Abstract

Billions of dollars are spent globally on technical controls for information security. Most, if not all, of these controls can be overridden by the implicit trust that someone with physical access has to a system. Yet, physical security is often the easiest control to circumvent.

This talk will focus on ways a legal, ethical, and authorized penetration tester can prepare themselves to inspire trust in those protecting their target allowing them to gain access to protected areas.

This talk will look at the physical signs that someone doesn’t belong in an area and how to create a persona that “belongs”. During the talk we will compare different outfits and uniforms used by workers who would be expected to be in controlled areas. The talk will also look at paralanguage and body language that can be used to put people at ease.

The talk will cover:

Why physical access controls are critical
Tales of “Physical Access Gone Wrong”
Uniforms, attire, and details that give away an imposter
Paralanguage – What to say to put people at ease
Body language – What to do to put people at ease
“The Getaway” – How to get out gracefully
Preventing Interlopers – What can you do to stop attackers using these techniques

By the end of the talk the audience should be able to leverage these techniques to test their own security program, bolster their approved penetration testing program, and develop new controls to prevent physical attackers.

Bio

Ean Meyer is an information security professional working in Central Florida. Ean’s current focus areas are PCI, FERPA, HIPAA HITECH, Intrusion Detection and Prevent Systems, Information Security Program Management, Penetration Testing, and Social Engineering/User Awareness Training. Ean has a BS in Information Security and an AS in Computer Network Systems. Ean also holds a CISSP certification. He runs the blog www.thetheaterofsecurity.com.