How to Conduct a Vulnerability Assessment
Los Alamos National Laboratory's Roger Johnston talks about how aliens, Elvis impersonators and your worst security users can help you find and fix security problems.
Tue, June 05, 2007
CSO — Roger Johnston knows about security vulnerabilities, and not only because he works for the Los Alamos National Laboratory, which has experienced more than its share of security problems of late (including the loss of classified materials last autumn). As leader of the laboratory's Vulnerability Assessment Team, a research group devoted to improving physical security, Johnston is the guy who gets brought in to find security problems, not only at his own agency, but also at other agencies and at private companies. His team has been hired to conduct vulnerability assessments at government agencies with such high security stakes as the International Atomic Energy Agency, the Department of State and the Department of Defense, as well as at private companies that are developing or considering the use of high-tech security devices.
Senior Editor Sarah D. Scalet recently spoke with Johnston about strategies for running an effective vulnerability assessment and then communicating the results without also putting your job on the line. To help security leaders identify specific areas that need improvement, Johnston also developed a quiz that identifies the 28 attributes of a flawed security system. "We see the same things over and over," he says. "These are the common unifying themes." Find out how you rate. (Note: Johnston emphasized that his statements here are his own opinions and do not necessarily reflect the official position of the Los Alamos National Laboratory or the U.S. Department of Energy, its parent organization.)
CSO: You basically spend your days finding problems with things. Are people afraid to cook for you?
ROGER JOHNSTON: Yeah, well, we always try to have an upbeat message. There are often very simple fixes to problems. Say you're using a tamper-indicating seal for cargo security. When you inspect the seal, maybe you simply spend an extra second or two looking for a little scratch in the upper right-hand corner to discover an attack.
CSO: So training is a key to that upbeat message?
JOHNSTON: Right. We're very strong believers in showing security personnel a lot of vulnerability information. Often, low-level security people aren't given the information they need to do a good job. If they know what they're supposed to be looking for, instead of just turned loose and told to report "anomalous incidents," they generally will do a lot better. You really haven't spent a lot of extra money, and it doesn't necessarily take a great deal of time.
CSO: When you're doing a vulnerability assessment, what's the best way to get into the mind-set of the adversary?