(or DBT), is too often not really a Vulnerability
Assessment. - Security Surveys and Risk Management/DBT were
major breakthroughs are still useful But
they are not enough!
Men do not like to admit to even momentary
imperfection. My husband forgot the code to turn
off the alarm. When the police came, he
wouldn't admit he'd forgotten he code... he
turned himself in. --Rita Rudner
15Security Survey
- Basically a management walk around.
- Walk the spaces, looking for security problems.
- A checklist is often used.
We made too many wrong mistakes. --
Yogi Berra
16Limitations of Security Surveys
- Binary
- Close-ended
- Often unimaginative
- Not focused on adversaries
- Overly focused on the check list
- Does not encourage new countermeasures
- Expectation that problems will leap out at you
0 1
It's better to be looked over than overlooked.
-- Mae West, Belle of the Nineties, 1934
17Risk Management
- Similar to Risk Management Techniques in other
fields. - Identify Assets, Threats Vulnerabilities,
Adversaries, Consequences, Safeguards
Countermeasures. - Assign relative priorities and probabilities.
(Generate lots of tables.) - Field your resources appropriately.
The first step in the risk management process is
to acknowledge the reality of risk. Denial is a
common tactic that substitutes deliberate
ignorance for thoughtful planning. --
Charles Tremper
18Design Basis Threat (DBT)
- Design Basis Threat is similar to Risk
Management. - DBT basically means design your security to deal
with the current real-world threats. - In practice, DBT tends to focus more on hardware
and infrastructure than Risk Management does.
A hypothetical paradox what would happen in a
battle between an Enterprise security team, who
always get killed soon after appearing, and a
squad of Imperial Stormtroopers, who can't hit
the broad side of a planet? -- Tom
Galloway
19Limitations of Conventional Risk Management (or
DBT)
- There is rarely any guidance on how to determine
the Threats Vulnerabilities other than looking
at past security incidents. But that is being
reactive, not proactive. Not good enough
post-9/11, in a rapidly changing world, or for
dealing with rare catastrophic events. - Still binary close-ended
You can never plan the future by the past.
-- Edmund Burke (1729-1797)
20More Limitations of ConventionalRisk Management
(or DBT)
- Often done unimaginatively
- The attack probabilities are usually a fantasy
- Suffers from overconfidence in tables and the
- fallacy of precision
- Not done from the perspective of the adversaries
The time to repair the roof is when the sun is
shining. -- John F. Kennedy (1917-1963)
3.14159265359
21More Limitations of ConventionalRisk Management
(or DBT)
- Tendency to let the good guys and existing
security measures define the adversaries attack
modes - Often used to justify the status quo--typically
does not encourage new countermeasures - Ignores simple/cheap countermeasures when the
attack probabilities are judged (rightly or
wrongly) to be low or zero
It isn't that they can't see the solution. It
is that they can't see the problem. -- G.K.
Chesterton, The Scandal of Father Brown
(1935)
22Vulnerability Assessment
- Perform a mental coordinate transformation
and pretend to be the bad guys. (This is
a lot harder to do than one might
think.) - Gleefully look for trouble, rather than seeking
to reassure yourself that everything is fine. - Unlike Security Surveys or Risk Management,
dont let the good guys define the problem or its
parameters.
It is sometimes expedient to forget who we are.
-- Publilius Syrus (42 BC)
23Example Open Window
security survey issue orders to close lock
window! risk management ignore if not
envisioned as part of a specific threat or attack
from a likely adversary otherwise, design
procedure to close lock window. VA Oh boy,
an open window! What mischief can
this lead to?
You can observe a lot by just watching.
-- Yogi Berra
24Vulnerability Assessment Steps
- Fully understand the device, system, or program
and how it is REALLY used. Talk to the low-level
users. - Play with it.
- Brainstorm--anything goes!
- Play with it some more.
Scientists are the easiest to fool. They think in
straight, predictable, directable, and therefore
misdirectable, lines. The only world they know is
the one where everything has a logical
explanation and things are what they appear to
be. Children and conjurors--they terrify me.
Scientists are no problem against them I feel
quite confident. -- Spoken by Zambendorf in
Code of the Lifemaker, (James Hogan, 1987)
25Vulnerability Assessment Steps
- Edit prioritize potential attacks.
- Partially develop some attacks.
- Determine feasibility of the attacks.
- Devise countermeasures.
It's awful hard to get people interested in
corruption unless they can get some of it.
-- Will Rogers (1879-1935)
26Vulnerability Assessment Steps
- Perfect attacks.
- Demonstrate attacks.
- Rigorously test attacks.
- Rigorously test countermeasures.
