Billions of dollars are spent globally on technical controls for information security. Most, if not all, of these controls can be overridden through the implicit trust given to someone who has physical access to a system. Yet physical security is often the easiest control to circumvent.
This talk will focus on ways a legal, ethical, and authorized penetration tester can prepare themselves to inspire trust in those protecting their target, allowing them to gain access to protected areas.
This talk will look at the physical signs that someone doesn’t belong in an area and how to create a persona that “belongs”.
During the talk, we will compare different outfits and uniforms used by workers who would be expected to be in controlled areas. The talk will also look at paralanguage and body language that can be used to put people at ease.
The talk will cover:
- Why physical access controls are critical
- Tales of “Physical Access Gone Wrong”
- Uniforms, attire, and details that give away an imposter
- Paralanguage – What to say to put people at ease
- Body language – What to do to put people at ease
- “The Getaway” – How to get out gracefully
- Preventing Interlopers – What you can do to stop attackers using these techniques
By the end of the talk, the audience should be able to leverage these techniques to test their own security program, bolster their approved penetration testing program, and develop new controls to prevent physical attackers.
Slides in PDF can be found here: