Share this post

🔑 Key Takeaways

  1. Security measures should be spread out throughout the entire vault, including cameras and sensors in walls, and businesses must plan for employee departures to prevent major security risks.
  2. Small opportunities can lead to great things. Physical security is crucial, and proper security measures must be implemented to ensure safety. A simple door can be easily bypassed without proper security measures.
  3. Elevators may not be as safe as you think - physical penetration testing is essential to fully understand the security measures in place and how they can be bypassed. Don't underestimate the importance of testing and securing elevators.
  4. Physical penetration testers provide value through their expertise and detailed reports, while locksmiths can adapt their skills to become physical penetration testers. Successfully breaking into a building requires an understanding of not only physical access, but also detection avoidance and response management.
  5. Penetration testing requires both technical skills and physical access, with critical thinking being an essential aspect. In analyzing the situation carefully, a diverse set of skills between team members is mutually beneficial for successful penetration testing.
  6. Electronic door locks can be vulnerable if the sensor position is known. A straw-fed with propellant can trigger the sensor and open the door. Remote access requires Dropbox.
  7. Always carry your access card and be aware of security protocols in public spaces to avoid close encounters and potential security breaches.
  8. Confidence and adaptability are key skills to navigate unfamiliar situations, while industry knowledge and appearance facilitate effective communication.
  9. Testing a company's security involves assessing the physical building, people and electronics. Ethical testers prioritize not causing harm or danger while tricking employees, while also ensuring clients' security posture is protected without exposing them to danger.
  10. Conducting regular penetration tests is crucial for identifying vulnerabilities in physical security measures. Thinking outside the box and being adaptable are essential in this process.
  11. Regular penetration testing can identify security vulnerabilities and promote preparedness for unexpected situations, ultimately safeguarding sensitive information and assets from potential security breaches.
  12. Before conducting physical penetration tests, obtain a genuine authorization letter from a high-ranking official in the company. Be discreet and avoid raising suspicion to avoid being caught, as emotional investment and attention to detail from employees can lead to exposure.
  13. Creating a positive work environment by paying employees fairly, providing benefits and recognizing their contribution can lead to increased efficiency in security measures. Preparing for possible breaches and having an alternate team plan can ensure a sustainable security system.
  14. Thorough preparation and meticulous planning with a cross-disciplinary team of experts, including the use of advanced equipment, can help handle any challenges and lead to success in a large-scale job.
  15. Companies invest in hiring Red Teams to test their defenses and identify any vulnerabilities that can be exploited. They use advanced tools such as SpotterRF, which helps track potential threats.
  16. Understanding the entry points and gate systems of a secure facility can help gather valuable information, even in the face of tough security measures.
  17. Regular security system audits and updates are crucial in minimizing the risk of security breaches. Guards must be trained to check trunks and other areas during inspections to prevent potential gaps in security.
  18. Companies must educate their employees to be alert and cautious of social engineering tactics, frequently evaluate and enhance security measures, and ensure their employees use their security badges effectively to prevent unauthorized access.
  19. Proper building security requires constant upgrades and various levels of security from outer perimeter to innermost sensitive areas to prevent unauthorized access.
  20. In the complex world of security testing, being prepared with backup plans and utilizing creative distractions can be crucial in identifying vulnerabilities and preventing potential breaches. Clear protocols and communication are also essential elements for success.
  21. Being aware and facing the dark with others can make things less scary. Engage with allies, learn from security assessments, and improve to overcome fear.

📝 Podcast Summary

Importance of Effective Vault Security Measures

Security measures should be spread out throughout the entire vault and not just focused on the door, as demonstrated by the robbery of a bank vault in Antwerp. Physical penetration specialists, like Deviant Ollam, are experts in identifying and exploiting these vulnerabilities. It's important for businesses to have a plan for when employees with key access leave, as it creates a major security risk. Antwerp's diamond district is a hub for the world's diamond trade, but it also attracts criminals who want to steal those diamonds. This reinforces the importance of having secure facilities, including security measures spread out throughout the entire vault, such as cameras and sensors in the walls of the vault.

From Break-in to Physical Security Consultant: The Story of Deviant

The story of Deviant breaking into a law firm's locked IT room with just a folder led to him being called back to the office to do a full penetration test which eventually resulted in his career as a physical security consultant. Deviant's locksmith skills made him popular, which kickstarted his career as a trainer, consultant, and advisor in physical security. He now has more than one company and is breaking into safes on army bases. His story is a perfect example of how small opportunities can lead to greater things. The incident also highlighted the importance of physical security in office buildings, and how even a regular door can be easily bypassed if the proper security measures are not implemented.

Elevators and Physical Security Measures: What You Need to Know

Elevators are not as secure as one thinks. Common keys used by a lot of elevators are not hard to get. It is necessary to test the security of elevators and not consider them as a mysterious box that only the technician knows how to control. Deviant has extensive knowledge of bypassing physical security measures and loves to teach others. Physical penetration testing is essential to understand different security measures, locks, and doors. Deviant has given more talks about security conferences than anyone else. There are millions of ways to get a locked door open; one of them is shim it open. Whole doors installed backwards allow you to take the door off without touching the lock.