A thing may look specious in theory, and yet be
ruinous in practice a thing may look evil in
theory, and yet be in practice excellent. --
Edmund Burke (1729-1797)
27Brain Storming
Nothing can inhibit and stifle the creative
process more--and on this there is unanimous
agreement among all creative individuals and
investigators of creativity--than critical
judgment applied to the emerging idea at the
beginning stages of the creative process. ...
More ideas have been prematurely rejected by a
stringent evaluative attitude than would be
warranted by any inherent weakness or absurdity
in them. The longer one can linger with the idea
with judgment held in abeyance, the better the
chances all its details and ramifications can
emerge. -- Eugene Raudsepp, Managing
Creative Scientists and Engineers (1963).
In theory there is no difference between theory
and practice. In practice there is. -- Yogi
Berra
28What if you cant have or afford outside
vulnerability assessors?
Use smart, hands-on, creative people inside your
organization who are not
associated with security. Seek wise guys,
trouble makers, smart alecks, schemers,
organizational critics, loophole finders,
questioners of tradition and authority,
outside-the-box thinkers, artists, hackers,
tinkerers, problem solvers, techno-nerds.
Could Hamlet have been written by committee, or
the Mona Lisa painted by a club? Could the New
Testament have been composed as a conference
report? Creative ideas don't spring from groups.
They spring from individuals. --
Alfred Whitney Griswold (1885-1959)
29Vulnerabilities are often obvious to outsiders
To see what is in front of one's nose needs a
constant struggle. -- George Orwell (1903-1950)
30Other Reasons for Doing a Vulnerability Assessment
- mental rehearsal
- fresh perspectives
- fun/relieves tedium
- increased alertness
- bluffing (dont underestimate)
- enhanced sense of professionalism
- educational/professional development for
security staff - can involve other members of the organization,
thus - increasing employees security awareness
- can help justify additional resources for
security
Without deviation from the norm, progress is not
possible. -- Frank Zappa (1940-1993)
31Tricky Aspects of Vulnerability Assessments (VAs)
- No meaningful standards or underlying theory
- Defeats are a matter of degree probability
- No clear endpoint
- Wishful thinking is hard to avoid.
Nothing is easier than self-deceit. For what
each man wishes, that he also believes to be
true. -- Demosthenes (382-322 BC)
32Tricky Aspects of VAs (cont)
- Recursion (chasing a moving target)
- Most security failures are due to human error,
which is hard to model and predict. - Testing/Demonstration realism can be difficult
to achieve.
We are never deceived we deceive ourselves.
-- Johann Wolfgang von Goethe (1749-1832)
33General Attributes of Effective VAs
- No conflicts of interest or wishful thinking.
- No Shoot the Messenger Syndrome. No
retaliation or punishment against security
personnel or managers when vulnerabilities are
found. - Use of independent, imaginative assessors who
are psychologically predisposed to finding
problems and suggesting solutions, and who
(ideally) have a history of doing so.
When people are engaged in something they are not
proud of, they do not welcome witnesses. In fact,
they come to believe the witness causes the
trouble. -- John Steinbeck (1902-1968)
34Attributes of Effective VAs
- No binary view of security.
- Rejection of a finding of zero vulnerabilities.
- Rejection of the idea of passing the VA,
or of VAs as certification. - Discovering vulnerabilities is viewed as good
(not bad) news.
When we were children, we used to think that when
we were grown-up we would no longer be
vulnerable. But to grow up is to accept
vulnerability... To be alive is to be
vulnerable. -- Madeleine L'Engle
35Attributes of Effective VAs
- Done early, iteratively, and periodically .
- Done holistically, not by component, sub-system,
function, or layer. (Attacks often occur at
interfaces.) - No unrealistic time or budget constraints on the
VA, or on what attacks or adversaries can be
considered. - Done in context.
He that will not apply new remedies must expect
new evils for time is the greatest innovator.
-- Francis Bacon (1561-1626)
36Attributes of Effective VAs
- No underestimation of the cleverness, knowledge,
skills, dedication, or resources of
adversaries. - The good guys dont get to define the problem,
the bad guys do. - Simple, low-tech attacks are examined first.
A common mistake that people make when trying to
design something completely foolproof is to
underestimate the ingenuity of complete fools.
-- Douglas Adams (1952-2001)
37Attributes of Effective VAs
- Findings are reported to the highest appropriate
level without editing, interpretation, or
censorship by middle managers. - No confusion about the difference between VAs and
other kinds of hardware testing (materials,
environ-mental, ergonomic, field readiness) or
personnel testing.
