Penetration Testing mailing list archives

Re: [PEN-TEST] Two cents on Phys-Testing


From: John <tjm3 () EARTHLINK NET>
Date: Wed, 23 Aug 2000 21:37:16 -0400

In the Washington D.C. area almost every building has security guards or
receptionists that will assign badges to you. Workers have building badges.
This goes for virtually every agency, small and tiny company, Fortune 500
company etc. I am not sure how it is in the rest of the world but just FYI
in D.C., Northern Virginia and Maryland it's no longer that easy.  This has
gotten so commonplace as to be done by the most brain dead. We could all
learn from that!

-john

-----Original Message-----
From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM]On Behalf
Of Missy, E
Sent: Tuesday, August 22, 2000 11:34 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: [PEN-TEST] Two cents on Phys-Testing


The easiest penetrations I've ever done were also the most
embarrassingly obvious low-tech kind - the ones people think they'll
*never* fall for - they're too smart, too security-conscious, too
savvy, too many emplacements, too many techgates.  IMO, simple human
manipulation presents nearly as much potential for security compromise
as default settings et al. do.

The majority of companies with complex DMZs, VPNs, cryptocards,
'rottweiler firewalls' and other suite fantasies usually have at least
one great, gaping hole....the receptionist, the 'security guard', the
smoking entrance (join the group, then walk in through the locked door
with the group) - once in, the 'all-hands staff meeting' where offices
are deserted and workstations left on, the communal printer, sticky
notes w/ passwords/file notes, the trashcan in the (empty) copy room,
the helpful and courteous 'phone call from tech support' - multiple
opportunities presented, and sysadmins can do little or nothing about
them, because these attacks are not detected.

Fundamentally, most people are very trusting.  They claim to be 'worried
about security/privacy', yet continue to give out personal information
freely (online as well as elsewhere).  A pleasant smile, comfortably
appropriate attire, and a friendly, relaxed demeanor play on basic doubt
and insecurity - 'I'm not going to make a scene/make a fool out of
myself and ask this person what he/she is doing here' feelings.  It's
not glamorous or exciting, it doesn't attract IT/infosec VP attention,
it's not nearly as much fun as a pricey suite of software, but it still
has a stunningly high frequency of success.

Sysadmins get to deal with the results of lax/unimplemented/nonexistent
security policies.  IMO a cultural shift (not just corporate) may be
required in order to accept the restrictions and discipline of living in
a world where 'centralized database' is a (scarily close) reality.  An
active security policy/security consciousness/security culture is part
of the chain of implementation.

Just my 2 pennies....

++++++++++++++++++++++++

"I'm not going to discuss what I bring up.  Even if I don't discuss it,
I'm not going to discuss it."

Pres. George Bush, talking about his relationship with the press.
