Women in Cybersecurity_InfraGard Cybersecurity Symposium_11.17.2015

“Bringing You the Science in Security”

Piece of (i) Proprietary – Do Not Distribute

Women in Cybersecurity Panel

Connie Vaughn, [email protected], 916-472-5614

InfraGard 11th Annual Security Symposium

November 17, 2015, Rancho Cordova, California

Piece of (i) Security Solutions

Transcript of Women in Cybersecurity_InfraGard Cybersecurity Symposium_11.17.2015


Page 2: Women in Cybersecurity_InfraGard Cybersecurity Symposium_11.17.2015


Outline

• Define the Terms used for Vulnerability and Risk Assessments
• Discuss Analysis Approaches
• Discuss Future Threats and Challenges
• References
• Questions & Answers

Page 3: Women in Cybersecurity_InfraGard Cybersecurity Symposium_11.17.2015


Definitions

• Vulnerability Assessment – A systematic evaluation process in which qualitative and/or quantitative techniques are applied to detect vulnerabilities and to arrive at an effectiveness level for a security system to protect specific targets from specific adversaries and their acts

Page 4: Women in Cybersecurity_InfraGard Cybersecurity Symposium_11.17.2015


Definitions (cont’d)

• Risk Assessment – A process of analyzing threats and vulnerabilities of a facility, determining the potential for losses, and identifying cost-effective corrective measures and residual risk

Page 5: Women in Cybersecurity_InfraGard Cybersecurity Symposium_11.17.2015


Physical and Cyber Consequences

[Figure: two image panels contrasting the consequences of a Physical Attack and a Cyber Attack]

Page 6: Women in Cybersecurity_InfraGard Cybersecurity Symposium_11.17.2015


“The Science in Security”

R = P_A × [1 − P_E] × C

  R        Security Risk
  P_A      Frequency of Event
  1 − P_E  Probability of Adversary Success
  P_E      Probability “Options to Mitigate” will Prevent Event, built from P_I (Probability of Interruption) and P_N (Probability of Neutralization)
  C        Impact of Event

What Your System Can Do, And More Importantly, What Your System Can Not Do!

Page 7: Women in Cybersecurity_InfraGard Cybersecurity Symposium_11.17.2015


Adversary Task Time

[Figure: timeline of an adversary’s attack against a Physical Protection System (PPS)]

  T_0  Begin Action / First System Alarm (detection starts)
  T_A  Alarm Assessed (detection complete, response begins)
  T_I  Adversary Interrupted (response complete)
  T_C  Task Complete

  Adversary Task Time:  T_0 to T_C
  PPS Time Required:    T_0 to T_I (Detection up to T_A, then Response up to T_I)
  System Delay:         delay remaining after alarm assessment (T_A to T_C), which must exceed the response time (T_A to T_I) for the adversary to be interrupted
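A worked example of the risk equation and the adversary timeline from the two slides above, as added code that is not part of the deck. It assumes P_E = P_I × P_N as in Garcia’s Design and Evaluation of Physical Protection Systems (listed under Reference Material), treats P_I as the probability of detection when detection is timely and 0 otherwise (a simplification), and uses constructed sample values.

```python
# Added example, not from the deck: the slide's R = P_A * [1 - P_E] * C joined to the
# adversary timeline. P_E = P_I * P_N follows Garcia's PPS model (see Reference
# Material); taking P_I = P_D when detection is timely (else 0) is a simplification.
from dataclasses import dataclass


def _check_probability(name: str, p: float) -> None:
    if not 0.0 <= p <= 1.0:
        raise ValueError(f"{name} must lie in [0, 1], got {p}")

@dataclass(frozen=True)
class AdversaryTimeline:
    """Event times in seconds after T_0, when the adversary begins action."""
    t_a: float  # T_A: alarm assessed (detection complete)
    t_i: float  # T_I: adversary interrupted (response force in place)
    t_c: float  # T_C: adversary task complete

    def pps_time_required(self) -> float:
        # Detection and assessment (T_0..T_A) plus response (T_A..T_I).
        return self.t_i

    def is_detection_timely(self) -> bool:
        # The PPS can only interrupt the adversary if T_I comes before T_C.
        return self.pps_time_required() < self.t_c

    def delay_shortfall(self) -> float:
        # Extra delay the PPS must add after detection for T_I to beat T_C.
        return max(0.0, self.pps_time_required() - self.t_c)

def probability_of_effectiveness(p_i: float, p_n: float) -> float:
    """P_E = P_I * P_N: the system must both interrupt and neutralize."""
    _check_probability("P_I", p_i)
    _check_probability("P_N", p_n)
    return p_i * p_n

def security_risk(p_a: float, p_e: float, consequence: float) -> float:
    """R = P_A * [1 - P_E] * C, the equation on the 'Science in Security' slide."""
    _check_probability("P_A", p_a)
    _check_probability("P_E", p_e)
    return p_a * (1.0 - p_e) * consequence

def assess(p_a: float, p_d: float, p_n: float, consequence: float,
           timeline: AdversaryTimeline) -> dict:
    """Risk for one adversary path; P_I collapses to 0 when detection is late."""
    p_i = p_d if timeline.is_detection_timely() else 0.0
    p_e = probability_of_effectiveness(p_i, p_n)
    return {"timely": timeline.is_detection_timely(), "P_I": p_i, "P_E": p_e,
            "delay_shortfall_s": timeline.delay_shortfall(),
            "risk": security_risk(p_a, p_e, consequence)}
```

With the constructed timeline T_A = 60 s, T_I = 240 s, T_C = 300 s and P_A = 0.5, P_D = 0.9, P_N = 0.8, C = 1,000,000, the path is timely and R comes out at 140,000; pushing T_I to 360 s makes detection late, P_E drops to 0 and R rises to 500,000, which is the “Redesign if necessary” signal from the Key Steps slide.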

Page 8: Women in Cybersecurity_InfraGard Cybersecurity Symposium_11.17.2015


Recent Physical Security Examples

• Man Enters White House
• Two NY Prisoners Escape
• El Chapo Prison Escape
• Smugglers Tried Selling Nuclear Material to ISIS
• London Jewelry Theft
• Pedophiles Finding a Safe Haven on the Dark Net
• Russian Plane Bombing
• Unmanned Aircraft Systems (UAS) Events (airports, fire zones, White House, etc.)

Page 9: Women in Cybersecurity_InfraGard Cybersecurity Symposium_11.17.2015


Key Steps

• Establish a team
• Define or characterize objectives of PPS
• Analyze PPS
• Redesign if necessary
• Conduct performance tests
• Determine risk level

Page 10: Women in Cybersecurity_InfraGard Cybersecurity Symposium_11.17.2015


Security Management

• Who has the Chief Security Officer Responsibilities?
  – Devise policies and procedures
    • Loss & fraud prevention
    • Privacy
  – Oversee and coordinate security efforts
    • Information technology
    • Human resources
    • Communications
    • Legal
    • Facilities
  – Develop procedures to ensure physical safety
    • Management
    • Employees
    • Visitors
  – Maintain relationships with local, state and federal law enforcement
  – Develop emergency procedures and incident responses
  – Conduct risk management assessments

Page 11: Women in Cybersecurity_InfraGard Cybersecurity Symposium_11.17.2015


Emerging Threats & Challenges

• Unmanned Aircraft Systems (UAS)
  – Government policies?
  – Enforcement?
• Lone Wolf
  – Anti-government
  – Economic disparity
  – Increase in violence
  – Attracted to soft targets
• History of Low Crime
  – I can’t believe it happened here!

Page 12: Women in Cybersecurity_InfraGard Cybersecurity Symposium_11.17.2015


UAS Challenges

• Over 1 Million Expected Sales this Year
• Lack of Regulations and Laws
• Detection and Assessment
  – Many sizes, shapes, payloads, and materials
  – Determining intent (commercial deliveries vs malicious)
• Tracking
  – High speeds (over 70 mph)
• Neutralization
  – Kinetic or passive
  – Unintended consequences

Page 13: Women in Cybersecurity_InfraGard Cybersecurity Symposium_11.17.2015


Wireless Technology Challenges

• Evolving Smart Technologies
  – Smart homes
  – Smart cars
  – Baby monitors

Page 14: Women in Cybersecurity_InfraGard Cybersecurity Symposium_11.17.2015


Reference Material

• ASIS International Risk Assessment Standard (2015)
• Design and Evaluation of Physical Protection Systems (2007), Mary Lynn Garcia, CPP, Butterworth-Heinemann, ISBN 978-0-7506-8352-X
• Vulnerability Assessment of Physical Protection Systems (2006), Mary Lynn Garcia, CPP, Butterworth-Heinemann, ISBN 0-7506-7788-0
• Security Risk Assessment and Management (2007), Betty Biringer, John Wiley & Sons, Inc., ISBN 978-0-471-79352-6

Page 15: Women in Cybersecurity_InfraGard Cybersecurity Symposium_11.17.2015


Questions/Answers

WWW.pieceofi.com