show your vulnerable side: how to do a vulnerability assessment roger g. johnston, ph.d., cpp...

Show Your Vulnerable Side:How to do a Vulnerability Assessment

Roger G. Johnston, Ph.D., CPP

Vulnerability Assessment Team

Los Alamos National Laboratory

505-667-7414 [email protected]

http://pearl1.lanl.gov/seals.default.htm

LAUR-04-4147

Talk for the 50th Annual ASIS Conference, Sept 26-30, 2004 (Dallas, TX)

mailto:[email protected]

Physical Security• consulting• cargo security • tamper detection• nuclear safeguards• training & curricula• vulnerability assessments• novel security approaches• new tags & seals (patents)• unique vuln. assessment lab

The VAT has done detailed vulnerability assessments on hundreds of different security devices, systems, & programs.

LANL Vulnerability Assessment Team

The greatest of faults, I should say, is to be conscious of none. -- Thomas Carlyle (1795-1881)

This talk will focus primarily on vulnerability assessments of physical security, but presumably many of the ideas and principles also apply to other types of security such as:

Physical Security

• computer security

• network & Internet security

• intellectual property security

• information & records security

• communications security

Better be despised for too anxious apprehensions,than ruined by too confident security. -- Edmund Burke (1729-1797)

physical security: trying to protect valuable, tangible assets from harm.

Examples of assets needing protection:

Definitions

people buildings materials

equipment products chemicals

documents money weapons

drugs, food, & drink

museum artifacts

hazardous waste

Security Guard: “Don't make me take off my sunglasses!”-- From the movie Bringing Out the Dead (1999)

The “harm” that we wish to avoid might involve:

Definitions (con’t)

theft destruction sabotage

vandalism terrorism espionage

counterfeitingunauthorized

access

tampering

The ultimate security is your understanding of reality. -- H. Stanley Judd

vulnerability assessment (VA): discovering and demonstrating ways to defeat a security device, system, or program. Should include suggesting counter-measures and security improvements.

Definitions (con’t)

He that wrestles with us strengthens our skill. Our antagonist is our helper. -- Edmund Burke (1729-1797)

Before thinking about how to assess physical security, we need to recognize that it is difficult and there are no guarantees of success.

Especially because complacency, over-confidence, wishful thinking, and arrogance are not compatible with good security.

Physical Security is Difficult!

Danger breeds best on too much confidence.-- Pierre Corneille (1606-1684)

Why Physical Security is So Difficult

• The traditional performance measure for security is pathological: success is often defined as nothing happening.

• Cost/Benefit analysis is difficult.

• There are few meaningful standards, fundamental principles, models, or theories.

• Everything is a compromise & a tradeoff.

There is always more spirit in attack than in defense.-- Titus Livius (59 BC)

Why Physical Security is So Difficult (con’t)

• Objectives are often remarkably vague.

• Security managers & personnel aren’t always creative or proactive, but adversaries may be.

• Adversaries and their resources are usually unknown to security managers, yet the adversaries understand the security systems.

• Society & employees often do not like security.

We spend all our time searching for security, and then we hate it when we get it -- John Steinbeck (1902-1968)

• Effective security management is highly multi-disciplinary: engineering, computer science, psychology, sociology, management, economics, communication, & law.

• Adversaries can attack at one point, but security managers may need to protect extended assets.

• Adversaries need exploit only one or a small number of vulnerabilities, but security mangers must identify, prioritize, & manage many vulnerabilities, including unknown ones.

We have to get it right every day and the terrorists only have to get it right once. So we have to be ahead of the game. --TSA Spokeswoman Lauren Stover


• Security functions are often tedious.

• Security personnel have trouble identifying security vulnerabilities because they don’t want them to exist.

(It’s hard to think like the bad guys if you devote your career to being a good guy.)


No problem can be solved from the same consciousness that created it. -- Albert Einstein (1879-1955)

• Physical Security scarcely a “field” at all!

- You can’t (for the most part) get a degree in it.

- Not widely attracting young people, females, the best and the brightest.

- Few peer-review, scholarly journals or R&D conferences.

- Lots of snake oil salesmen.

- Shortage of models, fundamental principles, metrics, rigor, standards,

guidelines, critical thinking, & creativity.

- Overly macho and often dominated by bureaucrats, committees, groupthink, “old boys” networks, linear/concrete/wishful thinkers.

