Q&A

How to Conduct a Vulnerability Assessment

Roger Johnston talks about how aliens, Elvis impersonators and your worst security users can help you find and fix security problems.

By Sarah D. Scalet

Page 4

CSO: When the CSO tells his or her company about a vulnerability, we've seen that there can be a kind of "shoot the messenger" effect. What are ways they can avoid that or at least mitigate the effect?

ROGER JOHNSTON OF THE LOS ALAMOS NATIONAL LABORATORY'S VULNERABILITY ASSESSMENT TEAM: We try to encourage people to think about a vulnerability not as bad news. It's great news. When you find a vulnerability, you can do something about it.

CSO: But you still have to take people down the path of, something terrible could happen.

JOHNSTON: All our vulnerability assessment reports start out by pointing to the good things. There are always good things. Sometimes they're an accident, but by pointing them out, you get them recognized. Also, at the very beginning we always point out that we're going to find more vulnerabilities than they can possibly mitigate. We're going to make more suggestions for changes than you can possibly implement. That's OK. The bottom line is, vulnerability assessors are not here to tell you what changes to make. We're here to point out what we think are problems and what we think may be solutions. It's up to you to decide what you do with the findings.

This binary thinking about security (that something is either secure or not secure, or that we have to have all the vulnerabilities covered or we're not doing our job) is really nonsense. Security is a continuum, and there are always going to be vulnerabilities you can't do anything about. That doesn't mean anybody is screwing up. That's just the way security works.

CSO: In coming up with this laundry list of problems and possible solutions, is there oftentimes an 80/20 thing at play, where you can solve 80 percent of the problems with 20 percent of the solutions?

JOHNSTON: It does work that way. People say, "Gee, you're telling me I need to make this one little change, and this attack and this attack and this attack and this other attack basically go away?" It's really quite surprising. Sometimes the vulnerabilities are extraordinarily complex, and the solutions, while they may not be 100 percent perfect, are often really painless. We don't always have the most realistic view (we work for the government) about what's economically viable to implement. Sometimes what we think is simple isn't really simple in the real world. But that's OK too. Sometimes our suggestions get the end users thinking, and then maybe they come up with their own solution.