The Similarities and Differences Between Physical Penetration Testers and Locksmiths

Physical penetration testers and locksmiths share a common skill set, but physical penetration testers also deliver value through their comprehensive knowledge and the report they deliver. Locksmiths are often guarded with their knowledge, but as the field of information security evolves, more locksmiths can become physical penetration testers. The success of a physical penetration test is not just getting into the building, but also avoiding detection and dealing with responses effectively. While physical penetration testers and locksmiths have overlapping skills, they have different mindsets. Physical penetration testers can break into a building and teach their clients how they did it, while locksmiths are often hired to simply break into a building.

The Importance of Physical Access and Critical Thinking in Penetration Testing

Penetration testing companies team up to access a building's network and test its security. Physical access is crucial for gaining remote access, and having a diverse set of skills between team members is mutually beneficial. Deviant checks out the building before attempting to gain access and realizes that the security is concentrated at one point of entry, leaving other areas vulnerable. Deviant uses a checklist to assess vulnerabilities in the building's doors before finding an easier way in. It's not just about having special tools but analyzing the situation carefully. Testing security is not just about technology; it also involves physical access and critical thinking skills, which are crucial for successful penetration testing.

Exploiting Electronic Door Locks with Propellant Cloud Triggers

Physical access control systems with electronically locked doors can be exploited by triggering the sensor with a little cloud of propellant to open the door. These sensors are very common in access control environments that detect egress events. A sensor detects impending egress events through motion sensors. A straw-fed with propellant can be used to trigger the sensor, and the door will pop open. However, this method is successful if the sensor position is known. You need to know where the sensor is located in the vestibule to trigger it. In addition, leaving a computer to access from a remote location requires a Dropbox.

Importance of Access Cards and Security Protocols in Public Spaces

Deviant, a security consultant, found a place to hide in an elevator after forgetting his access card in his hotel room. He decided to put the elevator on independent service mode and soon found himself relaxing and scrolling through Twitter. However, after a couple of hours, he heard a loud banging noise that he assumed was the cleaners. But to his surprise, it was a security guard who had noticed he was in the elevator and had taped a notice that the elevator was out of service. Deviant had a close encounter and realized the importance of having access cards and being aware of the security protocols to avoid such incidents in the future.

The Importance of Confidence and Adaptability in Unexpected Situations

The power of confidence and a little bit of knowledge can get you far. By acting confidently and using industry jargon, the protagonist was able to convince a security guard that he was a technician and gain access to restricted areas. This shows how appearance and language can be important in convincing others of your abilities and expertise. However, it also emphasizes the importance of being able to think on your feet and adapt to unexpected situations, as the protagonist was able to do when thrown into a situation that was not according to plan. Overall, this story showcases the importance of confidence, quick thinking, and adaptability in navigating unexpected situations.

Importance of Ethical Testing in Company Security

When testing a company's security, it is important to test all aspects including the physical building, people, and electronics. Deviant Ollam, a professional social engineer, believes in a moral code in testing people which involves not causing harm or putting anyone in danger. He tricked a guard into thinking he worked for the elevator company but also gave the guard opportunities to verify his credentials. Social engineers want people to feel better for having met them instead of leaving them feeling awful about being deceived. However, not all bad actors have the same moral code and can resort to violent means to access company data. Deviant believes in giving clients a win by testing their security posture but also ensuring that they are not exposed to any danger.

The Importance of Creativity and Strategy in Penetration Testing

Penetration testing requires creativity and strategy. Deviant and his team used a search-and-rescue dog and social engineering tactics to gain access to a facility in a small town. They avoided contact with employees by going at night and on a Sunday. By compromising the RFID key cards, Deviant was able to gain access to sensitive areas. This emphasizes the importance of testing physical security measures and highlights vulnerabilities that may go unnoticed without testing. It also shows the value of thinking outside the box and being adaptable in the face of challenges. Companies should consider conducting regular penetration tests to identify weaknesses and improve their overall security posture.

The Importance of Effective Penetration Testing

Penetration testing involves attempting to breach security measures to identify vulnerabilities. The team in this story used social engineering tactics to gain access to a factory, replicating employee badges and dressing the part. While they were successful at getting inside, they encountered an unexpected employee who was suspicious of their presence. Despite the risk, they were able to leave without incident. This highlights the importance of testing security measures and being prepared for unexpected situations. Effective penetration testing can help identify vulnerabilities and prevent security breaches, ultimately protecting sensitive information and valuable assets.

The Importance of Authorization and Discretion in Physical Penetration Tests

When conducting physical penetration tests, it is crucial to carry a letter of authorization from the company, preferably from someone high up who can vouch for you. If caught, this authorization can act as a 'get-out-of-jail-free card.' However, it is important to use a genuine authorization letter, as a fake one can easily be uncovered. Deviant and his crew were caught during a security test and could not lie their way out of it. The employee caught them and checked the authenticity of their letter by calling the company head of security himself. It is also important to be discreet during physical penetration tests and not raise suspicion. The employee caught them because he had emotional investment in the company and was attentive to details.

