You are viewing 'physical security'
Businesses that are adjacent to hotels are the best…for security consultants. When you have a high-gain wireless antenna, a rogue access point plugged into a network or able to compromise a vulnerable wireless access point, you pretty much don’t have to leave the comfort of your hotel room or parked vehicle for the assessment. I have been on a handful of these fortunate layouts and it certainly helps when staying under the radar. One of my first red team assessments had a hotel right next to the business we were assessing. The only thing separating the extended stay hotel and business was waist-high foliage, with little to no lighting or camera coverage. With this assessment, after hours testing was in scope, thus making the assessment that much easier.On-site Social Engineering... read more >
Earlier this year, a friend (5tubb0rn) and I toyed around with some ideas at a local hacker workspace. I had been using a Proxmark/BishopFox build to steal proximity badges during some of our Professional Security Services on-site Social Engineering Assessments and covert Physical Security Assessments. The Proxmark/BishopFox build was handy in that I didn’t have to bump into anyone in order to snag their badge for replication. The only problem I’ve had with this device is the size – it is a garage badge reader after all, and about the size of a laptop. There are smaller devices out there but we wanted to create something from scratch, utilizing a Raspberry Pi and some plug-and-play sensors that could be easily hidden by someone in the guise of a contractor. So, the two of us came up with a... read more >
Another Wednesday, another war story. As a Senior Security Consultant here at NTT Security, I am constantly performing assessments on-site for our clients. At a recent on-site social engineering and physical security assessment, we exploited some vulnerabilities that could easily have been avoided with the right security measures in place.
Also, as many of you are aware, October is National Cyber Security Awareness Month (NCSAM). The theme for this week is STOP. THINK. CONNECT, however, I’d like to change it to fit the theme of my blog: STOP. THINK. FACT CHECK. As I’ve said in previous war stories, always ask questions and check that the person is who they say they are. And no matter how nice someone may look or act, always fact check. Use your instincts and don’t let someone with seemingly legitimate credentials fool you.Assessment Background
The... read more >
I recently had the pleasure of performing a combined Social Engineering and Physical Security Assessment over the course of a national holiday. While my story may not come close to what Solutionary Security Consultants' Tim Roberts or Brent White have enlightened you with, I must say this assessment certainly opens one’s eyes to the challenges that an organization, similar in size to the assessed business, faces when growing rapidly and trying to fit in an Information Security program.
While there are many lessons learned, two top takeaways stand out:
- Having the proper corporate structure is one of the most important components in standing up a successful information security program.
- Perceived security is just that – perceived. As my co-worker Andrew Weed put it: “This is like an M&M – a hard candy shell, soft on the inside.” To some extent he is correct. The amount...
On nearly every assessment I have performed, I have been able to piggyback my way into target buildings and sensitive areas. If you walk in with confidence and even attempt to “badge in,” most employees will pay little attention to the error sound or the red light of an illegitimate swipe. So, to the unaware, you can easily pass as an authentic employee as long as you look the part and appear to have the right badge; especially at a facility with a large employee body.
Using this technique, it is often inevitable that you will encounter a security guard, especially in the lobby area. If an area with a guard is unavoidable, I will wait for a guard to become engaged in conversation with another employee, receive a phone call sign for a delivery or become distracted in some other way in order to take advantage of the distraction. In my experience, a security guard will also pay little attention to the color of the light or... read more >