Hello, DEF CON Lockpick Village. Super excited to be here. This is my talk, Doors, Cameras, and Mantraps, Oh My, an overview about the ins and outs of physical security risk assessment. If you are curious about pursuing this as a career option, you are in the right place. If you want to learn about lockpicking, I'll mention some sources that can help with that later on in the talk.

Here is a quick intro. I am the Magician, or Dylan, whichever you prefer. I am a member of The Open Organization Of Lockpickers in Orlando. I am a security consultant with GoldSky Security. I teach cybersecurity at the University of Central Florida, Go Knights, and I am an overall security enthusiast. This is really a hobby for me, as much as a career.

What I do is straightforward. I explore client sites with the defenders in tow, so I can demonstrate for them any physical security vulnerabilities I spot. Bringing the client defenders with me allows for a teach-back while on site, instead of solely in our report. It is an absolute blast. This mostly summarizes the process: I show them the vulnerability and I tell them the mitigation.

So what are we going to discuss in this talk? This is not a lockpicking or how-to talk. This is more a talk about the processes and procedures, mostly about what we look for and how we relay the information to the clients. I will cover physical security controls, key questions I ask my clients, and how I go about educating the clients about risk mitigation. At the end, I'll talk about how to approach this field.

Physical security controls start with the front door, I think. So I want to start with doors and windows. There are a lot of mechanical components to doors, but here's a short list I tackle. Do perimeter doors have the hinges exposed to the outside? Those hinges can be exploited. Can I slide something between the latch and the strike plate to pull the door open without a key or combination?
Can I get tools over or under the doors to manipulate the door handles? If I run across double doors, can I manipulate crash bars? Those are the bars that go across the middle of doors that you can kind of push open with your hip, so you don't need to use a knob or a handle. These are all resolvable exploits.

While some windows can be opened or manipulated in similar ways, they offer different challenges. In a lot of office spaces, some clients don't have policies about shoulder surfing, or looking over the shoulder of a user to obtain information. This is a physical security risk. If someone is trying to establish a good time for physical entry, maybe just what PC operating systems are being used, or even information as simple as what browser type a particular company is using, looking through a window is really low effort. This clip, by the way, is very much not a risk model my clients have ever asked me to test.

The next physical controls are fencing and bollards. Both are passive and require little maintenance in most cases. Even though some folks are scratching their heads about what bollards are, don't worry, you've seen them before. Fencing is obvious. Maybe folks have them in their homes, or at work maybe. Fencing establishes a clear perimeter and, if locked, clearly sets an expectation of limited access. It would take a heck of an improviser to explain to a guard why you are walking around a parking lot or building at a locked and closed facility. It's also near impossible to scale a fence in most environments without attracting attention, unless in a very rural location.

You have all seen bollards before. They are the reinforced obstacles that prevent the use of a vehicle as a battering ram to create a point of entry in an otherwise defended structure. This is a very fancy hydraulically assisted version, but here we are at a Target. Remember when we used to go to Target in 2019 for groceries? Those were the days.
In front of the store, these steel-reinforced concrete spheres are not just to look cool. They actually prevent people from running their cars into the glass doors to gain access in off hours to steal random stuff. It's a pretty simple passive risk mitigation, I think. Cool bonus: I just find it fun to say bollards.

Next up are mantraps. This is a super cool concept. Mantraps are completely underutilized. Sure, it's a challenge to get people through them. You'll understand why a flow of people can be interrupted in a moment, but I think they are really awesome. Many banks have them, and after seeing the next slide I'm willing to bet a few of you are going to be sitting at home saying, holy cow, I've totally seen those. This is a great scene from the movie Sneakers, my personal favorite hacker movie. The lead character, Bishop, walks through a glass sliding door after using a magnetic stripe reader. The door closes behind him and another door is in his way that uses a biometric reader. Now he has to get past that. Super neat control that I would love to see in more places.

Cameras are a great security control for several reasons. If you have the means, I encourage you all to grab some Power over Ethernet or Wi-Fi cameras and try hacking them. Cameras are in most businesses and some homes now. If you have the funding at a job site, you can even have your cameras actively monitored in a SOC, or security operations center. Lots of small to mid-sized businesses just record video and reference it in incident response if something goes wrong, for forensic purposes. Video is easy to store, and you could find out who took company property, maybe after they got terminated, or who was negligent in some security policy. There are many technologies in the world of cameras, but I firmly believe that Wi-Fi cameras specifically are a poor choice. Please reach out for that soapbox rant if you like.
A fun fact about a lot of security cameras is that often they aren't even powered on at job sites. Because I love surveillance cameras and have several to tinker with at home, my oldest son has developed a curiosity around them and likes to point them out when we are at theme parks here in Orlando. He can quite accurately count the number of cameras on the walk up to a structure. Would you have seen the two massive dome cameras on top of this archway at Universal Studios Florida if I had not put boxes in this photo? Heck, I can hardly even see them with the boxes, but I assure you, if you go to Google Maps they are there. Go check it out.

