36 CHAPTER 2 Low tech vulnerabilities: Physical security

most common problem that we find. This is a serious problem, in that it defeats the purpose of the dead bolt feature of the lock. It takes me less than a second with my trusty fingernail file to see if a particular lock (bolt) has this problem. If it does, I'll know (and have the door opened) in a few seconds.

Use employee badges

I know these can be faked, but I still think that it is much better to have some form of visible identification worn by every employee at all times. Most of the companies that hired us did not have a policy requiring employees to wear their corporate ID badges all of the time. This made our social engineering attempts much easier. Once we were inside the buildings, it was as if everyone just took it for granted that we belonged there. Not only were we inside their buildings, but we were also inside their firewalls and intrusion detection systems.

Employees can be trained, at least to some degree, to detect fake ID badges. I was working for a large company that did require employees to always wear their ID badges when they were on company property. This was back in the days when color printers were just starting to show up in homes and offices. I created a fake ID that was intentionally made without any thought of quality control. The first time I wore it into the building instead of my real ID, I suspected that I would be stopped immediately and questioned about it. This was a security project, so I was prepared to explain myself. To my amazement, I never had to explain anything because it was never questioned. For the next three months, I wore it everywhere and not one person noticed it. During one of our security meetings, I told everyone in our group about my little experiment and most people were quite surprised that it was never detected.

Part two of my experiment had the most interesting results. I created a picture showing my two personal employee badges side by side. The fake one was quite obvious when seen next to the real one. We began to teach people how to take a slightly closer look at the badges that people were wearing as they walked through our buildings. From that time forward, I only wore my fake ID when I was conducting security awareness training for a group of employees. I was amazed at the number of my friends who had been through a version of the training and would spot the fake ID as I was walking past them on the way to another training class. Some would spot it from 10 feet away. These are the same people who didn't even notice it when they sat in my office just 3 feet away prior to being made aware of the threat. AWARENESS TRAINING WORKS!

Shredder technology keeps changing as well

As with everything else these past few high tech years, shredder technology has changed considerably. Our team had gotten really good at putting strip-cut papers back together again years ago. We used to take bags of strip-cut documents that we found at the client's site back to our office during the test. Frequently, the bags of shredded documents were sitting outside in or near a dumpster where we simply