The only security is the constant practice of critical thinking.-- William Graham Sumner (1840-1910)


Major Tools for Improving Security

• Security Survey

• Risk Management (“Design Basis Threat”)

• Vulnerability Assessment

If we don't succeed, we run the risk of failure.-- Dan Quayle

Security Surveys vs. Risk Management vs. VAs

• Not really the same thing because they produce different results.

• The task of identifying Threats & Vulnerabilities, done as part of Risk Management (or DBT), is too often not really a Vulnerability Assessment.

• Security Surveys and Risk Management/DBT were major breakthroughs & are still useful… But they are not enough!

Men do not like to admit to even momentary imperfection. My husband forgot the code to turn off the alarm. When the police came, he wouldn't admit he'd forgotten he code...he turned himself in. --Rita Rudner

Security Survey

• Basically a management walk around.

• Walk the spaces, looking for security problems.

• A checklist is often used.

We made too many wrong mistakes. -- Yogi Berra

Limitations of Security Surveys

• Binary

• Close-ended

• Often unimaginative

• Not focused on adversaries

• Overly focused on the check list

• Does not encourage new countermeasures

• Expectation that problems will leap out at you

It's better to be looked over than overlooked. -- Mae West, Belle of the Nineties, 1934

Risk Management

• Similar to Risk Management Techniques in other fields.

• Identify Assets, Threats & Vulnerabilities, Adversaries, Consequences, Safeguards & Countermeasures.

• Assign relative priorities and probabilities. (Generate lots of tables.)

• Field your resources appropriately.

The first step in the risk management process is to acknowledge the reality of risk. Denial is a common tactic that substitutes deliberate ignorance for thoughtful planning. -- Charles Tremper

Design Basis Threat (DBT)

• “Design Basis Threat” is similar to Risk Management.

• DBT basically means “design your security to deal with the current real-world threats”.

• In practice, DBT tends to focus more on hardware and infrastructure than Risk Management does.

A hypothetical paradox: what would happen in a battle between an Enterprise security team, who always get killed soon after appearing, and a squad of Imperial Stormtroopers, who can't hit the broad side of a planet? -- Tom Galloway

Limitations of Conventional Risk Management (or DBT)

• There is rarely any guidance on how to determine the Threats & Vulnerabilities other than looking at past security incidents. But that is being reactive, not proactive. Not good enough post-9/11, in a rapidly changing world, or for dealing with rare catastrophic events.

• Still binary & close-ended

You can never plan the future by the past. -- Edmund Burke (1729-1797)

More Limitations of ConventionalRisk Management (or DBT)

• Often done unimaginatively

• The attack probabilities are usually a fantasy

• Suffers from overconfidence in tables and the“fallacy of precision”

• Not done from the perspective of the adversaries

The time to repair the roof is whenthe sun is shining. -- John F. Kennedy (1917-1963)

More Limitations of ConventionalRisk Management (or DBT)

• Tendency to let the good guys and existing security measures define the adversaries & attack modes

• Often used to justify the status quo--typically does not encourage new countermeasures

• Ignores simple/cheap countermeasures when the attack probabilities are judged (rightly or wrongly) to be low or zero

It isn't that they can't see the solution. It is that they can't see the problem.

-- G.K. Chesterton, The Scandal of Father Brown (1935)

Vulnerability Assessment

• Perform a mental coordinate transformation and pretend to be the bad guys. (This is a lot harder to do than one might think.)

• Gleefully look for trouble, rather than seeking to reassure yourself that everything is fine.

• Unlike Security Surveys or Risk Management, don’t let the good guys define the problem or its parameters.

It is sometimes expedient to forget who we are. -- Publilius Syrus (~42 BC)

security survey: issue orders to close & lock window!

risk management: ignore if not envisioned as part of a specific threat or attack from a likely adversary; otherwise, design procedure to close & lock window.

VA: Oh boy, an open window! What mischief can this lead to?

Example: Open Window

You can observe a lot by just watching. -- Yogi Berra

Vulnerability Assessment Steps

1. Fully understand the device, system, or program and how it is REALLY used. Talk to the low-level users.

2. Play with it.

3. Brainstorm--anything goes!

4. Play with it some more.

Scientists are the easiest to fool. They think in straight, predictable, directable, and therefore misdirectable, lines. The only world they know is the one where everything has a logical explanation and things are what they appear to be. Children and conjurors--they terrify me. Scientists are no problem; against them I feel quite confident. -- Spoken by Zambendorf in Code of the Lifemaker, (James Hogan, 1987)


5. Edit & prioritize potential attacks.

6. Partially develop some attacks.

7. Determine feasibility of the attacks.

8. Devise countermeasures.

It's awful hard to get people interested in corruption unless they can get some of it. -- Will Rogers (1879-1935)


9. Perfect attacks.

10. Demonstrate attacks.

11. Rigorously test attacks.

12. Rigorously test countermeasures.

A thing may look specious in theory, and yet be ruinous in practice; a thing may look evil in theory, and yet be in practice excellent.

