Skip to content ↓ | Skip to navigation ↓

picSecurity BSides Orlando is just days away, taking place on April 5th and 6th, and in advance of the event we are highlighting a few of the innovative sessions they have scheduled.

Security BSides Orlando is a community driven event seeking to bring together anyone with a passion for making, breaking or protecting, and they welcome newbies, experts and anyone in between.

First we looked at a session by Lee V. Mangold (@LeeMangold) titled Open Source Security: Security Poverty and the Small Enterprise, then at a talk to be delivered by Alex Hutton (@AlexHutton) titled Alex Dreams of Risk, and Luis “Connection” Santana’s (@hacktalkblog) talk Phishing Like the Pros.

Now we’ll take a peek at a session by Jess Hires (@Hacksonville) titled Physical Security: From Locks to Dox, where he will talk in-depth about the function of locking systems and their vulnerability to manipulation.

Hires is an information security professional and locksport enthusiast who specializes in physical security and penetration testing. He operate the Lock Pick Village at BSides Orlando and other small regional security conferences, and assists at larger conferences with the TOOOL group.

He is the Founder & Coordinator of Jax Locksport (an official TOOOL Chapter), the Coordinator of Jax2600/DC904, Founder & Coordinator of the upcoming BSides JAX Security Conference, and the President of the Jacksonville Linux Users Group (JaxLUG).

“I like to teach people about Linux, hacking, and lock picking in my free time,” says Hires. “And this BSides session should be considered an intro to physical security penetration testing.”

To understand how to manipulate any system, Hires says one must first understand how it works, so he will first describe the mechanics of various types of common locking mechanisms and provide a detailed look at how they operate.

“Systems covered will include pin-tumbler locks, wafer-tumbler locks, combination locks, as well as mentioning some higher-security systems,” Hires said. “I’ll talk about various methods of attack for each of these systems – picking, manipulation, bypass, etc. – and the tools necessary to implement these attacks.”

Hires says physical security is a subject everyone deals with every day, both in our professional and personal activities, whether we realize it or not. From the locks on our homes to the security controls protecting our company secrets, physical security permeates our lives.

“The more we understand the weaknesses of the tools protecting us, the more we can reinforce ourselves to protect from attack,” Hires said. “And while this talk is intended for Penetration Testers, this information applies to everyone because if you understand how to look for weaknesses is a security measure, you can better understand how to protect it.”

Hires says the attendees will learn the basics of lock picking, techniques for bypassing locking systems, and how to look for physical security weaknesses in general.

“These skills will be useful in many ways for network penetration testing, including gaining physical access to target machines, being able plant a device on the targeted network, and finding data like passwords and network diagrams that may assist with intrusion efforts,” Hires explained.

He warns that the biggest issue pentesters should be cautious about is making sure their client has authorized everything they intend to do in a penetration test, including breaching physical security devices.

“If it’s not clearly delineated in the statement of work (SOW), you could be facing legal action, so never attempt these techniques without proper permission and documentation.”

Hires says physical security will always be relevant in penetration tests, even as data and services are moved to “cloud” platforms, because information still physically exists somewhere and companies will still have office buildings loaded with sensitive data.

“While the challenges might become greater over time, the principles of physical security and its vulnerabilities will never change.”

 

Related Articles:

 

Resources:

picCheck out Tripwire SecureScan™, a free, cloud-based vulnerability management service  for up to 100 Internet Protocol (IP) addresses on internal networks. This new tool makes vulnerability management easily accessible to small and medium-sized businesses that may not have the resources for enterprise-grade security technology.

 

picThe Executive’s Guide to the Top 20 Critical Security Controls

Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].

 

Title image courtesy of ShutterStock