Safes are hard to break, they say, but as long as a safe is built by a human being and used by one, it is no longer 100% a safe.
Sometimes during pentests we come face to face with these machines, and with enough intel we know that what is behind that door is vital to what we are after. A lot of testers don't think this way, but as your experience in this field grows, you learn that this is a necessary strategy in real-life types of pentest such as black box. Now, getting to where the safe is kept is always a problem; it may require you to jump through a lot of hoops, e.g. posing as a janitor. During this operation, I acted as Network Support.
IT people have wide access to executive offices. Have you ever seen how happy an office boss gets when you fix an MS Windows problem that had bothered them for a while?
"Now I can watch new movies?"
"Even the new ones that I couldn't before?"
"Yes, I can copy more for you if you want."
"Go ahead, go ahead, Chuck."
So one thing I have come to find is the use of digits as key codes, and personnel love using numbers they can remember. Even I have that vulnerability with such authentication, e.g. SIM PINs, mobile banking, etc. The easiest digits people remember all their lives, even when suffering from Alzheimer's, are birthdays, and a lot of users will simply use these on a safe. Now the problem for pentesters is not being in a position to do enough research on target employees online, e.g. social media and online security assessment.
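To put a number on the point above, here is a small script, added for this post and not part of the original, that counts how many codes on a 4-, 6- or 8-digit keypad spell a real date, and builds an ordered candidate list from dates already known about a target. The date layouts (DDMM, DDMMYY and so on), the 1930 to 2025 birth-year window and the sample target dates are all assumptions made here for illustration.

```python
# Added example (not from the original post): how much of a numeric keypad's
# keyspace is "date-shaped". Layouts, year window and sample dates are assumptions.
from datetime import date, timedelta

# Assumed layouts a user might type for a birthday, keyed by code length.
# Only day/month layouts are listed for 4 digits; add "%m%y" etc. if needed.
FORMATS = {
    4: ["%d%m", "%m%d"],
    6: ["%d%m%y", "%m%d%y", "%y%m%d"],
    8: ["%d%m%Y", "%m%d%Y", "%Y%m%d"],
}

# Assumed plausible birth-year window for current staff.
START_YEAR, END_YEAR = 1930, 2025


def all_dates(start_year=START_YEAR, end_year=END_YEAR):
    """Yield every calendar day in the window; date arithmetic handles leap years."""
    d = date(start_year, 1, 1)
    end = date(end_year, 12, 31)
    one_day = timedelta(days=1)
    while d <= end:
        yield d
        d += one_day


def date_shaped_codes(length):
    """Every distinct `length`-digit code that spells a real date in an assumed layout."""
    layouts = FORMATS[length]
    return {d.strftime(fmt) for d in all_dates() for fmt in layouts}


def keyspace_coverage(length):
    """Return (date-shaped codes, full keyspace, fraction) for a `length`-digit keypad."""
    n = len(date_shaped_codes(length))
    total = 10 ** length
    return n, total, n / total


def codes_for_target(known_dates, length):
    """Ordered, de-duplicated candidates from dates gathered about one target.

    Caller supplies dates in priority order (own birthday first, then family, etc.);
    the output keeps that order so the most likely codes are tried first.
    """
    seen, out = set(), []
    for d in known_dates:
        for fmt in FORMATS[length]:
            code = d.strftime(fmt)
            if code not in seen:
                seen.add(code)
                out.append(code)
    return out


if __name__ == "__main__":
    for length in (4, 6, 8):
        n, total, frac = keyspace_coverage(length)
        print(f"{length}-digit keypad: {n} date-shaped codes of {total} ({frac:.2%})")
    # Constructed example: a target's birthday and a spouse's birthday found online.
    sample = [date(1985, 2, 19), date(1987, 11, 3)]
    print("6-digit candidates:", codes_for_target(sample, 6))
```

On a 4-digit keypad only 588 of the 10,000 combinations are a day and month in either order, and a 6-digit keypad that nominally offers a million codes has roughly a tenth of that in date form; once a birthday is known from social media, the list collapses to a handful of layouts, which is the whole reason the research phase matters.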
Surveillance and recovery assessment is essential for such intrusions, and this is done in teams. You might find that you get a lot of access to a facility just through this kind of assessment. I am currently doing a pentest which is similar to this, and I started as a janitor; it's amazing that the employees won't ask who you are as long as you are serving them or cleaning their desks.
Employees and senior management need to understand that security starts with everyone, not with the ICT department thrown into a corner cubicle and paid peanuts.
So most safes are used for storing money, but others store confidential documents. The personnel dealing with these documents need to have that sense of security, especially about their surroundings and who has access to their office. Sometimes these safes might hold information about the whole infrastructure and other company secrets that can seriously damage the organization if exposed.
When buying a safe, it's important to understand which ones are the tough ones and the value it will add to the company as far as security is concerned.
So whenever you hire a security firm for a black-box penetration test and all they do is perimeter scans, just know that these are the consultants we call script kiddies, and they are not in any way helping you secure your infrastructure.