BCS Lecture Series: Physical Security in IT

This month’s lecture was delivered by Thomas Hackner, from the University of Applied Sciences, Hagenberg, Upper Austria.

It was certainly an interesting talk, he covered the various standards (ISO 27001:2005), and pointed out a few case studies, and points often over looked. This was then followed up with a demonstration, and “practical” showing lock picking.


  • Electronic door access systems often just control the door latch, rather than the deadbolt itself.
    • this means that typically, it is possible to circumvent the latch using a piece of plastic. Most systems will also not log door openings, leaving such entrances undetected.
  • Entry systems that use PIN code systems should be changed regularly, otherwise it will eventually be obvious to a casual visitor what the code is.
  • There is usually a simple to identify weakest link in a Physical system, much like any other system.
    • an example given was an industrial fridge in student accommodation in Austria. To open the whole fridge it was secured by a much simpler lock than the individual compartments.
  • People generally disclose more information over an internal phone system.
    • this is most likely because they assume you are trusted for using it.
  • In a report in 2008, the Financial Services Authority found that 10/39 small and large companies in the financial industry had basic lapses of security.
    • in most cases they had implemented solutions like CCTV, and PIN code access on doors, but simply left those doors open, for example.
  • Other examples highlighted oversights such as:
    • access to server rooms with visitor passes
    • keypad entry systems, but leaving main doors open
    • in companies where they had been implemented, 8/10 of the employees questioned had no idea, or only a cursory understanding of a clear desk policy.
  • Another example given was of an Airport in Rome which had no security overnight. This meant that someone was able to walk through the airport, potentially planting banned objects.

In Conclusion

Overall, it was a good talk. The examples showed where people often overlook potential security policies, and the relevance of physical penetration testing. On display where Practical Lock Picking: A Physical Penetration Tester’s Training Guide and Unauthorised Access: Physical Penetration Testing for IT Security Teams which should hopefully stir on my initial interest further.