Back to the failure - Did your physical security really evolve in the last 40 years?
10-24, 09:00–09:30 (Europe/Luxembourg), Europe - Main Room

There was a time when computer security was not a thing. A time blessed by wannabe hackers, when sensitive facilities were just wide open because, seriously, who would really attempt to hack into a research or leading industry system? This was a long time ago... or was it? What if I told you there is a whole branch of information security which still happily lives in this stone age?

In this presentation we will see how this mindset still survives nowadays in the physical security realm. We will see how the very same mindset leads to the very same errors, false beliefs, and often very expensive false sense of security. A realm which should be blessed by today's hackers, as doing tourism in so-called "highly secured" data centers and industrial sites is just so much fun, and a mindset which should be avoided by those responsible for such sites who actually care about their security.

Part of our job is to do physical pentest assessments on those "secure" facilities, which usually spend huge amounts of money on various security bells and whistles: from the concrete wall topped with shiny barbed wire up to highly technological access control, intrusion or theft detection systems such as biometric sensors and mantraps, all of it surrounded by hundreds of surveillance cameras and 24/7 on-site security teams. Too often I encounter the same dated mindset, where all these features are actually designed by vendors to impress honest people (starting with the facility owners themselves) without effectively taking the offensive mindset into account. The consequences vary, but usually end up with our teams getting uninvited free access to the target's most critical area, with just $30 worth of tools, untroubled by all this costly equipment and without actually being noticed by anyone.

The real issue here is not money, it is the mindset: the same security mindset that has been built over the last decades in the cyber world and is, more often than not, totally lacking in the physical realm. The goal of this presentation is therefore to raise awareness about this situation. By comparing obsolete IT habits from the early 2000s with current physical security practices, we will see which kinds of vulnerabilities are often encountered, how they could be exploited, and how they should be prevented.

Pentester at Synacktiv.