April 18, 2015

Companies invest a lot in IT Security equipment these days, but more than often especially small and medium sized businesses fail on physical and human security.

Many of our assessment contain an onsite piece where we are tasked to enter restricted areas and photograph the progress we made. Whilst social engineering (pre-texting, tail gaiting) is responsible by far the most successful security breaches, simple plain lock picking works in so many cases.

Businesses (and individuals) think that a standard door lock, cabinet lock etc. will do. Unfortunately even the most basic lock picks are often successful against standard locks. For us it’s shocking to see that companies invest hundreds of thousands of dollars in latest Firewall, IPS and DDoS solutions and then have their cabinets locked with basic rack locks in standard rooms. More often Racks are even not locked at all. In more than 50% of the cases neither the server rooms, nor the racks are locked. Better security exists when hosted in Data Centers but that’s normally only affordable for larger clients.

We highly recommend to have Physical Security evaluated on a regular basis. You may have read our previous articles around the IT Security (or better lack of IT Security) in Latin America, but we must say that Latin America is ahead and far advanced when it comes to Physical Security around the SMB markets and those breaches are not as frequent as in other countries due to tight physical security.

For Physical Security Audits, Pentesters can purchase Lock Picks in online shops such as:




April 4, 2015

Here’s another impressive video from the Tiger Team. This time they are breaching physical and logical security at a car dealership as part of an authorised Penetration Test.



March 19, 2015

Surely a lot of our readers have seen the TIGER PENTEST TEAM videos. If you haven’t however, take those 20 minutes and watch it. It’s an impressive documentation of a successful full scale Security Breach into a Diamond store. The group uses IT, Social Engineering and other techniques to defeat all security systems.



Physical Security Checklist

Author: Martin Voelk
November 30, 2014

Visible Security

  • Is the facility visible from the street during both the day and night so that roving patrols can conduct external security checks?
  • Are all entrances and exits visible from a distance and well-lit in the evening? Such visibility provides a deterrent to crime and assists employees in the event of an evacuation.
  • Are shrubs cut to mid-point of window or lower?
    Low shrubbery discourages crime and provides a safer work environment.
  • Are tree limbs cut at least six feet from ground level?
    This policy increases visibility and helps deter crime.
  • If the property incorporates fences into to its security, are they in good condition?
  • Have you installed motion-activated lights around entrances and exits?
    This type of lighting has been shown to deter criminal activity.
  • Are all pathways and parking areas well-lit?
  • Are pathways and parking lots patrolled?
  • Are pathways and parking lots equipped with emergency communication equipment that links to a centrally-monitored or police system?

Location Security

  • Are details on the business’ location listed on an outside directory?
  • Does the organization’s website provide detailed information on the building’s location?
  • Does the organization’s website provide detailed information on the location of the management team?

Lockdown Security

  • Are all doorways and exits easily accessible and clear of blockage?
  • Do all doors and windows close completely?
  • Do all doors and windows have working locks?
  • Are doors and windows alarmed and monitored?
  • Do all sliding windows have anti-slide locks?
  • Are curtains, blinds or other privacy providing covers installed on all windows?

Access Security

  • Is outgoing mail accessible only to the Postal Service or other designated carriers?
  • Are all deliveries and delivery personnel monitored when inside the facility?
  • Are all incoming deliveries inspected before being delivered to the designated recipient?
  • Are all visitors asked to sign in on any visit to the facility?
  • Are visitors assigned a temporary security badge?
  • Are employees instructed to visibly display security badges?
  • Are employees instructed to challenge anyone not wearing a security or visitors badge?
  • Can windows, heating-ventilating air conditioning (HVAC) equipment, and doors be secured in the event of the release of hazardous material?