Q&A
How to Conduct a Vulnerability Assessment
Roger Johnston talks about how aliens, Elvis impersonators and your worst security users can help you find and fix security problems.
By Sarah D. Scalet
You want to look around your organization and find people who are outside-the-box thinkers. They don't have to be in the field of security. You're looking for people who would normally be your worst security nightmare.
CSO: So you're looking for people who've been in trouble for violating some security policy?
ROGER JOHNSTON OF THE LOS ALAMOS NATIONAL LABORATORY'S VULNERABILITY ASSESSMENT TEAM: I don't want to push it too far. If they're wanted in 35 states for felonies, maybe that's not exactly who you want looking at your critical security vulnerabilities. It's more about finding the people who won't automatically toe the party line. These are people in your organization who are already thinking about how they could beat your security. They're probably not going to do it, but that's just the way they think. They may be graphic artist types; they may be the smart aleck on the loading dock who's always questioning the boss.
CSO: There's more of that ethos in the information security culture than in the physical security culture.
JOHNSTON: Absolutely. There's a huge cultural gap, of course, between IT security and physical security, and that's much of the problem of convergence, trying to bring the two together. I think IT is better off in this regard. A lot of the people who work on computers automatically think that way.
CSO: What's the risk of conducting a vulnerability assessment from the point of view of a good guy?
JOHNSTON: When vulnerability assessments are done by good guys thinking like good guys, number one, they let the existing security infrastructure and hardware and strategies define the vulnerability issues. For example, if there's a fence, they'll think about ways the bad guys might get over the fence. But of course that's all backwards. We need to think about what the bad guys want to accomplish and then decide if we even need a fence. Number two, there's that tendency not to want to try to find problems.
CSO: Not only are they possibly making themselves look bad if they find a problem, they're also creating more work for themselves, right?
JOHNSTON: Absolutely. In many cases when the fix is very simple, organizations are very reluctant to do it, because that is sometimes thought of as saying, "We've been screwing up all these years." So you don't want to go with people who have a history of doing a vulnerability assessment and then telling you everything is swell. There are always vulnerabilities, and they are always present in very large numbers. Any vulnerability assessment that finds zero vulnerabilities is completely useless.