The first principle is that you must not fool
yourself-- and you are the easiest person to
fool. -- Richard Feynman (1918-1988)
38Attributes of Effective VAs
- The following attacks are all considered
- fault analysis
- false alarming
- poke the system
- wait pounce
- backdoor attacks
- impersonation
- social engineering
- tampering with security training
- insiders, outsiders, insiders outsiders
Evil is easy, and has infinite forms.
-- Blaise Pascal (1623-1662)
39Attributes of Effective VAs
- Rohrbachs Maxim must be considered No security
system will ever be used properly (the way it was
designed) all the time. - Shannons Maxim must be considered The
adversaries know and understand the security
systems, strategies, and hardware being used.
Inanimate objects can be classified
scientifically into three major categories
those that don't work, those that break down and
those that get lost. -- Russell Baker
Everything secret degenerates nothing is safe
that does not show how it can bear discussion and
publicity. -- attributed to Lord Action
(1834-1902)
40Attributes of Effective VAs
- The vulnerability assessors need to praise the
good things because - We want the good things to be recognized and
to continue. - Security managers need to be willing to
arrange for future VAs. - Discussing the good things will make security
managers more willing to hear about potential
problems. - It should be clear up front that the
vulnerability assessment will produce more
suggestions and countermeasures than are likely
to be implemented. Security mangers (not the
assessors) should ultimately decide which (if
any) make sense to employ.
Our only security is our ability to change.
-- John Lilly
41Dont Overlook the Insider Threat!
- The insider threat is often overlooked or
underestimated, and can be very difficult to
deal with. - Disgruntled employees are a particular
insider threat.
We have met the enemy and he is us.
-- Walt Kelly, the words of Pogo in Earth Day
1971 cartoon strip
42Disgruntled Workers
- Research shows that employee disgruntlement
- is associated with perceptions of unfairness
- inequity, not necessarily objective conditions.
- Disgruntled employees are known to be a risk
for - workplace violence, espionage, theft,
sabotage. -
What has posterity ever done for me?
-- Groucho Marx (1890-1977)
Honesty may be the best policy, but it's
important to remember that apparently, by
elimination, dishonesty is the second-best
policy. -- George Carlin
43Workplace Violence (USA)
- 1 million victims of workplace violence
- each year
- gt1000 workers killed each year due to
- workplace homicide
- Homicide is the number one cause of
- on-the-job deaths for female employees
- Source NIOSH
Always go to other peoples funerals.
Otherwise they might not come to yours. --Yogi
Berra
44Causes of Increasing Worldwide Employee
Disgruntlement
- global downsizing outsourcing
- weakening of labor unions collective
bargaining - increased use of temp limited-term employees
- the disappearance of lifetime employment
- increased workforce diversity
We have to distrust each other. It's our only
defense against betrayal. -- Tennessee Williams
(1911-1983)
45Causes of Increasing World-Wide Employee
Disgruntlement (cont)
- technical obsolescence
- the rapid pace of organizational change
- increased whistle-blowing
- depersonalization caused by increased
- urbanization, expanding bureaucracy, the
- growth of multinational corporations, and
- the increased use of email virtual meetings
No one can build his security upon the nobleness
of another person. -- Willa Cather (1873-1947)
46Disgruntled Americans
- American employees are particularly at risk
- for disgruntlement due to characteristic
traits - identity is based on work
- work long hours
- strong individualism
- traditional belief in fairness
- traditional belief in American Dream
Americans do not abide very quietly the evils of
life. -- Richard Hofstadter
In every American there is an air of incorrigible
innocence, which seems to conceal a diabolical
cunning. -- A. E. Housman (1859-1936)
47Disgruntlement Countermeasures
- Listen, acknowledge, validate, empathize with
employees. - Allow employees to freely offer suggestions
concerns. - Have legitimate complaint resolution processes.
Too often these are non-existent, ineffective,
adversarial, or fraudulent, especially in large
or bureaucratic organizations. This is very
dangerous (and bad for productivity). - Be aware that employee perceptions about
fairness - are the only reality.
- Treat departing employees retirees well.
Sincerity is everything. If you can fake
that, you've got it made. -- Comedian
George Burns (1896-1996)
48 Also, Dont Forget About
Computer Computer Media physical
security! Relations with public, neighbors,
local authorities Effective security awareness
training for all employees
Even if you're on the right track, you'll get
run over if you just sit there. -- Will Rogers
(1879-1935)
49Or about having plans to deal with
Espionage Sabotage Terrorism Natural
Disasters War Civil Unrest Product
Tampering Illness Epidemics Industrial
Accidents Strikes Labor Unrest
When choosing between two evils, I always pick
the one I never tried before. -- Mae
West (1893-1980)
50Product Tampering
Tamper-Evident Packaging
Model of how to effectively deal with product
tampering JJ
On a bag of Fritos You could be a winner! No
purchase necessary. Details inside.
