April 18, 2015

Companies invest a lot in IT security equipment these days, but more often than not, small and medium-sized businesses in particular fail on physical and human security.

Many of our assessments contain an onsite piece in which we are tasked with entering restricted areas and photographing the progress we made. Whilst social engineering (pretexting, tailgating) is responsible for by far the most successful security breaches, plain and simple lock picking works in a great many cases.

Businesses (and individuals) think that a standard door lock, cabinet lock, etc. will do. Unfortunately, even the most basic lock picks are often successful against standard locks. For us it is shocking to see companies invest hundreds of thousands of dollars in the latest firewall, IPS and DDoS solutions and then have their cabinets secured with basic rack locks in ordinary rooms. More often still, racks are not locked at all. In more than 50% of the cases neither the server rooms nor the racks are locked. Better security exists when equipment is hosted in data centers, but that is normally only affordable for larger clients.

We highly recommend having physical security evaluated on a regular basis. You may have read our previous articles on IT security (or rather the lack of IT security) in Latin America, but we must say that Latin America is ahead and far advanced when it comes to physical security in the SMB market, and such breaches are not as frequent there as in other countries thanks to tight physical security.

For physical security audits, pentesters can purchase lock picks in online shops such as: