[001spartan]

If you did this job, you would not be surprised by the ease with which you can pull off these sorts of things. I've been doing this for a couple years now, and it's terrifyingly easy to compromise data or physical security for organizations that really should know better.

[logfromblammo]

You can pick office furniture locks with a binder clip and a paper clip, which you can often find in the unlocked portions of the office furniture. The paper clip is permanently disfigured in the process, but the binder clip can be put back unharmed.

I know, because I have actually done this occasionally, to remind myself to never leave anything valuable at the office. It can take less than 60 seconds to go from empty-handed to an opened lock. A few more seconds to re-lock it with your makeshift pick.

Cheap locks might as well not exist to a professional attacker. They barely exist for an amateur motivated by curiosity or boredom.

Door locks are a bit more difficult, and may require more sophisticated tools, but those are left unlocked more often, for the extremely ironic reason that the employees that have greatest use for them typically don't have the keys. The only keyed doors that ever get locked are upper management offices, the office supply closet, and wherever it is they keep the sodas and snacks for visiting customers.

As with online security, companies are only willing to pay for the illusion of security. Genuine physical security is difficult, expensive, and wears heavily on employee morale.

[001spartan]

That's very true. In many cases, that's even _perfectly fine_. Not every organization needs enough physical security to deter a determined attacker. The ones that do hire people like Sophie (or me), and take the lessons to heart. Even if the organization doesn't make changes to their physical security posture as a result, they know what to be aware of, and they know where their weaknesses are.

A lot of our security--both network and physical--is based on the illusion of security. One of the most important things that penetration testing does is to make organizations aware of the issues, to put the bug in their ear to remind them that security is important, and shouldn't be an afterthought. We see lots of organizations make material improvements to their security as a result of red team exercises. We also see a lot of organizations that don't. It's disheartening when that happens, but I like to think I help make a difference. The next data breach might be mitigated by our recommendations, or even prevented entirely.

[salamancara]

Heard a story recently of a major MSP forgetting to disable the Ethernet port on the back of a set top box, and it provided access to a VLAN with direct access to the company’s back-end systems. They didn’t have passwords on many of their databases because they assumed the firewall would protect them. Pwnage ensued.

This is a big company you have definitely heard of. You didn’t hear about the data breach because they basically paid the hacker off with a security consulting contract, then said he was a pen tester. This happens all the time.

Most companies are really bad at security. The bigger they are, the worse they are.