51 Warnings
- high tech ? high security
- inventory function ? security function
If you think technology can solve your security
problems, then you don't understand the problems
and you don't understand the technology.
-- Bruce Schneier
52Why High-Tech Devices Systems Are Usually
Vulnerable To Simple Attacks
- Still must be physically coupled to the real
world - Still depend on the loyalty effectiveness of
users personnel - The increased standoff distance decreases the
users attention to detail - Many more legs to attack
53Why High-Tech Devices Systems Are Usually
Vulnerable To Simple Attacks (cont)
- The high-tech features often fail to address the
critical vulnerability issues - Users dont understand the device
- Developers users have the wrong expertise
- and focus on the wrong issues
- The Titanic Effect high-tech arrogance
54Inventory
- Counting and locating our stuff.
- No nefarious adversary.
- Will detect innocent errors by insiders,
but not surreptitious attacks by insiders or
outsiders.
55Security
- Meant to counter nefarious adversaries,
typically both insiders outsiders. - Watch out for mission creep inventory
systems that come to be viewed as security
systems!
56Example Tags
tag an applied or intrinsic feature that
uniquely identifies an object or container.
types of tags inventory tag (no malicious
adversary) anti-counterfeiting tag
(counterfeiting is an issue) security tag
(counterfeiting lifting are issues) buddy
tag or token (counterfeiting is an
issue) lifting removing a tag from one object
or container and placing it on another, without
being detected.
Never answer an anonymous letter. --
Yogi Berra
57Tags Classic examples of confusing Inventory
Security, High-Tech High-Security
- bar codes
- rf transponders (RFIDs)
- contact memory buttons
- Usually easy to
- lift counterfeit
spoof the reader
Between the idea and the reality, Between the
motion And the act Falls the Shadow. --
T.S. Eliot, The Hollow Men, 1925
58GPS Another classic example of confusing
Inventory Security, High-Tech High-Security
- The private sector, foreigners, and 90 of
the federal - government must use the civilian GPS satellite
signals. - These are unencrypted and unauthenticated.
- They were never meant for critical or security
applications, - yet GPS is being used that way!
If you put tomfoolery into a computer, nothing
comes out of it but tomfoolery. But this
tomfoolery, having passed through a very
expensive machine, is somehow ennobled and
no-one dares criticize it. -- Pierre Gallois
59Attacking GPS Receivers
- Blocking just break off the antenna, or shield
it with metal not surreptitious. - Jamming easy to build a noisy rf transmitter
from plans on the Internet not surreptitious. - Spoofing surreptitious (as weve
demonstrated) surprisingly easy for even
unsophisticated adversaries using widely
available GPS satellite simulators. - Physical attacks appear to be easy, too.
60GPS Cargo Tracking
GPS Satellite
Tracking Information Sent to HQ (perhaps
encrypted/authenticated)
GPS Signal
(vulnerable here)
GPS is great for navigation, but it does not
provide high security.
61 Warnings (cont)
- Dont place undue confidence in data encryption
or authentication! - Dont place undue confidence in biometrics!
- Dont assume counterfeiting is difficult!
Only fools are positive. -- Moe Howard
(1897-1975)
62 Data Encryption/Authentication
Intended for public communication between two
secure points. Provides reliable security if and
only if the sender and the receiver are
physically secure.
The security of a cipher lies less with the
cleverness of the inventor than with the
stupidity of the men who are using it. --
Waldemar Werther
63 Counterfeiting
- Usually easier than developers, vendors
manufacturers claim. - Often overlooked The bad guys usually only
needed to counterfeit the apparent performance
of the security device, not the device itself
or its real performance.
The handwriting on the wall may be a forgery.
-- Ralph Hodgson (1871-1962)
64 Warnings (cont)
- Watch out for the multi-layer fallacy Believing
that multiple layers of bad security equals good
security. - Security managers will usually over-estimate the
difficulty of defeating their security, and
under-estimate the cleverness, determination,
resourcefulness of adversaries. - Adversaries can usually bluff their way into a
facility or organization more easily than might
be imagined.
The simple act of paying attention can take you
a long way. -- Keanu Reeves
65Warnings (cont)
- 9. Watch out for fuzzy thinking
- scapegoating
- wishful thinking
- one-size fits all
- sloppy terminology
- conflicts of interest
- design by committee
- ambiguous functions goals
- failure to understand the end users world
- ignoring changing circumstances adversaries
- lack of periodic, effective vulnerability
assessments - forgetting that security is a probabilistic
compromise - over-confidence in standards, testing,
precedence
Youve got to be very careful if you dont know
where you are going, because you might not get
there. -- Yogi Berra
66 Optimizing Safety
- security survey safety walkaround
- security risk management or design
- basis threat safety what if? exercises
- security vulnerability assessment
- adversarial safety analysis???
