Physical Penetration Testing Tells All

Physical Penetration Testing Tells All
Physical Penetration Testing Tells All 

By John Sawyer
Dark Reading
Aug 14, 2009

Rob Enderle had a great post here on Dark Reading on the discrepancies 
between physical and system security and what happens when they don't 
match up. The problem is most companies just don't understand physical 
security and how it can fail. They often think they do, but then they 
end up putting in flawed physical security controls that can't keep out 
even the most unintelligent criminal -- let alone experienced 
penetration testers like Johnny Long and Chris Nickerson.

The motives behind most of the physical security installs I've seen were 
either the threat of vandalism, or there was an item on a checklist that 
had to be checked off to meet some sort of compliance requirement. Very 
few of them were concerned with the sensitivity of data on the systems, 
and were instead more worried about downtime caused by theft of 

A recent physical security audit I performed involved two server rooms 
that both had keypads on the door. After talking with the head sysadmin, 
I learned that the keypads weren't even being used--which was obvious 
after a bit of recon where I could see that every one who entered had 
used a key. The keypads were there because of a checklist that was being 
followed when the server rooms were installed. The funny thing is that I 
don't think they've ever been programmed, but I've not confirmed 

A similar audit was being conducted by a team who invited me to tag 
along to see a few of their tricks and techniques. After bypassing a 
motion sensor activated door using a coat hangar and sheet of paper, we 
were in the "clinic" area that had a poorly locked door (unlocked with a 
Leatherman) leading straight into the server room. Quick inspection 
revealed that even if the door had been secured with biometrics, RFID, 
and a keypad, the drop ceiling was a shared space that would have 
allowed us to climb right over the wall and bypass any security on the 


Subscribe to InfoSec News 

Site design & layout copyright © 1986-2014 CodeGods