2KKUU7ita

Chapter 6: Physical Security
A Q&A on physical security with Jack Wiles
In this Q&A session, Jack Wiles, an information
security pioneer with over 30 years of experience,
answers several questions on physical
security and how a lack of it often leads to information
insecurity.
How important do you think physical security
is in relation to technical-security issues?
JW: I’ve been asked that question many times in
the past, and from decades of experience with
both physical and technical security, I have a
standard answer. Without question, many of the
most expensive technical-security countermeasures
and tools often become worthless when
physical security is weak. If I can get my team
into your building(s) and walk up to someone’s
desk and log in as that person, I have bypassed
all your technical-security systems. In past security
assessments, after my team and I entered a
building, we always found that people simply
thought that we belonged there — that we were
employees. We were always friendly and helpful
when we came in contact with real employees.
They would often return the kindness by helping
us with whatever we asked for.
How were you able to get into most of the
buildings when you conducted “red team”
penetration tests for companies?
JW: In many cases, we just boldly walked into
the building and went up the elevator in multistory
buildings. If we were challenged, we
always had a story ready. Our typical story was
that we thought that this was the HR department,
and we were there to apply for a job. If
we were stopped at the door and told which
building to go to for HR, we simply left and
then looked for other entrances to that same
building. If we found an outside smoking area
at a different door, we attempted tailgating
and simply walked in behind other employees
who were reentering the building after finishing
their breaks. Tailgating also worked at most
entrances that required card access. In my
career as a red-team leader, we were never
stopped and questioned. We simply said “thank
you” as we walked in and compromised the
entire building.
What kinds of things would you bring out of a
building?
JW: It was always easy to get enough important
documentation to prove that we were there. In
many cases, the documentation was sitting in a
recycle box next to someone’s desk (especially
if that person was someone important). To us,
that really said, “Steal me first!” We found it
interesting that many companies just let their
recycle boxes fill up before emptying them.
We would also look for a room where strip-cut
shredders were used. The documents that were
shredded were usually stored in clear plastic
bags. We loaded these bags into our cars and
had many of the shredded documents put back
together in a few hours. We found that if we
pasted the strips from any page on cardboard
with as much as an inch of space between the
strips, the final document was still readable.
Jack Wiles is president of TheTrainingCo.
(www.thetrainingco.com) and promotes
the annual information security conference
Techno Security.
83