31 October 2014

Ch Ch Ch Ah Ah


Happy Halloween!  Everybody deserves a good scare now and then, and we in the security field see more than our share of spinetinglers.  The jump-out-and-say-boo stuff is one thing, but there’s one thing that gives me the creeps more than anything:  Thinking you’re safe when you’re not.

Unfortunately we see a lot of that in InfoSec these days.  Many promises are made, architectures are reviewed, and risks are deemed “acceptable.”  Management leaves the room with a perception of security that doesn’t match reality.  All too often this is because we believe that the investments we’ve made, just on face (or dollar) value, will stop the bad guys.  But what happens when we put our perceptions to the test?

Take a look at the door in the picture.  It’s solid core, with reinforced glass and a sturdy frame.  Employees are required to provide something they have (a key card) and something they know (a PIN).  Seems legit, and since systems like this can go for $20,000 and up, most folks would say the door is secure.  Too bad attackers don’t feel the same way, and this $20,000 investment is about to be thwarted by a six dollar trip to Home Depot.

The attacker sees a door that’s too strong to kick in, and that uses an access control system that would take too long to hack.  Why go through the access controls when you can bypass them altogether?  Using a homemade under-the-door hook shown below got us through the door in under a minute.  We didn’t even go bump in the night.


Thinking about this in the context of your web facing assets, is your security more perception or reality? Despite all the compliance boxes being ticked, the Synack Red Team finds a critical (CVSS of 7 or greater) in 90% of environments.

Sleep tight.