Sister CISA CISSP

Feb 17 2010   2:58AM GMT

Beware the “Smoker Door!”

Posted by: Arian Eigen Heald
Tags: Adventures in Auditing, Data Center, Eigen's Rules of Thumb, Hardware & InfoSec, information security policy, Penetration testing, Physical Security, Start Laughing Now, Tools & Tricks of the Trade

When doing a physical security audit, there’s always the “security by walking around” phase. I find PCs with no screensavers, passwords under keyboards and keys labeled “server room.”

Consider the cigarette smoker. Every company has them. (Better, by far, than the cigar smokers, in my opinion.) Now that they all have to go outside, so as not to pollute everyone’s air inside, they tend to congregate in certain spots.

After having been shooed away from the front door (you DO shoo them away from there, don’t you?), where do they go to commiserate together and stay out of sight from management? Ideally, close to shelter (not wanting to stand in the rain) and the ability to get back in quickly (if the boss calls on the cell phone wanting to know where they are).

Today during a walk around, I headed for the break room to grab some coffee. I noticed a door leading outside directly from the break room. Hmmm, I thought, a perfect “smoker door!” I popped it open and looked down. What did I see?

The “smoker door” special rock! You know, the one that props the door open while the smoker grabs his “air time,” especially if there is no easy way to get back in.

Sure enough, there was no card reader so that the smoker could get back in, AND no other door in sight, either. Thus, the “special rock.”

Obviously, nicotine craving trumps physical security here. The front door has a sign-in sheet, cameras, escorts and access cards. The “smoker door” has none of these things. It faces the unsecured rear of the building: no chain-link fence, nothing, just the local woods.

If I were a pen tester, I’d grab a pack of smokes, walk around to the back of the building where the “smoker door” can be found, and hang out sheepishly holding a smoke until someone comes out. After that, it’s a matter of social engineering. I won’t wait very long!

So, what’s the simplest solution (other than hanging them up by their toes)? Add a keypad to that door. Get rid of the “special rock,” announce the keypad to all employees, and monitor the times that access there is used. It will give you some good information as to who uses that door and when.

If usage drops off, and/or another “special rock” appears, announce the intent to add a camera to monitor that back door. They’ll eventually get the hint. And the camera might just be a good idea anyway.
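As an added example (not from the original post), here is one way to do the monitoring the keypad suggestion calls for: summarize who used the door and when, pull out after-hours uses, and flag days where use falls off against the trailing average, which is the signal that the “special rock” may be back. The log format, the door name and the PIN holders are constructed for the example.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample keypad log (not from the post): "timestamp door pin-owner".
SAMPLE_LOG = """\
2010-02-01T10:02 rear-breakroom jdoe
2010-02-01T10:03 rear-breakroom asmith
2010-02-01T14:30 rear-breakroom jdoe
2010-02-02T10:00 rear-breakroom jdoe
2010-02-02T10:01 rear-breakroom asmith
2010-02-02T14:35 rear-breakroom jdoe
2010-02-03T10:01 rear-breakroom jdoe
2010-02-03T10:02 rear-breakroom asmith
2010-02-03T14:28 rear-breakroom jdoe
2010-02-05T22:41 rear-breakroom jdoe
"""

def parse_events(text):
    """Parse 'ISO-minute door user' lines into (datetime, door, user) tuples."""
    events = []
    for line in text.splitlines():
        stamp, door, user = line.split()
        events.append((datetime.strptime(stamp, "%Y-%m-%dT%H:%M"), door, user))
    return events

def who_and_when(events):
    """Uses per (user, hour of day): the 'who and when' the keypad is meant to show."""
    return Counter((user, ts.hour) for ts, _, user in events)

def after_hours(events, open_hour=7, close_hour=19):
    """Uses outside business hours on an unwatched rear door deserve a second look."""
    return [e for e in events if not open_hour <= e[0].hour < close_hour]

def daily_counts(events):
    """Uses per calendar day, with zero-use days filled in so a drop-off is visible."""
    if not events:
        return {}
    counts = Counter(ts.date() for ts, _, _ in events)
    day, last = min(counts), max(counts)
    out = {}
    while day <= last:
        out[day] = counts.get(day, 0)
        day += timedelta(days=1)
    return out

def usage_dropoff(daily, baseline_days=3, ratio=0.5):
    """Days whose use is below `ratio` of the trailing average: suspect a propped door."""
    days = sorted(daily)
    flagged = []
    for i in range(baseline_days, len(days)):
        baseline = sum(daily[d] for d in days[i - baseline_days:i]) / baseline_days
        if baseline > 0 and daily[days[i]] < ratio * baseline:
            flagged.append(days[i])
    return flagged
```

With the sample log, February 4 has no keypad use at all after three steady days and is flagged, while the single 22:41 entry on February 5 shows up in the after-hours list.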
