I'd like to open this chapter with an example of how not to implement security.
I had been working at a client site performing a (non-physical) security audit. Despite the fact that the team
had been screened and cleared before being allowed through the door (this was a
government client), we had to sit through four additional hours of screening
procedures. When this was complete, our electronic equipment (including
laptops and mobile phones) was confiscated and we were locked in the room where
we would be working. By locked, I mean you needed a proximity badge to get in
and out, and none of us had one. If at any time we wished to leave the
room (for instance to use the bathroom), we had to call our Point of Contact
(PoC) on a landline. The problem was that he never answered.
Common Paradigms for Conducting Tests
Broadly speaking, there are three approaches to physical
penetration testing. An overview of each is given in the following sections.
When planning a test it is helpful to draft a test plan after your initial research.
This procedure makes the most of the creative process and helps you discover the most feasible
plan of attack.
There are no secrets better kept than the secrets that everybody guesses.
— George Bernard Shaw
Traits of the Overt Tester
The overt tester makes no attempt to disguise his presence.
This is not to say that he will make his intentions known, but he makes little effort
to evade security controls or guards and will work 'within the system' as much as
possible. When testing overtly, you rely on social engineering and flaws in
human security as much as possible. A camera operator would be unlikely to notice
anything suspicious about a tester, since his aim is to blend into his
surroundings.
Conducting Site Exploration
No matter
how you gain access to a target facility, be sure not to outstay your welcome.
The risk of getting caught becomes exponentially higher the longer you stay on
site. This is not to say that you should rush. Rushing is just as risky, but
you should have a well-thought-out and flexible plan and know in advance what
you're looking for. Sometimes this is not possible, or the Rules of Engagement
are intentionally vague and you have to do a little exploring. The following
areas may be of interest to a penetration tester.
Sometimes it seems like it's all about reception. The purpose of
reception is not security; that is very much a
secondary function. Reception's main function is to welcome visitors and
provide a face to the building. Who sees that face depends entirely on the
nature of the company, but it usually includes clients, salesmen, contractors
and delivery men. It goes without saying that these groups are treated in very similar
ways.