BSidesSF 2018 has ended
Sunday, April 15 • 2:45pm - 6:00pm
Fundamentals of Corporate Physical Access: Attack Surface and Approach


There are many sessions and spaces that teach skills to attack locks, but few focus on the electronic side. Fewer focus on the overall organizational environment and what might be encountered – culture, policy, architecture. Heading into an engagement with a medium to large enterprise, you need to have a solid understanding across a wide spectrum or the path chosen likely won’t be the most effective one. 
This session will take a different approach. It will focus on the reality of how physical security programs, people and systems operate, with an emphasis on understanding the broad attack surface. We’ll review how physical security practitioners view and classify the assets they’re protecting and the practices they employ to build controls. 
Then we’ll look at it from two aspects – mechanical and electronic. 
Part 1: Electronic
Physical security doesn’t subscribe to information security principles and as a result, the systems, culture, policies and processes are very different. Not necessarily in a better way, but different enough for most people to make false assumptions that cause significant blind spots for red teams. This session will break down what real enterprises “look and smell like” to set the table for understanding the fundamentals of what you’ll be walking into. 
Hacking an RFID badge to gain access may work, but what about when it doesn’t – there are other ways to break the badge without actually ever targeting it. Therefore, we’ll cover the holistic architecture of a typical Fortune 500 company, from control systems to door readers and everything in between. We’ll discuss how each component is architected, its range of configuration and its shortcomings. We will review aspects of social engineering and logic manipulation (or policy and process). We’ll discuss a fairly large attack surface across and in combination between all of them. Last, we’ll review what should be in a report, the best way to approach delivering findings to this audience, and an overview of the fundamentals of remediation. 
Technologies: Access control systems, controllers, reader models and configurations, badges, badge technologies and payloads, Cameras, VMS, Alarms. Assessing opportunity. 
Program Management: GSOC operations, system operations, process, policy, supply chain of custody, vendor practices
Social aspects: Areas to exploit in and outside the target, barriers.
Industry Direction: Variance of legacy and new technology being deployed. Impact on methods and areas of opportunity. 

Part 2: Mechanical
Mechanical locking systems are as old as the pyramids, and there has been very little in the way of innovation, regardless of the marketing you see online or in print. There have been a variety of variations and a flurry of patents, and the last decade or so has seen an explosion of almost every brand of lock providing an electromechanical component that provides extra layers of security, but what does that mean at scale?
That said, there are countless ways to go about defeating electro/mechanical locking systems, such as direct bypass, picking, cloning keys (through photographs, obtaining key codes, impressioning (filing/clay), etc.), bespoke (discreet precision tools that start at 5k and up), digital attacks, or just plain circumventing the systems altogether by attacking the infrastructure around the system. The problems with each of these methods change as you scale. 
What works in a residential setting, a small/medium business, etc. is very different from what works in large enterprises because of the culture, policies, and procedures in place, which may limit or give you different opportunities to access privileged areas.

We’ll cover master key systems, low to high security locking systems, common flaws, when you should skip certain systems during an audit, and how you can often find other ways to reach your objectives. Many of the techniques from Part 1 will apply to circumventing these technologies. Lastly, we’ll cover what should be in your report and remediation strategies.

Terry Gold

Principal Analyst, D6 Research
Terry Gold has spent nearly 20 years at the intersection of information and physical security and is recognized as an authority in the enterprise community regarding physical security attacks and real-world applied remediation. He’s the founder of D6 Research where he focuses on cause...

Eric Michaud

CEO & Founder, Rift Recon
Founder and CEO of Rift Recon, previously Director of Hardware Curation at ExploitHub, and Computer and Physical security at Argonne National Laboratory. Michaud has advised on physical security, computer security, lockpicking, and hackerspaces for over a decade. He is a professional...

Sunday April 15, 2018 2:45pm - 6:00pm PDT
City View - Twin Peaks