Roger Johnston, head of Argonne National Laboratory's vulnerability assessment team, shared some creative techniques at CSO's Confab event this morning. His first piece of advice: Start thinking like the bad guys and be creative about it.
"Some of the biggest impediments to good security are a lack of imagination, cognitive dissonance, a weak security culture and poor insider threat mitigation. If you're in charge of security and you're not particularly imaginative, bring in people who are."
Next, he said, don't let the good guys define the problem. Gleefully look for trouble. Be the fault finders.
"Assemble your own team of people with a hacker mentality," he said. "You need the hackers, narcissists, troublemakers, loophole finders, and those who question authority."
Creative thinking is one of the attributes that made the laboratory a CSO40 Winner organization for 2013, and it has helped uncover some zany flaws in the security world. I clearly remember Johnston giving examples during the 2010 USENIX Security Symposium in Washington DC. In a talk called "Security blunders dumber than dog snot," he mentioned:
- Security cameras that mostly fail to prevent crime because their resolution is so poor that security personnel miss things.
- Electronic voting machines easily tampered with on the voter's end. Voters can easily remove the panel with candidate names and can then tamper with the electronics. Just swap four wires and you can switch the votes for two candidates, Johnston said. You can also use a radio frequency device to turn the cheating on and off from a half-mile away. It's also stupidly easy to pick the locks on the voting machines. Johnston showed a video of a colleague doing just that.
- Overlooked insider threats that are usually sparked by bad HR policies. "There are things you can do about disgruntlement but instead companies feed the problem," Johnston said. "We've seen phony or nonexistent grievance and compliance resolution procedures, no constraints on bully bosses, failure to manage expectations, watching for sudden behavioral changes in employees; it all contributes to the problem."
- Failing to see if employees and contractors can be bribed by offering them money to do bad things.
- Assuming that low-level employees are harmless and never asking what they are up to.
At the time, he offered this bit of outside-the-box thinking: "You should try to bribe employees and contractors. If they're honest and refuse the bribe, let them keep the money and hail them publicly for their honesty and integrity."