Penetration Testing: RE: physical security pentesting procedures, tips, audit programs?

["Todd Towles" <toddtowles () brookshires com>]

Frank, If I remember correctly Xyberpix stated that they should be
hidden. St8r from his e-mail

 " be allowed, stick a business card somewhere out of site, and make a
note of it."

Therefore I understand your point but fail to see the bad idea. You need
to prove you were in a area...I could walk in your office and tell you
that I was in a area but wouldn't it be better to take a member of
management around with you as you pick the cards up? The general staff
wouldn't know what is going on...and sorry to say it but the test is
designed to find the sorry security, not hide it.

Just my 2 cents. 

> -----Original Message-----
> From: Frank Knobbe [mailto:frank () knobbe us] 
> Sent: Thursday, December 09, 2004 2:05 PM
> To: Todd Towles
> Cc: xyberpix; Vic N; Pen-Test[List]
> Subject: RE: physical security pentesting procedures, tips, 
> audit programs?
>
> On Tue, 2004-12-07 at 14:56, Todd Towles wrote:
> > Very good idea xyberpix, I like the business card idea. 
> >
> > Growing off of xyberpix's idea - If you have time...write 
> the date and 
> > the time on the back of the card while placing it. The 
> dates could be 
> > written on the cards beforehand to reduce the time it 
> takes. Then you 
> > will have a written account of time you were in a area.
> Uhm, very bad idea in my opinion. I do not believe that your 
> sponsor (usually management) would appreciate if you let the 
> employees, or even public, know how far you compromised the 
> security and how weak it looks.
>
> Imagine doctors and/or patients spreading the story of 
> janitors going around leaving calling card that "they were 
> there". You might as well put up posters that say "Your 
> security sucks". Would have the same effect on your sponsor, 
> which will undoubtedly "shorten your final engagement".
>
> Instead of leaving cards/clues that you were there, I 
> recommend you take pictures with a digital camera. When we do 
> physical security checks, we document the violations in the 
> report with the pictures as proof (like a stack of sensitive 
> documents sitting unguarded in the hallway, unlocked 
> cabinets, or the all time favorite, logged-in 
> administrator/supervisor workstations :)
>
> A picture speaks more than a thousand words. But you should 
> keep your findings confidential and only disclose it to your 
> sponsor. You owe him that much at least.
>
> Regards,
> Frank