RE: physical security pentesting procedures, tips, audit programs?

From: Frank Knobbe (frank@knobbe.us)
Date: Thu Dec 09 2004 - 15:05:21 EST


On Tue, 2004-12-07 at 14:56, Todd Towles wrote:
> Very good idea xyberpix, I like the business card idea.
>
> Growing off of xyberpix's idea - If you have time...write the date and
> the time on the back of the card while placing it. The dates could be
> written on the cards beforehand to reduce the time it takes. Then you
> will have a written account of time you were in a area.

Uhm, very bad idea in my opinion. I do not believe that your sponsor
(usually management) would appreciate if you let the employees, or even
public, know how far you compromised the security and how weak it looks.

Imagine doctors and/or patients spreading the story of janitors going
around leaving calling card that "they were there". You might as well
put up posters that say "Your security sucks". Would have the same
effect on your sponsor, which will undoubtedly "shorten your final
engagement".

Instead of leaving cards/clues that you were there, I recommend you take
pictures with a digital camera. When we do physical security checks, we
document the violations in the report with the pictures as proof (like a
stack of sensitive documents sitting unguarded in the hallway, unlocked
cabinets, or the all time favorite, logged-in administrator/supervisor
workstations :)

A picture speaks more than a thousand words. But you should keep your
findings confidential and only disclose it to your sponsor. You owe him
that much at least.

Regards,
Frank





This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:10 EDT