1. Avoiding getting owned without knowing it: Physical Security in the Workplace
   By: Mitch Capper and Doug Farre

2. This Presentation
- We only have 45 minutes
- Won’t be covering: mechanical lock details, high security mechanical lock details, latest high security exploit details
- Goal is to help you evaluate a ‘secure’ area to see possible holes in security

3. What is most important to you?
- Your Data
- Your Contacts
- Your Customers’ Confidence
- Your Inventory
- Your Employees

4. Security Budget
- Virtual Security:
  - Firewalls
  - Anti-virus
  - IDSs
  - VPNs
  - System administrators
  - Auditing and review
  - Segmented networks
  - Encryption and training
  - Software Updates and Group Policies

5. Your Virtual Security Setup IS GREAT
- Keeps the virtual bad guys out
- Stops drive-by and 0-day exploits like no other
- Has kept your company secrets secure for many years

6. Compromising Virtual Security
- Physical key loggers
- BIOS-level rootkits with FDE and virtualization
- Live malware
- Cold boot attacks

7. Physical Security is Trump
- Most virtual security monitors the border
- Secure data can only be defined as offline and encrypted
- At the end of the day there is only one undeniable fact: Physical Access means 100% data vulnerability

8. Why don’t people think about Physical Security?
- Don’t think it’s a threat
- Impossible to secure
- Not enough resources or knowledge
- Haven’t got around to it

9. Espionage
- Frequently uses physical attacks
- Over 100 billion annually in cost
- Large attacks can be “game over”
- Social Engineering with minimal physical attacks has accomplished most large attacks

10. Social Engineering and Information Gathering
- Social Engineering: co-worker, salesman, interviews, reference checks, impersonation
- Information Gathering: interviews, prospective clients, public tours, dumpster diving, off-site observation, Internet

11. Let’s Talk Physical Security
- Breaks down to 5 main areas: Mechanical Access Control, Electronic Access Control, Alarm Systems, Surveillance, Egress Devices
12. Egress Devices: Latches
- Latches
- Guards
- Deadlatches

13. Egress Devices: Continued
- Push Bars
- Button Releases
- Infrared/Motion Sensors

14. Alarm Systems
- Must be hardwired
- Expensive install
- 4 main sensor connection types: Trip on fail; Circuit always connected; ‘Constant Monitoring’; Magnetic Coupling
- Use GSM or phone for reporting
- Spend most of their time off
- Response time

15. Alarm Systems: Considerations
- Take advantage of unconventional technologies: alarmed glass, photoelectric controls, pull-trip switches, stress detectors, vibration sensors, sound monitoring sensors, ultrasonic motion sensors

16. Surveillance
- CCTV: primarily a forensic tool; partial deterrent
- ID Cards: only good for casual ID
- Guards: response; two-person rule

17. Surveillance
18. Electronic Access Control
- Handling of lost keys/terminated employees
- Easy to reprogram/rekey
- Advanced control (blackout times, use counts, etc.)
- Provides AUDITING

19. EAC: Keypads

20. Scramble Pads can be good

21. EAC: Biometrics
- Behavioral Characteristics:
  - Voice mapping: VoiceVault (phone verification)
  - Keystroke biometrics: BioPassword (keystroke behavior); think Morse code during WWII
  - Signature Dynamics

22. EAC: Cards
- Barcode / Concealed Barcode Cards
- Mag Stripe Cards
- RFID / Prox Cards
- Smart Cards

23. EAC: Fail
- Most devices/systems use the Wiegand protocol: think clear text over a hard wire
- Mechanical Lock Backup
- No destructive attack resistance
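As an added illustration of why a Wiegand reader-to-controller link counts as clear text (example code written for this page, not from the presentation or its authors), the following Python decodes the common 26-bit Wiegand frame: the facility code and card number the controller uses to grant access are readable straight off the wire, protected by nothing more than two parity bits. The sample frame, the `Wiegand26` class and the function names are constructed for this example.

```python
"""Decode the common 26-bit Wiegand frame sent from a card reader to a controller.

Frame layout (26 bits, first bit sent first):
  bit 0      even parity over bits 1-12
  bits 1-8   facility code (8 bits)
  bits 9-24  card number (16 bits)
  bit 25     odd parity over bits 13-24
There is no encryption or authentication: a tap on the D0/D1 pair sees the
same two numbers the controller sees, which is what "clear text over a hard
wire" means in practice.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Wiegand26:
    facility_code: int
    card_number: int
    parity_ok: bool


def decode_wiegand26(bits: str) -> Wiegand26:
    """Decode a 26-character '0'/'1' string given in wire order."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected exactly 26 binary digits")
    b = [int(c) for c in bits]
    # Leading parity bit plus the first 12 data bits must sum to an even number.
    even_ok = sum(b[0:13]) % 2 == 0
    # Last 12 data bits plus the trailing parity bit must sum to an odd number.
    odd_ok = sum(b[13:26]) % 2 == 1
    facility_code = int(bits[1:9], 2)
    card_number = int(bits[9:25], 2)
    return Wiegand26(facility_code, card_number, even_ok and odd_ok)


def audit_frames(frames):
    """Controller-side summary a defender would want logged: how many frames
    failed parity (line noise or tampering on the reader cable) and which
    credentials were presented in the clear."""
    bad_parity = 0
    credentials = set()
    for frame in frames:
        decoded = decode_wiegand26(frame)
        if not decoded.parity_ok:
            bad_parity += 1
            continue
        credentials.add((decoded.facility_code, decoded.card_number))
    return {"frames": len(frames), "bad_parity": bad_parity,
            "credentials": sorted(credentials)}


# Constructed sample: facility code 75, card number 12345, valid parity.
SAMPLE_FRAME = "00100101100110000001110011"
# Constructed corrupted copy of the same frame: trailing parity bit flipped.
CORRUPTED_FRAME = SAMPLE_FRAME[:-1] + "0"

if __name__ == "__main__":
    print(decode_wiegand26(SAMPLE_FRAME))
    print(audit_frames([SAMPLE_FRAME, SAMPLE_FRAME, CORRUPTED_FRAME]))
```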
24. Mechanical Locks: Attacks
- Key Duplication
- Bumping
- Picking
- Impressioning
- Rights Escalation in Master Key Systems
- Bypass

25. MLA: Key Duplication
- All non-high security locks
- Some high security locks
- Key duplicators, clay molding, silicone casting

26. MLA: Bumping
- Requires a bump key (a blank or a key in the system) and a file
- Can be purchased online for under $5 a key
- All non-high security, some high security
- Low barrier to entry

27. MLA: Picking
- Most people can pick an easy lock within 5-30 minutes of first being given the tools and minimal instruction
- Within months of casual practice most can open most non-high security locks, both pin tumbler and wafer
- Large picking community: www.lockpicking101.com

28. MLA: Bypass - Shimming
- Padlock Shimming
- Handcuff Shimming

29. MLA: Lock Bypasses
- Medeco Deadbolts
- Master Lock 175
- American Padlocks

30. MLA: Adams Rite Wires
- Affected huge numbers of locks
- Lock/Egress combined attack

31. MLA: Impressioning
- Key from the lock
- Key blanks, file
- Skilled attack
- The art of a locksmith

32. MLA: Rights Escalation in MK Systems
- Matt Blaze, AT&T Labs, 2002
- No technical skill required
- One key to the system, one lock, 5-7 key blanks, and a file
- Under-desk attack
33. High Security Locks
- Abloy, ASSA, Bilock, Medeco, Mul-T-Lock, Schlage (Primus)
- Should be: bump resistant, hard to pick, hard to duplicate keys, hard to drill
- Industrial Locks

34. HSL: Problems
- Changing keys is a pain
- Even some high security locks suffer from varying degrees of standard attacks (bumping, rights amplification, key duplication)
- Getting unique blanks is very hard for anyone short of the largest companies

35. HSL: Ground Zero
- Mechanical locks usually are what is in between the outside world and the sensitive data
- One of few active preventions
- Low investment can greatly enhance security
- Frequently overlooked

36. Electronic vs Mechanical

37. Proper Physical Security Layers
- Look not just at how you are supposed to enter, but at alternate methods/exit ways
- Dual authentication: separate electronic and mechanical authentication

38. Combined Physical/Electronic Locks
- Combined cylinders (say, ASSA ABLOY’s Cliq) try to bridge gaps and minimize costs
- Most brand systems (Medeco, ASSA, Mul-T-Lock) are already compromised
- Abloy Protec Cliq still safe (also the only mechanical lock that is, for that matter)

39. Closing Points
- Use your imagination!
- Never underestimate the attacker!

40. Questions?
- Our email is at @SecuritySnobs dot com (first name @)
- Mitch Capper
- Doug Farre

41. MLA: Rights Escalation - The How
- File each of the 5 keys to the same depths as the normal user key, skipping one position on each key
- Put the non-working key in the door and try it
- If it doesn’t work, file the one unfiled position and try again until it works
- If it works and is the same height as the normal key, keep filing; otherwise the key is done
- Once all keys are done, compare each to the original and make the GMK of the different heights

Editor's Notes

  1. -Ourselves and Background-Talk name-Tag Line*Background in mechanical locks and mechanical lock compromise*My personal background: currently do project management at a medium-size IT service company; recently gave presentations in New York and Las Vegas on recent high security lock compromises, and identification card security
  2. 0:22-Half day talk worth of material in 45 min-Not: mechanical or high sec locks or exploits, buying-Help you understand and evaluate secure areas*These things don’t affect much except what locks to stay away from and what to buy (which we could easily just tell you straight up).*Broader topic
  3. 0:53-First step is deciding what to secure-Then what money you are comfortable spending to secure it*What is important to you, and how much money do you have?
  4. 1:19-Let’s talk about your security budget-What Security Budget? -Yearly budget-Not always case but most invest once in physical security vs ongoing on virtual*Let’s talk about your security budget, some are saying “what security budget?”*Many organizations have virtual security budget allocation but choose to just invest in physical security on a case by case basis*One of the goals of this presentation is to help you realize that virtual security should have its own separate budget allocation
  5. 1:45-Best Case-slides
  6. 2:00-Slides-Apple firmware key logger-Live malware even in generic download malware
  7. 4:05-Slides
  8. 4:30-Slides
  9. 5:30-Internal and External espionage both use physical attacks as low skill-FBI 100 Billion-End game for biz-Social Engineer + minimal phys all that was required for most major espionage*Takes someone with training to compromise a secure virtual system*Social Engineer + minimal phys all that was required for most major espionage
  10. 6:25-Don’t need Social Engineering but doesn’t hurt
  11. 6:45-5 main areas-Slides*ElectronicAC: wide range *Egress: any hardware that involves in/out – frequently overlooked.
  12. 7:50-Let’s talk latches-What are standard latches / found in all exits and some entries-slides*A latch is in all doors that will remain closed without being locked*To open a latch just means depressing it*Guards: prevent shimming*Deadlatch (if the bar is all the way out then the latch can be depressed)
  13. 9:50-Most don’t think about-Slides-Simple under door/ Balloon*push bars – for exits but drill a hole and use a wire*button: access from the other side*infrared/motion sensor: wiggle under door, balloon
  14. 12:00-Once understood not overly complex/secure-Read Slides-false alarms / remote / response time
  15. 15:40-Things attacker won’t know /will trip/ or etc…-Slides
  16. 16:15-Cameras good, record lots, if resolution OK good for identification-Not aware of breaches right away-Even 24/7 monitored not obvious-ID cards not inspected, easy dupe-Guards respond not detect, 2 guards
  17. 18:10-Easy replay streams-Hard to cover all areas-Most not High Quality
  18. 18:35-EAC used by most major medium/large and some small-Slides-Auditing not always secure
  19. 19:30-Slides
  20. 20:50-Slides-Images-Tolerances-Lifted/captured-Photoshop
  21. 22:40-Slides-Use comfort vs tolerances-kb strokes easy to analyze
  22. 24:35-Slides
  23. 27:00-Slides-Zac Franken – Replay, Deny, Escalate, output-Rolling Code Garage/IR devices
  24. 29:50-Slides
  25. 30:00-Slides
  26. 31:15-Slides
  27. 31:55-What most people think of-Slides
  28. 32:45-Similar to past shimming-Slides
  29. 33:40-Slides
  30. 35:30-Combo lock/egress attack-Slides
  31. 36:00-Slides-2-15 min for locksmith-Talk about as can be done over time-Working key prepped before for use later
  32. 36:45-Slides-Work on all non and some high sec locks-Under 5 minutes of instruction
  33. 37:30-Slides
  34. 38:30-Give examples of each: bumping Mul-T-Lock or Primus, rights amp Medeco/Primus/ASSA or key dup Medeco M3-Slides
  35. 39:30-Slides
  36. 40:05-Slides
  37. 41:50-Slides
  38. 42:15-Slides
  39. 43:00
  40. -Slides