<strong>Journal</strong> <strong>of</strong> <strong>Physical</strong> <strong>Security</strong> 4(2), 30‐34 (2010)employees, legitimate complaint resolution processes, employee assistanceprograms, no tolerance for bully bosses, etc.)Threat: Extremists want to discredit our organization.Vulnerability: It is easy for them to dump hazardous chemicals on our propertyor pour them down our drains, and then fraudulently report us to the authoritiesas polluters.With these definitions, it should be clear that myth #1 above (“a Threatwithout a mitigation is a Vulnerability”) makes no sense because (a) a Threat isnot a Vulnerability, (b) security is a continuum and 100% elimination <strong>of</strong> aVulnerability is rarely possible, (c) adversaries may not automatically recognizea Vulnerability so mitigating it may be irrelevant for that specific Threat, and (d)Vulnerabilities don’t define Threats, i.e., terrorists don’t exist because buildingsand people can be blown up.<strong>The</strong> commonly held myth #2 (TAs are VAs) is untrue because Threats arenot the same thing as Vulnerabilities. Both TAs and VAs are needed, however,for good Risk Management, and they both depend on each other to someextent. Adversaries typically seek to exploit Vulnerabilities. Indeed, if therewere no Vulnerabilities, the adversaries won’t succeed. And if there were noThreats, any existing security Vulnerabilities would be irrelevant.Note that Vulnerabilities don’t map one-to-one onto Threats. Many differentkinds <strong>of</strong> adversaries with very different agendas can potentially exploit the sameVulnerability for very different reasons. Thus a lock that is easy to pick permitsattacks involving theft, espionage, or vandalism. Computers lacking up to datevirus checkers can be exploited for lots <strong>of</strong> different nefarious purposes. Ofcourse, Threats don’t map one-to-one onto Vulnerabilities, either. An adversarycan potentially pick and choose which Vulnerability or Vulnerabilities to exploitfor any given goal.In thinking about Myth #3 (Threats are more important than Vulnerabilities)we need to consider that a TA involves mostly speculating about people whoare not in front <strong>of</strong> us, and who might not even exist, but who have complexmotivations, goals, mindsets, and resources if they do exist. Vulnerabilities aremore concrete and right in front <strong>of</strong> us (if we’re clever and imaginative enoughto see them). <strong>The</strong>y are discovered by doing an analysis <strong>of</strong> actual infrastructureand its security—not speculating about people. Thus, getting Threats right istypically a lot harder than getting Vulnerabilities right. [Some people claim that32
<strong>Journal</strong> <strong>of</strong> <strong>Physical</strong> <strong>Security</strong> 4(2), 30‐34 (2010)past security incidents can tell us all we need to know about Threats, but that isjust being reactive, not proactive, and misses rare but very catastrophicattacks.]I would go even further and argue that understanding Vulnerabilities is morepowerful than understanding Threats—regardless <strong>of</strong> the relative difficulty <strong>of</strong>TAs vs. VAs. If you understand and take some reasonable effort to mitigateyour security Vulnerabilities, you are probably in fairly good shape regardless <strong>of</strong>the Threats (which you are likely to get wrong anyway). On the other hand, ifyou understand the Threats but are ignorant <strong>of</strong> the Vulnerabilities, you are notlikely to be very secure because the adversaries will have many different waysin.Myth #4 (existing tools are effective at finding Vulnerabilities) is quiteprevalent, especially for infrastructure security. This is perhaps because thereare such a staggering number <strong>of</strong> Vulnerabilities in any large, complex system(especially compared to Threats) that dealing with the Vulnerabilities isdaunting. Also, finding Vulnerabilities takes a lot <strong>of</strong> careful thinking, on theground investigation, hands-on analysis, and imagination/creativity. ThreatAssessments, in contrast, <strong>of</strong>ten (unfortunately) involve relatively easy andsimple-minded use <strong>of</strong> check lists, security surveys, compliance audits,guidelines, s<strong>of</strong>tware programs, boilerplates, compliance requirements, databases<strong>of</strong> past security incidents, and “cookie cutter” approaches. <strong>The</strong>re is, <strong>of</strong> course,no reason why a TA can’t or shouldn’t involve pr<strong>of</strong>ound, critical, original, andcreative thinking about security issues, it’s just that is so <strong>of</strong>ten does not.I break down the so-called “Vulnerability Assessment” methods into 4 generalcategories:1. Tools that can help find vulnerabilities but aren’t typically very good at itbecause they do not encourage thinking creatively like the bad guys aboutactual, local vulnerabilities and/or they make invalid assumptions: <strong>Security</strong>Surveys, Compliance Audits, boilerplate S<strong>of</strong>tware Programs, Tree Analysis, “RedTeam” exercises.2. Tools that are good at finding Vulnerability Assessments: AdversarialVulnerability Assessments (thinking about the security problem from theperspective <strong>of</strong> the bad guys, not the good guys and the existing securityimplementation), intrusion testing programs (for cyber security), criticalsecurity design reviews early in the design process for new security devices,systems, or programs.33
- Page 2 and 3: Table of ContentsJournal of Physica
- Page 4 and 5: The Journal of Physical Security 4(
- Page 6 and 7: The Journal of Physical Security 4(
- Page 8 and 9: The Journal of Physical Security 4(
- Page 10 and 11: The Journal of Physical Security 4(
- Page 12 and 13: Journal of Physical Security 4(2),
- Page 14 and 15: Journal of Physical Security 4(2),
- Page 16 and 17: Journal of Physical Security 4(2),
- Page 18 and 19: Journal of Physical Security 4(2),
- Page 20 and 21: Journal of Physical Security 4(2),
- Page 22 and 23: Journal of Physical Security 4(2),
- Page 24 and 25: Journal of Physical Security 4(2),
- Page 26 and 27: Journal of Physical Security 4(2),
- Page 28 and 29: Journal of Physical Security 4(2),
- Page 30 and 31: Journal of Physical Security 4(2),
- Page 33 and 34: Journal of Physical Security 4(2),
- Page 35 and 36: Journal of Physical Security 4(2),
- Page 37 and 38: Journal of Physical Security 4(2),
- Page 39 and 40: Journal of Physical Security 4(2),
- Page 41: Journal of Physical Security 4(2),
- Page 45 and 46: Journal of Physical Security 4(2),
- Page 47 and 48: Journal of Physical Security 4(2),
- Page 49 and 50: Journal of Physical Security 4(2),
- Page 51 and 52: Journal of Physical Security 4(2),
- Page 53 and 54: Journal of Physical Security 4(2),
- Page 55 and 56: Journal of Physical Security 4(2),
- Page 57: Journal of Physical Security 4(2),