File Cabinet (In)Security

I have been toying with lock bumping since it became a national hot item a few months back. If you have not heard about it yet, check out the basics here.

OK, so a lot of this is overblown and the hype is pretty high to cause Mom and Pop to panic and buy some new locksmith services and products. I get it. I really do.

I also realize that the actual threat has been around a long time, and that criminals have known the technique for a while. I too have read that there has been little significant increase in break-ins since the lock bumping technique made headlines…

That said, I have been focusing on the long-beloved friend of accounting folks everywhere – the venerable locking file cabinet. Best practices for securing offices and accounting departments have long held that locking a file cabinet or desk drawer was a pretty decent layer of protection for the contents. Unfortunately, lock bumping very much changes that perspective.

I have attempted to bump quite a few file cabinets and desk drawers over the last few months. I am averaging in the 90th percentile in terms of gaining access. In many cases, it takes just about the same time as using the real key and I easily gain access to the contents to do with as I may.

How serious is this? Well, it makes much of the physical security associated with open cubicle environments suspect. Public access to receptionist desks and the like has proven pretty fruitful – including the usual suspects of phone lists, password lists and other generally attacker-friendly items. Not to mention the items available for outright theft – often including just plain money…

The old rules of physical access trumping many security mechanisms still exist. Lock bumping techniques are just the newest way to reinforce the lesson. If you have not taken a good look at your file cabinets, desk drawers and the availability they might have to an intruder with a simple bump key – it might be time to at least think about it. Especially sensitive materials like regulatory data, personnel data and the like may have to be given some other special protections if you're relying on rows of locked filing cabinets to secure them.

This entry was posted in General InfoSec by Brent Huston.

About Brent Huston

I am the CEO of MicroSolved, Inc. and a security evangelist. I have spent the last 20+ years working to make the Internet safer for everyone on a global scale. I believe the Internet has the capability to contribute to the next great leap for mankind, and I want to help make that happen!
