Chapter 3. Executing Tests

There are no secrets better kept than the secrets that everybody guesses.

—George Bernard Shaw

I'd like to open this chapter with an example of how not to implement security. I'd been working at a client site performing a (non-physical) security audit. Despite the fact that the team was screened and cleared before being allowed through the door (this was a government client) we had to sit through four additional hours of screening procedures. When this was complete, our electronic equipment (including laptops and mobile phones) was confiscated and we were locked in the room where we would be working. By locked, I mean you needed a proximity badge to get in and out and we didn't have one between us. If at any time we wished to leave the room (for instance to use the bathroom), we had to call our Point of Contact (PoC) on a landline. The problem was he never answered.