Despite all the firewalls, antivirus software, and VPNs, most companies and government agencies just aren't as safe as they think they are.
And the problem isn't necessarily with the technology. The problem, it turns out, could be as simple as the locks on the doors.
That's the warning coming from Marc Weber Tobias, an investigative attorney and security specialist out of Sioux Falls, S.D. Tobias has long been warning consumers and security professionals that the locks securing their buildings, data centers, and even their personal offices may not be up to the job. He again will be issuing a warning at the Hack in the Box Security Conference 2007, which is running from April 2 to 5 in Dubai.
"Security is the whole package, but it starts with the locks," Tobias said in an interview. "IT people are really, for the most part, ignorant about locks and physical security issues, even though they're handed that responsibility. IT is core to every business, so IT managers really need to understand about locks. And they don't."
Tobias calls mechanical locks the first line of any organization's defenses.
The security specialist has been traveling the world demonstrating how easily pin tumbler locks can be compromised. Pin tumbler locks use pins of different lengths to keep the lock from opening when the incorrect key is used. Many locks, including padlocks and many door locks, use this mechanism, which Tobias said can be bypassed using a technique called "bumping."
All it takes, he warned, is a key that fits in the lock and a mallet. With one whack, the inserted key will trip the pins and the lock will open.
"Ninety-five percent of the conventional pin tumbler locks in a company can be opened in seconds," Tobias said. "If you've got responsibility for protecting your infrastructure, the first thing you should think of is how to keep people out physically. You have to keep people out of the critical rooms whether they're outsiders or your own employees. What happens if your infrastructure is compromised? How much of a disaster would it be?"
Tobias pointed to the rising number of laptop computers stolen from companies and government agencies, including the Veterans Affairs Department and the FBI. The first step to preventing these kinds of thefts, he said, is to secure the buildings and the rooms where the machines are kept.
"Are people worried about someone stealing their computers? Of course they are," he said. "Why do they have locks on their doors if they're not actually going to keep people out?"
Tobias recommended that IT and security managers familiarize themselves with the physical locks in their facilities and find out how easy it is to compromise them. Read the standards. Ask the lock vendors pointed questions. Do research on the locks in use, as well as replacements that would be more secure.
"You're not as safe as you think you are," Tobias said. "If you're Wells Fargo or a major server farm, then you need to know what the hell you're talking about and what can be compromised and what can't."