Penetration Testing mailing list archives
RE: physical security pentesting procedures, tips, audit programs?
From: "Todd Towles" <toddtowles () brookshires com>
Date: Thu, 9 Dec 2004 14:12:22 -0600
Frank, If I remember correctly Xyberpix stated that they should be hidden. St8r from his e-mail " be allowed, stick a business card somewhere out of site, and make a note of it." Therefore I understand your point but fail to see the bad idea. You need to prove you were in a area...I could walk in your office and tell you that I was in a area but wouldn't it be better to take a member of management around with you as you pick the cards up? The general staff wouldn't know what is going on...and sorry to say it but the test is designed to find the sorry security, not hide it. Just my 2 cents.
-----Original Message----- From: Frank Knobbe [mailto:frank () knobbe us] Sent: Thursday, December 09, 2004 2:05 PM To: Todd Towles Cc: xyberpix; Vic N; Pen-Test[List] Subject: RE: physical security pentesting procedures, tips, audit programs? On Tue, 2004-12-07 at 14:56, Todd Towles wrote:Very good idea xyberpix, I like the business card idea. Growing off of xyberpix's idea - If you have time...writethe date andthe time on the back of the card while placing it. Thedates could bewritten on the cards beforehand to reduce the time ittakes. Then youwill have a written account of time you were in a area.Uhm, very bad idea in my opinion. I do not believe that your sponsor (usually management) would appreciate if you let the employees, or even public, know how far you compromised the security and how weak it looks. Imagine doctors and/or patients spreading the story of janitors going around leaving calling card that "they were there". You might as well put up posters that say "Your security sucks". Would have the same effect on your sponsor, which will undoubtedly "shorten your final engagement". Instead of leaving cards/clues that you were there, I recommend you take pictures with a digital camera. When we do physical security checks, we document the violations in the report with the pictures as proof (like a stack of sensitive documents sitting unguarded in the hallway, unlocked cabinets, or the all time favorite, logged-in administrator/supervisor workstations :) A picture speaks more than a thousand words. But you should keep your findings confidential and only disclose it to your sponsor. You owe him that much at least. Regards, Frank
Current thread:
- Re: physical security pentesting procedures, tips, audit programs?, (continued)
- Re: physical security pentesting procedures, tips, audit programs? ctg (Dec 03)
- RE: physical security pentesting procedures, tips, audit programs? Eric Greenberg (Dec 07)
- RE: physical security pentesting procedures, tips, audit programs? Vic N (Dec 03)
- RE: physical security pentesting procedures, tips, audit programs? Jerry Shenk (Dec 07)
- Re: physical security pentesting procedures, tips, audit programs? Don Lord (Dec 07)
- RE: physical security pentesting procedures, tips, audit programs? xyberpix (Dec 07)
- RE: physical security pentesting procedures, tips, audit programs? Jerry Shenk (Dec 07)
- Re: physical security pentesting procedures, tips, audit programs? Jose Maria Lopez (Dec 09)
- RE: physical security pentesting procedures, tips, audit programs? Todd Towles (Dec 07)
- RE: physical security pentesting procedures, tips, audit programs? Frank Knobbe (Dec 09)
- RE: physical security pentesting procedures, tips, audit programs? Todd Towles (Dec 09)
- RE: physical security pentesting procedures, tips, audit programs? Todd Towles (Dec 09)
- RE: physical security pentesting procedures, tips, audit programs? xyberpix (Dec 09)
- RE: physical security pentesting procedures, tips, audit programs? Frank Knobbe (Dec 09)
- Re: physical security pentesting procedures, tips, audit programs? nicola (Dec 12)
- Re: physical security pentesting procedures, tips, audit programs? ctg (Dec 03)