-- Edmund Burke (1729-1797)

Brain StormingNothing can inhibit and stifle the creative process more--and on this there is unanimous agreement among all creative individuals and investigators of creativity--than critical judgment applied to the emerging idea at the beginning stages of the creative process. ... More ideas have been prematurely rejected by a stringent evaluative attitude than would be warranted by any inherent weakness or absurdity in them. The longer one can linger with the idea with judgment held in abeyance, the better the chances all its details and ramifications [can emerge].

-- Eugene Raudsepp, Managing Creative Scientists and Engineers (1963).

In theory there is no difference between theory and practice. In practice there is.

-- Yogi Berra

What if you can’t have or afford outside vulnerability assessors?

Use smart, hands-on, creative people inside your organization who are not associated with security.

Seek: wise guys, trouble makers, smart alecks, schemers, organizational critics, loophole finders, questioners of tradition and authority, outside-the-box thinkers, artists, hackers, tinkerers, problem solvers, & techno-nerds.

Could Hamlet have been written by committee, or the Mona Lisa painted by a club? Could the New Testament have been composed as a conference report? Creative ideas don't spring from groups. They spring from individuals. -- Alfred Whitney Griswold (1885-1959)

Vulnerabilities are often obvious to outsiders…

To see what is in front of one's nose needs a constant struggle. -- George Orwell (1903-1950)

Other Reasons for Doing a Vulnerability Assessment

• mental rehearsal • fresh perspectives• fun/relieves tedium• increased alertness• bluffing (don’t underestimate) • enhanced sense of professionalism • educational/professional development for security staff • can involve other members of the organization, thus increasing employees’ security awareness• can help justify additional resources for security

Without deviation from the norm, progress is not possible. -- Frank Zappa (1940-1993)

Tricky Aspects of Vulnerability Assessments (VAs)

• No meaningful standards or underlying theory

• Defeats are a matter of degree & probability

• No clear endpoint

• Wishful thinking is hard to avoid.

Nothing is easier than self-deceit. For what each man wishes, that he also believes to be true.

-- Demosthenes (382-322 BC)

Tricky Aspects of VAs (con’t)

• Recursion (chasing a moving target)

• Most security failures are due to human error, which is hard to model and predict.

• Testing/Demonstration realism can be difficult to achieve.

We are never deceived; we deceive ourselves. -- Johann Wolfgang von Goethe (1749-1832)

General Attributes of Effective VAs

1. No conflicts of interest or wishful thinking.

2. No “Shoot the Messenger” Syndrome. No retaliation or punishment against security personnel or

managers when vulnerabilities are found.

3. Use of independent, imaginative assessors who are psychologically predisposed to finding problems and suggesting solutions, and who (ideally) have a

history of doing so.When people are engaged in something they are not proud of, they do not welcome witnesses. In fact, they come to believe the witness causes the trouble.

-- John Steinbeck (1902-1968)

Attributes of Effective VAs

4. No binary view of security.

5. Rejection of a finding of zero vulnerabilities.

6. Rejection of the idea of “passing” the VA, or of VAs as “certification”.

7. Discovering vulnerabilities is viewed as good (not bad) news.

When we were children, we used to think that when we were grown-up we would no longer be vulnerable. But to grow up is to accept vulnerability... To be alive is to be vulnerable.

-- Madeleine L'Engle


8. Done early, iteratively, and periodically .

9. Done holistically, not by component, sub-system, function, or layer. (Attacks often occur at interfaces.)

10. No unrealistic time or budget constraints on the VA, or on what attacks or adversaries can be considered.

11. Done in context.

He that will not apply new remedies must expect new evils;for time is the greatest innovator.

-- Francis Bacon (1561-1626)


12. No underestimation of the cleverness, knowledge, skills, dedication, or resources of adversaries.

13. The good guys don’t get to define the problem, the bad guys do.

14. Simple, low-tech attacks are examined first.

A common mistake that people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools.

-- Douglas Adams (1952-2001)


15. Findings are reported to the highest appropriate level without editing, interpretation, or censorship by middle managers.

16. No confusion about the difference between VAs and other kinds of hardware testing (materials, environ-mental, ergonomic, field readiness) or personnel testing.

