Perimeter

8/14/2009
03:51 PM
John H. Sawyer
John H. Sawyer
Commentary
50%
50%

Physical Penetration Testing Tells All

Rob Enderle had a great post here on Dark Reading on the discrepancies between physical and system security and what happens when they don't match up. The problem is most companies just don't understand physical security and how it can fail. They often think they do, but then they end up putting in flawed physical security controls that can't keep out even the mo

Rob Enderle had a great post here on Dark Reading on the discrepancies between physical and system security and what happens when they don't match up. The problem is most companies just don't understand physical security and how it can fail. They often think they do, but then they end up putting in flawed physical security controls that can't keep out even the most unintelligent criminal -- let alone experienced penetration testers like Johnny Long and Chris Nickerson.The motives behind most of the physical security installs I've seen were either the threat of vandalism, or there was an item on a checklist that had to be checked off to meet some sort of compliance requirement. Very few of them were concerned with the sensitivity of data on the systems, and were instead more worried about downtime caused by theft of equipment.

A recent physical security audit I performed involved two server rooms that both had keypads on the door. After talking with the head sysadmin, I learned that the keypads weren't even being used--which was obvious after a bit of recon where I could see that every one who entered had used a key. The keypads were there because of a checklist that was being followed when the server rooms were installed. The funny thing is that I don't think they've ever been programmed, but I've not confirmed that--yet.

A similar audit was being conducted by a team who invited me to tag along to see a few of their tricks and techniques. After bypassing a motion sensor activated door using a coat hangar and sheet of paper, we were in the "clinic" area that had a poorly locked door (unlocked with a Leatherman) leading straight into the server room. Quick inspection revealed that even if the door had been secured with biometrics, RFID, and a keypad, the drop ceiling was a shared space that would have allowed us to climb right over the wall and bypass any security on the door.

But hey -- at least they could get a check mark saying they had an auditable security mechanism in place. The first group had auditable keypads, while the other required ID cards with a magnetic strip to be swiped before entering the area where the "locked" door to the server room was located.

For a fun crash course in physical penetration testing, watch the first episode of Tiger Team available at the TruTV website featuring Chris Nickerson (one of the hosts from the Exotic Liability Podcast), Luke McOmie, and Ryan Jones. And for interesting ways to bypass security systems using low-tech or no-tech methods, watch Johnny Long's "No-Tech Hacking" presentation at DefCon 15 and pick up his book of the same name. Now how safe is your company really?

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
'PowerSnitch' Hacks Androids via Power Banks
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/8/2018
The Case for a Human Security Officer
Ira Winkler, CISSP, President, Secure Mentem,  12/5/2018
Windows 10 Security Questions Prove Easy for Attackers to Exploit
Kelly Sheridan, Staff Editor, Dark Reading,  12/5/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-8651
PUBLISHED: 2018-12-12
A cross site scripting vulnerability exists when Microsoft Dynamics NAV does not properly sanitize a specially crafted web request to an affected Dynamics NAV server, aka "Microsoft Dynamics NAV Cross Site Scripting Vulnerability." This affects Microsoft Dynamics NAV.
CVE-2018-8652
PUBLISHED: 2018-12-12
A Cross-site Scripting (XSS) vulnerability exists when Windows Azure Pack does not properly sanitize user-provided input, aka "Windows Azure Pack Cross Site Scripting Vulnerability." This affects Windows Azure Pack Rollup 13.1.
CVE-2018-8617
PUBLISHED: 2018-12-12
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-8583, CVE-2018-8...
CVE-2018-8618
PUBLISHED: 2018-12-12
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-8583, CVE-2018-8...
CVE-2018-8619
PUBLISHED: 2018-12-12
A remote code execution vulnerability exists when the Internet Explorer VBScript execution policy does not properly restrict VBScript under specific conditions, aka "Internet Explorer Remote Code Execution Vulnerability." This affects Internet Explorer 9, Internet Explorer 11, Internet Exp...