You are viewing 'physical security'

Late Night Security Program Weaknesses

#WarstoryWednesday

Tim Roberts

April 05, 2017 - Posted by Tim Roberts to Security Insight

Security Guard Asleep Assessment Background

Businesses that are adjacent to hotels are the best…for security consultants. When you have a high-gain wireless antenna, a rogue access point plugged into a network or able to compromise a vulnerable wireless access point, you pretty much don’t have to leave the comfort of your hotel room or parked vehicle for the assessment. I have been on a handful of these fortunate layouts and it certainly helps when staying under the radar. One of my first red team assessments had a hotel right next to the business we were assessing. The only thing separating the extended stay hotel and business was waist-high foliage, with little to no lighting or camera coverage. With this assessment, after hours testing was in scope, thus making the assessment that much easier.

On-site Social Engineering... read more >

The Thief

#WarStoryWednesday

Tim Roberts

November 02, 2016 - Posted by Tim Roberts to Security Insight

Clipboard Assessment Background

Earlier this year, a friend (5tubb0rn) and I toyed around with some ideas at a local hacker workspace. I had been using a Proxmark/BishopFox build to steal proximity badges during some of our Professional Security Services on-site Social Engineering Assessments and covert Physical Security Assessments. The Proxmark/BishopFox build was handy in that I didn’t have to bump into anyone in order to snag their badge for replication. The only problem I’ve had with this device is the size – it is a garage badge reader after all, and about the size of a laptop. There are smaller devices out there but we wanted to create something from scratch, utilizing a Raspberry Pi and some plug-and-play sensors that could be easily hidden by someone in the guise of a contractor. So, the two of us came up with a... read more >

STOP. THINK. FACT CHECK.

#WarStoryWednesday

Brent White

October 05, 2016 - Posted by Brent White to Security Insight

Another Wednesday, another war story. As a Senior Security Consultant here at NTT Security, I am constantly performing assessments on-site for our clients. At a recent on-site social engineering and physical security assessment, we exploited some vulnerabilities that could easily have been avoided with the right security measures in place.

Also, as many of you are aware, October is National Cyber Security Awareness Month (NCSAM). The theme for this week is STOP. THINK. CONNECT, however, I’d like to change it to fit the theme of my blog: STOP. THINK. FACT CHECK. As I’ve said in previous war stories, always ask questions and check that the person is who they say they are. And no matter how nice someone may look or act, always fact check. Use your instincts and don’t let someone with seemingly legitimate credentials fool you.

Assessment Background

The... read more >

The Challenges with Physical Security - Hard Candy Shell, Soft on the Inside

#WarStoryWednesday

Michael Born

May 11, 2016 - Posted by Michael Born to Security Insight

Physical Security - Hard Candy Shell, Soft on the Inside

I recently had the pleasure of performing a combined Social Engineering and Physical Security Assessment over the course of a national holiday. While my story may not come close to what Solutionary Security Consultants' Tim Roberts or Brent White have enlightened you with, I must say this assessment certainly opens one’s eyes to the challenges that an organization, similar in size to the assessed business, faces when growing rapidly and trying to fit in an Information Security program.

Top Takeaways

While there are many lessons learned, two top takeaways stand out:

  1. Having the proper corporate structure is one of the most important components in standing up a successful information security program.
  2. Perceived security is just that – perceived. As my co-worker Andrew Weed put it: “This is like an M&M – a hard candy shell, soft on the inside.” To some extent he is correct. The amount...
read more >

The Key

#WarStoryWednesday

Tim Roberts

November 04, 2015 - Posted by Tim Roberts to Security Insight

Assessment Background

On nearly every assessment I have performed, I have been able to piggyback my way into target buildings and sensitive areas. If you walk in with confidence and even attempt to “badge in,” most employees will pay little attention to the error sound or the red light of an illegitimate swipe. So, to the unaware, you can easily pass as an authentic employee as long as you look the part and appear to have the right badge; especially at a facility with a large employee body.

Using this technique, it is often inevitable that you will encounter a security guard, especially in the lobby area. If an area with a guard is unavoidable, I will wait for a guard to become engaged in conversation with another employee, receive a phone call sign for a delivery or become distracted in some other way in order to take advantage of the distraction. In my experience, a security guard will also pay little attention to the color of the light or... read more >

1 | 2 | 3 | 4 | 5 | 6 | Older Entries >>

Voted one of the Best Computer Security Blogs 2016
NTT Security (US), Inc. (formerly Solutionary) is a security consulting and managed security services provider. The NTT Security blog is a place for IT professionals to both learn and talk about the latest in IT security and compliance.

Get the NTT Security Blog delivered to your inbox!

Enter your Email:

(We will not share your email or use it for anything else.)

LATEST TWEETS