In case of contact with this chemical, immediate
ly wash skin with soap and copious amounts of
water. If swallowed, wash out mouth with water
provided the person is conscious, and call a
physician. -- Material Safety Data
Sheet for sucrose (table sugar)
6732 Attributes of Flawed Security Programs
- Widespread arrogance overconfidence.
- Security is viewed as binary. (This inhibits
improvement.) - Insiders are not viewed as a threat.
- Overly focused on paperwork, auditors,
regulations, formality. - Security security managers are micro-
managed by unqualified business executives.
68Attributes of Flawed Security Programs (cont)
- Security personnel are reluctant to report
problems or security incidents, or ask
questions. - Security problems, vulnerabilities, incidents
are covered-up. - Vulnerability assessment are rare security is
rarely tested. - What if? mental or walk-through exercises are
rare, instead of being done daily or weekly.
69Attributes of Flawed Security Programs (cont)
- 10. Security personnel receive little training
or - practice, and are given few opportunities for
- professional advancement.
- 11. Security supervisors managers are not well
- respected by subordinates.
- 12. Security managers rarely chat informally
with - regular (non-security) employees.
- 13. Security personnel are not well respected by
- non-security personnel.
70Attributes of Flawed Security Programs (cont)
14. The morale and self-esteem of security
personnel is low. Appearance is
poor. 15. Low-level security personnel are
treated poorly. 16. Low-level security
personnel are rarely recognized for good
work. 17. Security training exercises are
unrealistic tedious. 18. Security
personnel have few opportunities to demonstrate
their prowess in contests/exercises.
71Attributes of Flawed Security Programs (cont)
- 19. Security personnel feel no loyalty or
connection - to their employer, or to the employees and the
- organization they are protecting.
- 20. The organization lacks a fair and effective
- grievance or complaint resolution process
- for disgruntled employees (whether security or
- non-security personnel).
72Attributes of Flawed Security Programs (cont)
21. Security personnel are not briefed at the
start of a shift, nor checked for fitness of
duty. 22. Security personnel are not debriefed
after their shift. 23. No pre-employment
screening of employees no periodic, thorough
background and reliability checks performed on
security and other critical personnel.
73Attributes of Flawed Security Programs (cont)
- 24. Unexplained or unexpected absences of
- security personnel are not investigated, nor
are - sudden outbreaks of widespread illness.
- Critical security personnel accept food and
- drink from colleagues co-workers.
- 26. Rosters, duty assignments, schedules of
- authorized work are not well protected from
- tampering. Paper documents and verbal orders
- for security personnel are taken at face value.
74Attributes of Flawed Security Programs (cont)
27. Security personnel do not know exactly how
and when to summon help or sound an alarm.
28. There are no clear policies on the use of
physical force (including lethal force and
force against coworkers), or else those
policies are largely unknown to security
personnel and rarely discussed in a what
if? format. 29. Security personnel are vague
on exactly what is expected of them.
75Attributes of Flawed Security Programs (cont)
30. The health and safety of security personnel
is a low priority. Insurance and medical
coverage is absent or poor. 31. VIPs are
allowed to bypass standard security
procedures. 32. Security managers are
automatically fired when there is a major
security incident. Low-level security
personnel are automatically disciplined or
fired when there is a minor security incident.
76The LANL Vulnerability Assessment Team
We have a CD containing related papers
reports. Available today or request a copy at
rogerj_at_lanl.gov
Ring the bells that still can ring. Forget your
perfect offering. There is a crack in
everything. That's how the light gets in.
-- Anonymous
Roger Johnston, Ph.D., CPP, Ron Martinez, Leon
Lopez, Sonia Trujillo, Adam Pacheco,
Anthony Garcia, Jon Warner, Ph.D., Alicia
Herrera, Eddie Bitzer, M.A.
http//pearl1.lanl.gov/seals/default.htm
77A new scholarly, non-profit peer review
journal The Journal of Physical
Security http//jps.lanl.gov
Security can only be achieved through constant
change, through discarding old ideas that have
outlived their usefulness and adapting others to
current facts. -- William O. Douglas
(1898-1980)
JPS
78The End
Security is like liberty in that many are
the crimes that are committed in its name.
-- Robert H. Jackson, dissenting opinion
in U.S. vs Shaughnessy, 1950