The first principle is that you must not fool yourself--and you are the easiest person to fool.

-- Richard Feynman (1918-1988)


17. The following attacks are all considered:

• fault analysis• false alarming• poke the system• wait & pounce• backdoor attacks• impersonation• social engineering• tampering with security training• insiders, outsiders, insiders + outsiders

Evil is easy, and has infinite forms. -- Blaise Pascal (1623-1662)


18. Rohrbach’s Maxim must be considered: No security system will ever be used properly (the way it was designed) all the time.

19. Shannon’s Maxim must be considered: The adversaries know and understand the security systems, strategies, and hardware being used.

Inanimate objects can be classified scientifically into three major categories; those that don't work, those that break down and those that get lost.

-- Russell Baker

Everything secret degenerates … nothing is safe that does not show how it can bear discussion and publicity.

-- attributed to Lord Action (1834-1902)


20. The vulnerability assessors need to praise the good things because:+ We want the good things to be recognized and to continue.+ Security managers need to be willing to arrange for future VAs.+ Discussing the good things will make security managers more

willing to hear about potential problems.

21. It should be clear up front that the vulnerability assessment will produce more suggestions and countermeasures than are likely to be implemented. Security mangers (not the assessors) should ultimately decide which (if any) make sense to employ.

Our only security is our ability to change.

-- John Lilly

Don’t Overlook the Insider Threat!

• The insider threat is often overlooked or underestimated, and can be verydifficult to deal with.

• Disgruntled employees are a particular insider threat.

We have met the enemy and he is us. -- Walt Kelly, the words of Pogo

in Earth Day 1971 cartoon strip

Disgruntled Workers

• Research shows that employee disgruntlementis associated with perceptions of unfairness & inequity, not necessarily objective conditions.

• Disgruntled employees are known to be a risk forworkplace violence, espionage, theft, & sabotage.

What has posterity ever done for me? -- Groucho Marx (1890-1977)

Honesty may be the best policy, but it's important to remember that apparently, by elimination, dishonesty is the second-best policy.

-- George Carlin

Workplace Violence (USA)

• ~ 1 million victims of workplace violence each year

• >1000 workers killed each year due to workplace homicide

• Homicide is the number one cause of on-the-job deaths for female employees

Source: NIOSHAlways go to other people’s funerals. Otherwisethey might not come to yours. --Yogi Berra

Causes of Increasing Worldwide Employee

Disgruntlement

• global downsizing & outsourcing

• weakening of labor unions & collective bargaining

• increased use of temp & limited-term employees

• the disappearance of lifetime employment

• increased workforce diversity

We have to distrust each other. It's our only defense against betrayal.

-- Tennessee Williams (1911-1983)

Causes of Increasing World-

Wide Employee Disgruntlement (con’t)

• technical obsolescence

• the rapid pace of organizational change

• increased whistle-blowing

• depersonalization caused by increased urbanization, expanding bureaucracy, the

growth of multinational corporations, and the increased use of email & virtual meetings

No one can build his security upon the nobleness of another person.

-- Willa Cather (1873-1947)

Disgruntled Americans

American employees are particularly at risk for disgruntlement due to characteristic traits:

• identity is based on work• work long hours• strong individualism• traditional belief in fairness• traditional belief in “American Dream”

Americans do not abide very quietly the evils of life. -- Richard Hofstadter

In every American there is an air of incorrigible innocence, which seems to conceal a diabolical cunning.

-- A. E. Housman (1859-1936)

Disgruntlement Countermeasures

• Listen, acknowledge, validate, & empathize with employees.

• Allow employees to freely offer suggestions & concerns.

• Have legitimate complaint resolution processes. Too often these are non-existent, ineffective, adversarial, or fraudulent, especially in large or bureaucratic organizations. This is very dangerous (and bad for productivity).

• Be aware that employee perceptions about fairnessare the only reality.

• Treat departing employees & retirees well.

Sincerity is everything. If you can fake that,you've got it made. -- Comedian George Burns (1896-1996)

Also, Don’t Forget About…

Computer & Computer Media physical security!

Relations with public, neighbors, & local authorities

Effective security awareness training for all employees

Even if you're on the right track, you'll get run over if you just sit there.

-- Will Rogers (1879-1935)

Or about having plans to deal with…

EspionageSabotageTerrorismNatural DisastersWar & Civil UnrestProduct TamperingIllness & EpidemicsIndustrial AccidentsStrikes & Labor Unrest

When choosing between two evils, I always pick the one I never tried before.