Investing in Employees for a Stronger Security System

Investing in employees and creating a positive work environment can lead to a stronger security system. Having employees who care about what's going on and are invested in their company can act as the best line of defense. It's important to pay employees properly, give them real benefits and reward them. The success of being caught in a security breach lies in catching it for all the right reasons, as it reflects on the efficiency and effectiveness of the security system. It's important to have a list of sensitive assets and formulate a series of attack chains to prepare for possible breaches. In case of burning out of one team, having an alternative plan could be beneficial.

Deviant and his Cross-Disciplinary Team's Preparation for a Large-scale Job

Deviant and his team of cross-disciplinary experts embarked on a large-scale job, which required thorough preparation and meticulous planning. This included using long-range cameras, drones, and full badge-printing machines. The team consisted of experts in electronics, surveillance, physical tactics, and social engineering. They had to rotate rental cars constantly and drive long distances to get to the site. The initial phase of the job involved rigorous reconnaissance, including driving by, long-range camera work, and crawling through fields in hunter's camo. The job was scaled so vast that they even brought along interns, making them a whole Oceans Eleven crew. They were ready for anything, which helped them prepare to handle any challenges they faced during the job.

Red Teams and Advanced Tools Used to Test and Improve Company Security

Companies invest a lot of money in their security systems to detect and stop any sabotage or intrusion. Hence, they also hire red teams who attack their own company to find weak points that an adversary may exploit. Getting past such systems requires elaborate planning, reconnaissance, and gathering key information. Threat actors may spend an entire night in the dirt with long-range glass to learn which employees go through which doors, when security patrols come around and when they don't. The red team engages in such activities to test their defenses and improve security. Companies have sophisticated tools, such as SpotterRF to detect motion sensing in a field, which can be used to track a potential threat.

Overcoming High-Security Measures Using Surveillance and Gate System Expertise

Creating a fake profile is difficult and time-consuming, requiring a history and connections, like planting crops. Deviant was able to determine that the only entry point to a secure facility was through the vehicle checkpoint, which utilized a badge-reader and gate arm. Understanding the gate system allowed them to identify potential exploits and gather valuable surveillance footage. Ground loop sensors were used to detect vehicles and prevent gate arm damage, making foot entry impossible. Despite the high-security measures, Deviant was able to gather information and plan their next move using their expertise in surveillance and understanding of gate systems.

The Dangers of Tailgating Attacks and How Attackers Breach Security Measures

Security systems can be vulnerable to tailgating attacks where someone closely follows another person through a secure checkpoint. By using social engineering tactics and carefully planning a backup strategy, it is possible to breach security measures. In this case, the attackers created fake badges and used a dwell time workaround to follow a car through a gated checkpoint. They also planned for multiple exit strategies in case of an emergency. The guards on duty did not check car trunks, leading to a potential security gap. These insights highlight the need to regularly audit and update security systems to minimize the risk of breaches.

The Power of Social Engineering in Unauthorized Access to Secure Areas

Social engineering is an effective tool to gain access to secure areas. The three teams used different tactics such as tailgating and pretending to be new employees to get into the facility. They thoroughly inspected the area by checking doors and taking note of the tolerances in order to exploit their way in. It is important for companies to train their employees to be aware of these tactics and to always use their badges properly. Companies also need to regularly inspect their premises for any vulnerabilities and to implement stricter security measures to prevent unauthorized access.

The Importance of Defense in-Depth for Building Security

The importance of defense in-depth for proper building security is highlighted through the experiences of the hackers who were able to gain access to sensitive areas by being sloppy and prop doors open with doorstops. They were surprised to find that they were not actively being challenged and were able to get into multiple sensitive rooms without being caught. The hackers decided to step it up and try to see what level of noise it would take to make the employees report them to security. The customers even suggested they try drilling a door which they paid for. This highlights the importance of constant upgrades and various levels of security starting from the outer perimeter to the innermost sensitive area.

The Importance of Backup Plans and Creativity in Security Testing

The importance of having a backup plan and being creative when the original plan fails is highlighted in this story, as the protagonist uses distractions like setting off alarms and biking around to divert attention while his team successfully completes their mission. The story also emphasizes the value of communication and the need to have clear protocols in place, as the security guards suggest calling for remote access instead of causing a commotion. Overall, the story highlights the complex nature of security testing and the need for thorough planning and execution to identify vulnerabilities and prevent potential breaches.

Facing the Dark with Allies: Lessons from a Security Assessment

The story emphasizes the importance of being aware rather than living in fear. Going into dark places with friends and allies can make things less scary. This client's security assessment showed the need for improvements, and their engagement with the team was over. The team successfully defeated security, and the client loved hearing about all the different ways they were able to do it. The exercises were a great training exercise for everyone involved. It is the artist's job to take people into the darker places. Darkness is not scary because it's dark, but because you don't know what's in it. Therefore, it's crucial to face the dark with friends and learn from it to improve.