For electronic access I am going to do a very light touch, because it is quite a dense topic. Most of you are in an office environment and have some token that grants you access. A radio frequency ID badge that you wave in front of a reader that opens a magnetically sealed door might be your front door. A PIN code that is shared among employees and janitorial staff might get you into privileged rooms. Maybe a fingerprint even unlocks the laptop at your desk. Grocery stores even have electronic sensors that know when someone is there, detect motion, and open for you. All of these things can be exploited or copied in some way. I personally am one of the many cyborgs in the hacker community. I got an implant from Dangerous Things last year and can clone radio frequency ID badges to my hand, and I use that to educate clients about the importance of cycling the guest badge, so that way someone can't take that badge number and then come back with it and let themselves in.

Next I want to talk about how to speak to clients in a productive way. What is your personal area of concern? In other words, ask a client what on earth they care about. I've demoed a parking lot to server room break-in in four minutes and had a client shrug their shoulders. Their dollars were in a manufacturing area in another, more secure location.
Ask your client what they want you to put time into. Being efficient is a good way to get repeat clients in a role where often you're billing hourly. Don't miss any doors. There is no shame in verifying with a client that you have tested the entire perimeter. Ask which doors get the most traffic and which get the least. Some doors may have super beefy security, while another, maybe a smoking area door, has people flowing in and out of it throughout the day and has less security, favoring convenience. Those are good doors to test a tailgating attack, where you try and walk in behind an employee.

Because you truly are a guest in the scenario of being a security risk assessor, you can test guest access policies firsthand. In some cases, if it is in scope, meaning if the client has agreed to it ahead of time, try entering the client premises and asking to use the restroom, then see how far you can get into the building unattended. If you show up and notice a robust check-in policy, maybe with a photo and temp badge, great. That is often not the case. Do you get an escort? Also a bonus. Can I keep an RFID badge and replay it when I come back next year for an assignment? Not ideal, but I've seen that before. Do you get watched like you're a suspicious hacker in a hoodie, or is there instant trust once you've made it past the perimeter? Final fun thing to look for if you get a guest badge: where can you get in the building? You might be surprised to find yourself in a CEO or CFO office if you're lucky.

Here we see some extremely robust guest security policies in action. Armed guards are monitoring a guest who is also restrained and has their tools confiscated temporarily. Someone in security operations hands the guest off to a person of authority, who is also armed, for the purposes of communication. This is a bit much, but similar procedures are not unheard of in a military or DOD establishment.

As a social engineering enthusiast myself, this is a huge topic.
Entire companies are dedicated to just educating and empowering employees to act as part of the security team for a company. Here are quick points on the matter. Gamify your security training. A traveling trophy can go on the desk of the person with the least clicks on email phishing one month, or maybe someone else who always locks their computer when they head to the break room. Be creative. Let employees know that they're an integral part in the security of their company and that they can be the first line of defense. Every employee is part of the security team.

As a social engineering enthusiast, this is equally important. You want to make sure you're establishing rapport with your clients. You want them to want you to come back. Constructive criticism can be done in a very positive way. While there have been tons of talks about how to exploit mechanical components of physical security, there have been just a few that cover the specifics of educating the clients on how to go about resolving the exploits that you've demonstrated on the job. Constructive criticisms are the way to go. A positive focus is absolutely critical. Directed or accusatory verbiage is never productive. Saying things like "this is so bad" or "I can't believe you set it up this way" needs to be replaced with "we have some good opportunities here for improvement." Simple phrasing can mean a huge world of difference. Also, leading a client to come to their own conclusions through education and demonstration will work wonders for client morale.

Here is the show and tell part. This really is my favorite part of the job. Showing the defenders vulnerabilities on site is immensely fun and can have an extremely positive impact. Telling someone you can bypass a door versus showing them how has a huge difference in the likelihood that a mitigation will be implemented. This step in the process also gets the most heads popping into the room. It gets people excited about the security of their company.
I have yet to run across a group of employees that doesn't show interest in an under-door tool or a latch slip.

This is pretty big. This is all about soft skills and keeping people calm in an otherwise stressful environment. Fear, uncertainty and doubt have no place when you're trying to be productive. You want to avoid saying things like "oh, this is bad" or "you've done this incorrectly." Instead be inclusive and positive: "we can fix this, no big deal." Make sure that you're explaining things, not just telling them. You don't want to just send an email with resolutions. You want to actually have a human conversation. This is pretty much the best explainer of fear, uncertainty and doubt and why it can damage a client relationship. Fear is not a good motivator to get risks mitigated. Educate and empower. Never belittle or disrespect.

