Physical Security Question

Alright, I have a client busting my chops on our finding that they
aren't signing in/out unauthorized employees and vendors entering their
data center.  I've tried explaining the reasoning, but the client would
like additional guidance in the way of published baseline guidelines
and/or standards that support our claim they should maintain a log of
people going into and out of the data center who aren't typically
allowed access, and shouldn't be relying on the receptionist sign-in
and data center cameras as the sole means for preventing unauthorized

As we all know, receptionists hardly ever remember to sign visitors
in/out all the time, and I demonstrated that fact to them during our
social engineering testing: I was able to piggyback into the data
center on numerous occasions. Not once did the client or any of their
staff bother to look at their video footage and care to question
my presence, but this apparently isn't going to be enough.

Any help would be greatly appreciated.  Please send your responses to

Re: Physical Security Question

Signing in/out has nothing to do with security - a method should be in
place so that no-one gets into the data center without an escort or
without a pass card/code. Only employees that show each other their
cards should be permitted into the data center; since an employee can be
canned at any time, just knowing the person is not enough to allow them
to walk in with you.

Physical security has nothing to do with cameras or a secretary.

remove 999 in order to email me

Re: Physical Security Question

On Tue, 20 Dec 2005 14:37:36 +0000, Leythos wrote:


Hate to burst your bubble there, but t'ain't-a-gonna happen. Ten years as
a rent-a-cop served to convince me of the fact.

Here's an all-too-typical case in point: client had doors that would not
lock. We informed them of the fact. Repeatedly. Then one night, a
brand-new laser printer disappeared from one of the client's tenant
spaces. They blamed us, we invited their attention to our prior reports.
They still blamed us. And four years later, the doors were in worse
condition than when that little incident took place, despite monthly,
sometimes weekly and on rare occasion daily requests to have them looked

My advice? Fill out your report, enclose your bill, send it to the client
by registered mail with cc to your corporate counsel, turn the bill over
to your collection agency/attorney, and call it a day.

Re: Physical Security Question


They were at least smart enough to hire y'all for whatever reason.
Why did they say they hired you?  Is this an audit they've had done
for some sort of regulatory compliance?  If so, show them that if they
don't understand the common sense of why this is worrisome, maybe
they'll respect that they're non-compliant with regulation.  If
they're a health care entity, point them to HIPAA's physical security
guidelines that talk about secured access to the data center.

Tell them there's an entire domain on physical security within the
most common security certification in the world.

Ask them if they'd run their systems without a password.  If they say
"of course not", then make sure they understand crystal clear that
physical access to a box allows people to circumvent password security
trivially.  If they aren't preventing people from getting to the data
center, they may as well be running their business off an open kiosk
at a shopping center.

If they're not listening, they're paying you to bang on the table and
give them religion and tell them all the things a person with physical
access can do.  Network sniffing, passwords, data corruption, data
loss, data theft, corporate espionage, stealing their servers,
intercepting all communication, rerouting traffic, physically
endangering their employees, making them liable to lawsuits should
someone cause harm to another and they've expended no due diligence
against things despite a documented finding by a reputable security
firm, destroying their entire business.


No thank you.

Please at least have the courtesy to read replies here and participate
in the community if you're asking help from it to the benefit of your

Best Regards,
Todd H. /

Re: Physical Security Question

Thank you Todd for the reply and additional information.  Yes, we were
hired to perform an audit and tiger testing of physical and logical
security.  Didn't mean any offense by asking you to respond to my
e-mail addy.  Will mind my manners in future posts.

Re: Physical Security Question


Depending on their demeanor you could appeal to their financial senses
and inquire: "I'm not sure why you're paying for this audit and testing
if you are expending more effort pushing back on the findings than
fixing them.  Trust me, and the money you spent to bring me here, when
I tell you that your physical data center security and the processes
associated with it are woefully inadequate.  Badge readers on doors are
recommended, as are badge-access-controlled man traps for the most
sensitive areas of your data center, and no outside vendors are to be
allowed into these secured areas without an employee escorting them at
all times.  Write these procedures into the employee terms of
employment, and have the employees review and certify these guidelines
annually at review time so they can't plead ignorance of them."

There's a great quote from defcon that's applicable too.  I don't
recall the exact wording but it was close to: "People don't want
security.  They want a rubber stamp that says they are secure."

Sounds like your client is cut of this cloth.

Best Regards,
Todd H. /
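The thread's practical point is that a receptionist sign-in sheet and cameras nobody reviews give you no record you can actually check, whereas a badge reader on the data center door plus an escort rule produce logs that can be reconciled. The script below is an added example, not code from any poster in this thread, showing what that reconciliation looks like: it compares constructed door-controller events against a constructed front-desk sign-in sheet and flags visitor entries that are missing from the sheet, entries with no employee badging in within the escort window, escorts who left while their visitor was still inside, and people never badged or signed out. The log formats, badge ids, names and the 30-second escort window are all assumptions made for the example.

```python
"""Reconcile a data-center door log against the front-desk visitor log.

Added example (not from the thread). Every log line, badge id and name
below is constructed for illustration; the formats are assumptions.
"""
from datetime import datetime, timedelta

# Constructed door-controller events: timestamp, badge id, holder type, direction.
DOOR_LOG = """\
2005-12-20T09:00:12 B1001 employee in
2005-12-20T09:00:15 V0007 visitor in
2005-12-20T09:45:00 V0007 visitor out
2005-12-20T09:45:03 B1001 employee out
2005-12-20T13:10:40 V0008 visitor in
2005-12-20T13:25:10 V0008 visitor out
2005-12-20T14:02:05 V0009 visitor in
2005-12-20T14:02:07 B1002 employee in
2005-12-20T15:30:00 B1002 employee out
"""

# Constructed receptionist sign-in sheet: badge id, name, sign-in, sign-out (empty = never).
VISITOR_LOG = """\
V0007,Alice Vendor,2005-12-20T08:55,2005-12-20T09:50
V0009,Carol Contractor,2005-12-20T13:58,
"""


def parse_door_log(text):
    """Return door events as (time, badge, kind, direction), oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, badge, kind, direction = line.split()
        events.append((datetime.fromisoformat(ts), badge, kind, direction))
    return sorted(events)


def parse_visitor_log(text):
    """Return the sign-in sheet as {badge: {name, sign_in, sign_out}}."""
    visitors = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        badge, name, sign_in, sign_out = line.split(",")
        visitors[badge] = {
            "name": name,
            "sign_in": datetime.fromisoformat(sign_in),
            "sign_out": datetime.fromisoformat(sign_out) if sign_out else None,
        }
    return visitors


def reconcile(door_text, visitor_text, escort_window=timedelta(seconds=30)):
    """Return a list of human-readable findings; an empty list means the logs agree."""
    events = parse_door_log(door_text)
    visitors = parse_visitor_log(visitor_text)
    findings = []
    inside = {}     # badge -> entry time for everyone currently in the room
    escort_of = {}  # visitor badge -> employee badge that entered with them

    for t, badge, kind, direction in events:
        if direction == "in":
            inside[badge] = t
        else:
            inside.pop(badge, None)

        if kind == "employee":
            # An escort leaving while an escorted visitor is still inside breaks the escort rule.
            if direction == "out":
                for vb in [v for v, e in escort_of.items() if e == badge and v in inside]:
                    findings.append(f"{vb}: escort {badge} left at {t:%H:%M:%S} while visitor still inside")
            continue

        if direction != "in":
            continue
        # A visitor badge entering must appear on the front-desk sheet ...
        if badge not in visitors:
            findings.append(f"{badge}: visitor badge entered at {t:%H:%M:%S} but is not on the sign-in sheet")
        # ... and an employee must have badged in within the escort window (before or after).
        escort = next((b for u, b, k, d in events
                       if k == "employee" and d == "in" and abs(u - t) <= escort_window), None)
        if escort is None:
            findings.append(f"{badge}: entered at {t:%H:%M:%S} with no escort badge within {escort_window.seconds}s")
        else:
            escort_of[badge] = escort

    # Anyone still inside after the last event was never badged out.
    for badge, t in inside.items():
        findings.append(f"{badge}: entered at {t:%H:%M:%S} and never badged out")
    # Sheet entries the receptionist never closed out.
    for badge, rec in visitors.items():
        if rec["sign_out"] is None:
            findings.append(f"{badge} ({rec['name']}): signed in but never signed out on the sheet")
    return findings


if __name__ == "__main__":
    for finding in reconcile(DOOR_LOG, VISITOR_LOG):
        print(finding)
```

On the constructed data the escorted, signed-out visit (V0007) produces nothing, the unregistered, unescorted entry (V0008) produces two findings, and the visit whose escort left early and was never closed out (V0009) produces three. The point for the client is that none of these five can be found from a camera feed nobody watches or a sheet the receptionist forgot; they fall out mechanically once the door itself keeps a log.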