-- Mae West (1893-1980)

Product Tampering

On a bag of Fritos: You could be a winner! No purchase necessary. Details inside.

Tamper-Evident Packaging

Model of how to effectively deal with product tampering: J&J

Warnings

1. high tech ≠ high security

2. inventory function ≠ security function

If you think technology can solve your security problems,then you don't understand the problems and you don't understand the technology. -- Bruce Schneier

Why High-Tech Devices & Systems Are Usually Vulnerable To Simple Attacks

Still must be physically coupled to the real world

Still depend on the loyalty & effectiveness of user’s personnel

The increased standoff distance decreases the user’s attention to detail

Many more legs to attack

Why High-Tech Devices & Systems Are Usually Vulnerable To Simple Attacks (con’t)

The high-tech features often fail to address the critical vulnerability issues

Users don’t understand the device

Developers & users have the wrong expertise and focus on the wrong issues

The “Titanic Effect”: high-tech arrogance

Inventory

• Counting and locating our stuff.

• No nefarious adversary.

• Will detect innocent errors by insiders, but not surreptitious attacks by insiders or outsiders.

• Meant to counter nefarious adversaries, typically both insiders & outsiders.

• Watch out for mission creep: inventory systems that come to be viewed as security systems!

Security

tag: an applied or intrinsic feature that uniquely identifies an object or container.

types of tags

inventory tag (no malicious adversary)

anti-counterfeiting tag (counterfeiting is an issue)

security tag (counterfeiting & lifting are issues)

buddy tag or token (counterfeiting is an issue)

lifting: removing a tag from one object or container and placing it on another, without being detected.

Example: Tags

Never answer an anonymous letter. -- Yogi Berra

• bar codes

• rf transponders (RFIDs)

• contact memory buttons

Tags: Classic examples of confusing Inventory & Security, High-Tech & High-Security

Usually easy to:

* lift * counterfeit * spoof the reader

Between the idea and the reality,Between the motionAnd the actFalls the Shadow. -- T.S. Eliot, The Hollow Men, 1925

GPS: Another classic example of confusing Inventory & Security, High-Tech & High-Security

• The private sector, foreigners, and 90+% of the federal

government must use the civilian GPS satellite signals.

• These are unencrypted and unauthenticated.

• They were never meant for critical or security applications,

yet GPS is being used that way!

If you put tomfoolery into a computer, nothing comes out of it but tomfoolery. But this tomfoolery, having passed through a very expensive machine, is somehow ennobled and no-one dares criticize it.

-- Pierre Gallois

Attacking GPS Receivers

Blocking: just break off the antenna, or shield it with metal; not surreptitious.

Jamming: easy to build a noisy rf transmitter from plans on the Internet; not surreptitious.

Spoofing: surreptitious & (as we’ve demonstrated) surprisingly easy for even unsophisticated adversaries using widely available GPS satellite simulators.

Physical attacks: appear to be easy, too.

GPS Cargo Tracking

GPS SatelliteTracking Information Sent to HQ (perhaps encrypted/authenticated)

GPSSignal

(vulnerable here) GPS is great for navigation, but it does not provide high security.

Warnings (con’t)

3. Don’t place undue confidence in data encryption or authentication!

4. Don’t place undue confidence in biometrics!

5. Don’t assume counterfeiting is difficult!

Only fools are positive.-- Moe Howard (1897-1975)

Data Encryption/Authentication

Intended for public communication between two secure points.

Provides reliable security if and only if the sender and the receiver are physically secure.

The security of a cipher lies less with the cleverness of theinventor than with the stupidity of the men who are using it.

-- Waldemar Werther

Counterfeiting

• Usually easier than developers, vendors & manufacturers claim.

• Often overlooked: The bad guys usually only needed to counterfeit the apparent performance of the security device, not the device itself or its real performance.

The handwriting on the wall may be a forgery. -- Ralph Hodgson (1871-1962)

Warnings (con’t)

6. Watch out for the multi-layer fallacy: Believing that multiple layers of bad security equals good security.

7. Security managers will usually over-estimate the difficulty of defeating their security, and under-estimate the cleverness, determination, & resourcefulness of adversaries.