Provide some means for clients to reach out to you. Don't be out of touch. A reputable company should provide you with a company email and, if you're lucky, a company phone number. This can separate work and home, and keeping a work-life balance in this particular career field can be challenging at times. Make sure to also set expectations about when you can be reached and how long it may take for you to respond.

I feel education is the most important aspect of hacking and security. That's not to say that a four-year degree or anything like that is needed. Kudos if you're going that route. The different approaches to learning are varied, but here are a few. Podcasts, YouTube and Udemy were big wins for me personally. If you want to get into lockpicking or just see some jaw-dropping feats of lock exploits, then look no further than LockPickingLawyer. The content on his channel is consistently enjoyable and never stale or boring. If you are an auditory learner, then podcasts are fantastic. Darknet Diaries is amazing, with great storytelling and incredible guests. The lessons learned are valuable and always come in an entertaining package.
If you want to direct your attention at certification to prove you know a specific skill set, then Mike Meyers on Udemy has, I personally think, the best online content for CompTIA Security+ and Network+. He does cover some physical security content in the Security+ lecture, and he does it in a very fun way. These three are Bill Nye-level explainers, for those of you who are old enough to remember Bill Nye from the 90s.

While not everyone learns from books, I know I certainly can, specifically if the content is fascinating to me. I tried to trim this down to a short list that I can recommend for everybody. Social Engineering: The Science of Human Hacking by Chris Hadnagy is a very professional and comprehensive guide to social engineering, if you want to learn more about that kind of engagement. Practical Lock Picking by Deviant gives you a more complete understanding of locks, not just how to pick them. The Art of Deception by Kevin Mitnick is super famous, and if you haven't read it, you really should. Although, I will mention that Chris Hadnagy's book is more of a scientific and professional approach to learning about social engineering. What Every BODY Is Saying is very useful for reading people. This is helpful in everyday life as well as on the job. Just like previously, I wanted to throw in something strictly for those aiming at certifications. I really am a huge fan of anything and everything under the Exam Cram brand. I really think they portray the information in a way that's very easy to absorb.

This was a big topic for me, and I hope to emulate those who helped me and pay it forward, so to speak. Approach professionals and listen to talks. Be courteous. These people are busy and have their own lives. That consideration aside, security professionals are people and like to share their experiences. I have received an amazing amount of support from the security community and wanted to list folks who were large influences for me.
I encourage you to pore over previous DEF CON talks and find individuals who share your personal mindset and speak to you specifically. Use the knowledge shared in venues like this to build an even stronger community of sharing. While I know I am biased as an instructor, I recommend taking guided courses if you are able. Here are some I personally plan to attend as soon as we are able. You can learn physical security, social engineering, or really anything you like in a course guided by a professional in the field. A textbook will never have all the answers. Being able to raise your hand and ask the "what if" and "what about this" type of questions is hugely valuable.

Since we are all at DEF CON, you all have already nailed this, so well played. Attending events and local meetups is a great way to meet new people and network. The people I have met in Orlando through meetups and events have truly driven my career. I was able to learn all the skills I couldn't practice because either I personally did not have the tools or the content online didn't quite break things down well enough for me. Just getting introduced to people that could help me understand things between the lines of textbooks was awesome. Huge shout out to the folks at Citrus Sec in Orlando and DC407.

If you see your city on the list, then that means there is a chapter of The Open Organization Of Lockpickers in your town. I encourage you to reach out to your local TOOOL group and meet some cool people. If you don't see your city, good news: you can now start a chapter in your town and find people that are into physical security. The Open Organization Of Lockpickers, or TOOOL, has been amazing to me and I love being a member.

Second to last slide, I promise, but I want to say thanks to my family and friends. Mostly my wife and kids. Thank you for understanding when I disappear into my lab for hours at a time for random projects. Thanks, Orlando hackers, for just being total class acts.
I want to thank TOOOL for providing me an unbelievable networking opportunity and the ability to practice hands-on with locks and tools I would never have seen otherwise. Thanks, GoldSky Security, for the opportunity to learn and grow in an incredibly supportive environment. DEF CON, thank you for having me. This event is so special, and to the hacker community at large: keep being curious and keep pushing boundaries. I love helping people who are getting started or maybe who are stuck on something. Feel free to reach out. I might take a bit to respond, but I will do my level best to help. This was a lot of information in a short amount of time, so if you want clarification on something, I am at 31337magician on Twitter, and here is my LinkedIn if you prefer that channel. Thanks for listening to my talk. That's all I have on this topic, but feel free to reach out if you want to have anything answered that you're still curious about. Have an excellent day and enjoy DEF CON.