People, as we like to say, are not paid enough to care. At-will employment, company-sponsored healthcare, etc. have employees so focused on their own wellbeing that protecting "the company" is the last thing on their minds, and I can't really blame them. That lady who you barged in on may very well have just been used to micromanaging jerks doing it to her all the time, so she has to seem busy.
Physical security, in my experience, comes down to giving people something to protect which actually benefits them to protect. All the technical controls in the building can fail and one person with enough skin in the game can kill an intrusion attempt in seconds.
We had to break into a particular unit of a multi-tenant office building. The client wanted us to focus on social engineering, but if we were able to do that, to move on to testing if anyone would see it as suspicious if someone was messing with doors and stuff.
So my partner walked up to the reception desk with a toolbox and a clipboard, claiming to be there for an off-schedule inspection of the elevator fire suppression system. Signed the guestbook with no formal verification, walked into the office area, and sat down to plug his laptop into an ethernet drop.
Meanwhile, after he texted me to let me know he was in, I took the stairs up to a door that led into the back of the target unit and just had to use a traveler's hook to pull door latch open. No guard plates or anything in the way.
Then I walked around in my business casual outfit until I found what looked like an IT closet, waited for a time when no one was in the hall with me, and used an under-the-door tool to pop it open. All their network equipment was in there along with spare laptops and an unlocked IT admin machine on a desk.
:)
> I wanted to try and see if we could bypass the door entirely, and that’s where the canned air comes in. If you turn a can of compressed air upside down, it starts “boiling off cold gases.” These are not harmful in open spaces, and their temperature is well below freezing point even when gaseous. This can trigger a sensor that checks for temperature increases: First it sees a drop to -50C, thinks “Baby, it’s cold outside.” Then, the temperature starts rising again, and the sensor thinks “Oh, temperature going up?! Must be a human!” and opens the door. If this works, I will update my Mastodon. If it doesn’t, well I can still walk in after someone, so it’s a finding nonetheless.
I enjoyed it a lot.
It reminded me of Deviant Ollam's stories such has his elevator security talk w/ Howard Payne: https://www.youtube.com/watch?v=oHf1vD5_b5I