8. Adversaries can usually bluff their way into a facility or organization more easily than might be imagined.

The simple act of paying attention can take you a long way. -- Keanu Reeves

9. Watch out for fuzzy thinking:• scapegoating • wishful thinking• “one-size fits all”• sloppy terminology• conflicts of interest• design by committee• ambiguous functions & goals• failure to understand the end user’s world • ignoring changing circumstances & adversaries• lack of periodic, effective vulnerability assessments• forgetting that security is a probabilistic compromise• over-confidence in standards, testing, & precedence

Warnings (con’t)

You’ve got to be very careful if you don’t know where you are going, because you might not get there. -- Yogi Berra

• security survey ≈ safety “walkaround”

• security risk management or “design basis threat” ≈ safety “what if?” exercises

• security vulnerability assessment ≈ “adversarial” safety analysis???

Optimizing Safety

In case of contact [with this chemical],immediately wash skin with soap and copious amounts of water. If swallowed, wash out mouth with water provided the person is conscious, and call a physician. -- Material Safety Data Sheet

for sucrose (table sugar)

32 Attributes of Flawed Security Programs

1. Widespread arrogance & overconfidence.

2. Security is viewed as binary. (This inhibits improvement.)

3. Insiders are not viewed as a threat.

4. Overly focused on paperwork, auditors, regulations, & formality.

5. Security & security managers are micro- managed by unqualified business executives.

Attributes of Flawed Security Programs (con’t)

6. Security personnel are reluctant to report problems or security incidents, or ask questions.

7. Security problems, vulnerabilities, & incidents are covered-up.

8. Vulnerability assessment are rare; security is rarely tested.

9. “What if?” mental or walk-through exercises are rare, instead of being done daily or weekly.


10. Security personnel receive little training or practice, and are given few opportunities for

professional advancement.

11. Security supervisors & managers are not well respected by subordinates.

12. Security managers rarely chat informally with regular (non-security) employees.

13. Security personnel are not well respected by non-security personnel.


14. The morale and self-esteem of security personnel

is low. Appearance is poor.

15. Low-level security personnel are treated poorly.

16. Low-level security personnel are rarely recognized for good work.

17. Security training exercises are unrealistic & tedious.

18. Security personnel have few opportunities todemonstrate their prowess in

contests/exercises.


19. Security personnel feel no loyalty or connection to their employer, or to the employees and the organization they are protecting.

20. The organization lacks a fair and effective grievance or complaint resolution processfor disgruntled employees (whether security or non-security personnel).


21. Security personnel are not briefed at the startof a shift, nor checked for fitness of duty.

22. Security personnel are not debriefed after theirshift.

23. No pre-employment screening of employees; no periodic, thorough background and reliability checks performed on security and other critical personnel.


24. Unexplained or unexpected absences ofsecurity personnel are not investigated, nor are sudden outbreaks of widespread illness.

25. Critical security personnel accept food and drink from colleagues & co-workers.

26. Rosters, duty assignments, & schedules of authorized work are not well protected from tampering. Paper documents and verbal orders for security personnel are taken at face value.


27. Security personnel do not know exactly how and

when to summon help or sound an alarm.

28. There are no clear policies on the use of physical force (including lethal force and force against coworkers), or else those policies are largely unknown to security personnel and

rarely discussed in a “what if?” format.

29. Security personnel are vague on exactly what is expected of them.


30. The health and safety of security personnel is a low priority. Insurance and medical coverage is absent or poor.

31. VIPs are allowed to bypass standard security procedures.

32. Security managers are automatically fired when there is a major security incident. Low-level security personnel are automatically disciplined or fired when there is a minor security incident.

We have a CD containing related papers & reports.

Available today or request a copy at [email protected]

The LANLVulnerability Assessment Team

http://pearl1.lanl.gov/seals/default.htm

Roger Johnston, Ph.D., CPP, Ron Martinez, Leon Lopez, Sonia Trujillo, Adam Pacheco, Anthony Garcia, Jon Warner, Ph.D., Alicia Herrera, Eddie Bitzer, M.A.

Ring the bells that still can ring.Forget your perfect offering.There is a crack in everything.That's how the light gets in. -- Anonymous

mailto:[email protected]

A new scholarly, non-profit peer review journal:

The Journal of Physical Security

http://jps.lanl.gov

Security can only be achieved through constant change, through discarding old ideas that have outlived their usefulness and adapting others to current facts. -- William O. Douglas (1898-1980)

Security is like liberty in that many are thecrimes that are committed in its name. -- Robert H. Jackson, dissenting

opinion in U.S. vs Shaughnessy, 1950

show your vulnerable side: how to do a vulnerability assessment roger g. johnston, ph.d., cpp...

Documents

ultimate security

security improvements

good security

types of security

confident security

tx slide

bc slide

vulnerability assessment