How to Conduct a Vulnerability Assessment

Roger Johnston talks about how aliens, Elvis impersonators and your worst security users can help you find and fix security problems.

By Sarah D. Scalet

Page 6

CSO: I know you've done a lot of work around what to do once you actually find a vulnerability. Can you tell me about the Vulnerability Disclosure Index that you and your group have created?

ROGER JOHNSTON OF THE LOS ALAMOS NATIONAL LABORATORY'S VULNERABILITY ASSESSMENT TEAM: One of the problems with finding a vulnerability is, exactly who do you tell? We have found vulnerabilities that were specific to the sponsor of the vulnerability assessment, and of course if they pay for the work, they get the findings. No issue there. But we'll find things that have more general applicability. Now the question is, what do you do? A classic example is spoofing a global positioning system. Everyone's focused on jamming GPS devices, but that's not an interesting attack, because the GPS receiver knows it's not getting satellite signals from space. Spoofing, however, turns out to be surprisingly easy. You can feed fake coordinate information to a GPS receiver.

CSO: How could the bad guys use that to their advantage?

JOHNSTON: A lot of national networks, like for financial transactions, get their critical time synchronization from the GPS satellite signals. If someone fed the GPS fake information, the networks could crash within milliseconds. It could potentially be very serious. There's some recognition that jamming might be an issue, but in our view spoofing is the far more serious issue and is not widely recognized. Now, do we discuss this? Do we write papers about this problem? Or do we just keep our mouths shut?

This kind of problem crops up all the time, but there are some fairly straightforward, simple signs you're looking for. If there are a whole lot of good guys who don't seem to be very sophisticated in understanding the vulnerabilities, and there are only a small number of bad guys, you probably ought to just publicize it to the world. If the attack is pretty obviousand I think GPS spoofing isthe bad guys are going to figure it out anyway. So again, you probably ought to just tell the whole world. On the other hand, if it's kind of a specialized security device not being used by very many people, but a whole bunch of potential bad guys might want to exploit it, then maybe you don't need to be publicizing that vulnerability. Instead, you want to seek out the specific end user and point out the potential problem. The Vulnerability Disclosure Index is a sort of semi-quantitative attempt to try to provide some guidance as to whether you should disclose this vulnerability, how publicly, and in how much detail you should go.