I highly recommend to all my readers to check out my fellow Texan Ole’ Painless’ site Box O’ Truth for very practical penetration testing.
Remember: Gunfights never happen where you want them to!
Better Security through Penetration Testing
My book, Red Team: How to Succeed by Thinking Like the Enemy, provides the first in-depth investigation into the work of red teams in the military, intelligence, homeland security and private sectors, revealing the best practices, most common pitfalls, and most effective applications of their work. Below is an adaptation.
In the course of conducting interviews for my book, Red Team, I unintentionally broke into an allegedly highly secure government building. After initially failing to obtain a meeting with a senior official in a government security position, I requested that a mutual acquaintance pass along a short e-mail, from a Gmail account, describing my research project and questions that I hoped to ask. Weeks later, an administrative assistant reached out to me and let me know that this senior official had agreed to meet me in person. The administrative assistant and I spoke over the phone to arrange a time the following week, mid-morning at the senior official’s office. The assistant then sent me a confirmation e-mail with the location, different transportation options to get there, and a reminder to bring my government-issued ID.
The office building was a highly secure facility, set back more than a block from traffic, and ringed with blast walls, a series of controlled-access points, armed guards, surveillance cameras, and metal detectors. Once past the access points, visitors are required to show their IDs, have scheduled a meeting that appears in a shared internal database, get their photograph taken, receive a visitor’s photo badge that is always supposed to displayed, and, finally, have an employee escort them through the hallways.
After arriving five minutes late, I was waiting in a long line to pass through a metal detector when a security guard answered a phone call and then shouted a close approximation of my name. I stepped out of line to answer, and before I could say anything, she said, “Oh you can go ahead, they are waiting for you upstairs.” I walked to the front of the line, thinking that I still needed to be screened, but she simply waved her arm and declared, “No, no, you can just go around and head on in.” Next, I approached a front desk, which several armed guards stood behind, to show my passport, get my picture taken, and receive my badge. Before I got to the desk, a young man — likely an intern — asked, “Are you Zenko?” After I nodded affirmatively, he replied, “Okay, let’s go.” Not only was I never asked to show my ID, checked against the internal database, or provided a badge, but, before the young man and I walked away, a guard behind the desk handed me a slip of paper that mysteriously read: “SCREENED.” I placed it in my pocket. We then took the next available elevator to the senior official’s office.
Read the Remainder at Medium