A recent physical security audit I performed involved two server rooms that both had keypads on the door. After talking with the head sysadmin, I learned that the keypads weren't even being used--which was obvious after a bit of recon where I could see that every one who entered had used a key. The keypads were there because of a checklist that was being followed when the server rooms were installed. The funny thing is that I don't think they've ever been programmed, but I've not confirmed that--yet.
A similar audit was being conducted by a team who invited me to tag along to see a few of their tricks and techniques. After bypassing a motion sensor activated door using a coat hangar and sheet of paper, we were in the "clinic" area that had a poorly locked door (unlocked with a Leatherman) leading straight into the server room. Quick inspection revealed that even if the door had been secured with biometrics, RFID, and a keypad, the drop ceiling was a shared space that would have allowed us to climb right over the wall and bypass any security on the door.
But hey -- at least they could get a check mark saying they had an auditable security mechanism in place. The first group had auditable keypads, while the other required ID cards with a magnetic strip to be swiped before entering the area where the "locked" door to the server room was located.
For a fun crash course in physical penetration testing, watch the first episode of Tiger Team available at the TruTV website featuring Chris Nickerson (one of the hosts from the Exotic Liability Podcast), Luke McOmie, and Ryan Jones. And for interesting ways to bypass security systems using low-tech or no-tech methods, watch Johnny Long's "No-Tech Hacking" presentation at DefCon 15 and pick up his book of the same name. Now how safe is your company really?
John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.