Good points. We tend to think in terms of clever, perhaps even "high tech", techniques. Asking something as simple as whether office or lab walls extend above the dropped ceiling, or whether sheet rock walls can be penetrated with nothing more than a box cutter with a sharp blade... not so much.
So story time : At uni, the association that was managing the cafeteria was moving a fair amount of cash. So, for insurance reasons, the cash had to be be stored in a safe, mounted to the wall, in a back office, with an armored door. This was done and the insurance company was satisfied. Now, that back office, was just drywall. So, the armored door was mounted on quarter inch drywall, and so was the safe. There had been known instance of drunk students just punching their way into there. One night, the place got broken into. The burglars apparently knew about the armored door, because they used some sort of breaching tool to enlarge the door frame and open it, then they ripped the safe off the wall. At no point was the dry wall ever attacked. I'm assuming they only figured it out after they got the safe that they could have kool-aid their way into the office. The insurance worked fine, and after inspection, still did not care about the drywall mounted door. Not sure what the moral of this story is...
Which is why you need to consider the risk assessment when implementing mitigations. Lab full of unique IP... you are probably more concerned with covert access. Office with a petty cash drawer and some computers, but nothing special, you're probably more concerned about the broken window/kicked in door for a smash and grab. The risk assessment and a cost benefit analysis should inform the mitigations put in place. If it is a rare risk but easy and cheap to defend against you might decide it is worth doing.
That Red Team'r on the left should be paying more attention to the Blue Team'r in front, rather than checking his phone for TNSCE updates! Even his colleague to the right seems rather annoyed with his disregard for the tour! Another very thought provoking video and makes me wonder whether a Red Team + Blue Team concurrent approach to physical & cyber pentesting as part of a Threat Management evaluation is the way forward for most companies. This approach might also help ameliorate the 'blame' (directed or perceived) that might be explicit in the Red Team report. Working together : BT-RT in harmony? Unthinkable?? Maybe not such a controversial concept for us all to consider... Thanks for a brilliant video.
With a smash and grab, I'd check there were no acoustic break glass detectors, then if all was clear, put a jacket over the affected area to muffle the sound of breaking glass from any personnel in the building. But first, I'd actually 'check the door', the number of times staff just leave doors unlocked or override HID tech is amazing. Oh, and on the subject of Balaclava's - hey, ugly models gotta work too.
I'd be curious to hear the argument for the use of pen-testing. From a defender perspective, I want every layer to be effective. But if I build a very tough outer layer, the pen tester is going to be caught early and I won't get any feedback on the inner layers. Also, the pen tester's success/failure could be a fluke which is not representative of the layer's security. For instance, maybe a guard was particularly alert one day. Or maybe they got sick and you caught them on their off-day. So if you bypass the guards using social engineering, did you demonstrate a persistent problem that can be remedied? And if the guard sees through your pretext, can you conclude the guard is good at their job? (Maybe you're the one have an off day...) Basically, pen-testing seems like a ton of fun, but I'd love to see a rigorous exploration of the benefits.
Respectful and covert. A site assessment usually highlights basic straightforward issues, probably mostly physical site security problems. A pen test highlights more sophisticated methods people can use to gain entry and possibly steal company property. Pen tests are vital for high security facilities.... All my opinion of course...
What's the advantage of doing a pen test over just having the potential pen tester walk with the blue team on the outside permimeter, point at all the potential first steps of the attack chain. Then, the blue team walks them to the next step and they point at all the potential second steps of the attack chain and so on and so forth?
This was a really solid video. I've been interested in this type of stuff for about two years, but really haven't deeply considered the differences between what a pen tester is allowed to do, and the lengths that a criminal may actually go to. It's crucial to be able to identify those types of threats and vulnerabilities. Question to you pen testers out there: If you were doing a typical physical covert entry job (with a scope that allows for bypassing doors but not destroying property, etc.) would you still be thinking about these kinds of vulnerabilities and including them in your reports? Or would you focus exclusively on the things you can / would do in that situation?
Yes. Exactly. Just the way certain people are freaked out about how easy it is to pick ABC or XYZ locks. I watched an undercover video of locksmiths and how some are unprofessional and unscrupulous. The majority of LOCKSMITHS could not even pick their way into easy locks that had pins removed to make them even easier. (CBC NEWS LOCKSMITHS UNDERCOVER on RUclips. ) People get focused on wrong aspects. They can only see from their own limited POV. That is why I like this channel.
![[76] Understanding your threats: Opportunistic Criminals](http://i.ytimg.com/vi/GheRPmUzSuA/mqdefault.jpg)
![[76] Understanding your threats: Opportunistic Criminals](/img/tr.png)
![[60] I was Hired to Legally Break into a Company](http://i.ytimg.com/vi/4pD3AYYKbZg/mqdefault.jpg)
![[61] Covert Entry Tool Tierlist](http://i.ytimg.com/vi/7FullVIDj9o/mqdefault.jpg)
![[58] The Red Team Tactics of Among Us](/img/1.gif)
Good points. We tend to think in terms of clever, perhaps even "high tech", techniques. Asking something as simple as whether office or lab walls extend above the dropped ceiling, or whether sheet rock walls can be penetrated with nothing more than a box cutter with a sharp blade... not so much.
The stock photos... I can't even with the stock photos! 🤣
So story time :
At uni, the association that was managing the cafeteria was moving a fair amount of cash. So, for insurance reasons, the cash had to be be stored in a safe, mounted to the wall, in a back office, with an armored door. This was done and the insurance company was satisfied.
Now, that back office, was just drywall. So, the armored door was mounted on quarter inch drywall, and so was the safe. There had been known instance of drunk students just punching their way into there.
One night, the place got broken into. The burglars apparently knew about the armored door, because they used some sort of breaching tool to enlarge the door frame and open it, then they ripped the safe off the wall.
At no point was the dry wall ever attacked. I'm assuming they only figured it out after they got the safe that they could have kool-aid their way into the office.
The insurance worked fine, and after inspection, still did not care about the drywall mounted door.
Not sure what the moral of this story is...
The moral is that the letter of the law is more important than the spirit, especially if you want to c your a.
The moral is that you should get insurance.
Very informative thanks for this video, cheers
Which is why you need to consider the risk assessment when implementing mitigations.
Lab full of unique IP... you are probably more concerned with covert access.
Office with a petty cash drawer and some computers, but nothing special, you're probably more concerned about the broken window/kicked in door for a smash and grab.
The risk assessment and a cost benefit analysis should inform the mitigations put in place. If it is a rare risk but easy and cheap to defend against you might decide it is worth doing.
After hours? It's a drop ceiling, so you could go over then just lock the doors on the way out. Sure, it'll take longer, but it's another idea.
It depends if its fire protected. Some rooms have solid walls that continue up to the ceiling through the drop ceiling
That Red Team'r on the left should be paying more attention to the Blue Team'r in front, rather than checking his phone for TNSCE updates! Even his colleague to the right seems rather annoyed with his disregard for the tour! Another very thought provoking video and makes me wonder whether a Red Team + Blue Team concurrent approach to physical & cyber pentesting as part of a Threat Management evaluation is the way forward for most companies. This approach might also help ameliorate the 'blame' (directed or perceived) that might be explicit in the Red Team report. Working together : BT-RT in harmony? Unthinkable?? Maybe not such a controversial concept for us all to consider... Thanks for a brilliant video.
With a smash and grab, I'd check there were no acoustic break glass detectors, then if all was clear, put a jacket over the affected area to muffle the sound of breaking glass from any personnel in the building. But first, I'd actually 'check the door', the number of times staff just leave doors unlocked or override HID tech is amazing.
Oh, and on the subject of Balaclava's - hey, ugly models gotta work too.
I'd be curious to hear the argument for the use of pen-testing. From a defender perspective, I want every layer to be effective. But if I build a very tough outer layer, the pen tester is going to be caught early and I won't get any feedback on the inner layers. Also, the pen tester's success/failure could be a fluke which is not representative of the layer's security. For instance, maybe a guard was particularly alert one day. Or maybe they got sick and you caught them on their off-day. So if you bypass the guards using social engineering, did you demonstrate a persistent problem that can be remedied? And if the guard sees through your pretext, can you conclude the guard is good at their job? (Maybe you're the one have an off day...)
Basically, pen-testing seems like a ton of fun, but I'd love to see a rigorous exploration of the benefits.
Respectful and covert. A site assessment usually highlights basic straightforward issues, probably mostly physical site security problems. A pen test highlights more sophisticated methods people can use to gain entry and possibly steal company property. Pen tests are vital for high security facilities.... All my opinion of course...
What's the advantage of doing a pen test over just having the potential pen tester walk with the blue team on the outside permimeter, point at all the potential first steps of the attack chain. Then, the blue team walks them to the next step and they point at all the potential second steps of the attack chain and so on and so forth?
Thanks. What do I do once I’m in the server room? That’s where I like to hańgout due to the a/c!
@@ts757arse : lol. Yeah, I guess that would really fu@k them up.
This was a really solid video. I've been interested in this type of stuff for about two years, but really haven't deeply considered the differences between what a pen tester is allowed to do, and the lengths that a criminal may actually go to. It's crucial to be able to identify those types of threats and vulnerabilities. Question to you pen testers out there: If you were doing a typical physical covert entry job (with a scope that allows for bypassing doors but not destroying property, etc.) would you still be thinking about these kinds of vulnerabilities and including them in your reports? Or would you focus exclusively on the things you can / would do in that situation?
I would think this would be done first then a pen test to gauge effectiveness.
Are "kool aid man"-level of destructiveness pen tests ever held?
Ohhh Nooooo. ☹
Yes. Exactly. Just the way certain people are freaked out about how easy it is to pick ABC or XYZ locks. I watched an undercover video of locksmiths and how some are unprofessional and unscrupulous. The majority of LOCKSMITHS could not even pick their way into easy locks that had pins removed to make them even easier. (CBC NEWS LOCKSMITHS UNDERCOVER on RUclips. ) People get focused on wrong aspects. They can only see from their own limited POV. That is why I like this channel.
this is what all criminals look like trust me I'm an expert... Brilliant.
Most criminals wear a ski mask at all times, this is a known fact
Why am I subscribed to this channel?