Physical Penetration Testing and Security Awareness Training - the vital and often missing links in an organisation's security strategy.

Physical penetration testing, sometimes known as black teaming or red teaming, is a hybrid between a security test and a security assessment. It focuses on the vulnerabilities which can be exploited by an attacker gaining physical access to a building. Once the vulnerabilities are identified, they are tested using the methods which would be used by both opportunistic and sophisticated attackers. This is a very pragmatic service that businesses can use to explore known and unknown threats against their assets.

My organisation has excellent security infrastructure, so why would we need to worry?

Security budgets frequently prioritise physical defences, while little attention is given to ensuring that staff understand the security policy and why compliance is so important. The best access control methods are useless if someone holds the door open for the person behind them or is not confident enough to react to a tailgate alarm.

When asset and risk registers are created, a common mistake is to calculate the value of physical office assets as items such as furniture and IT hardware. The result is a fairly low value, and the security provision to protect them is on par with that equation.

An organisation's intellectual property and data, and the risks from malware and ransomware, are often assessed to be at risk purely from external attack, falling under budgets dedicated to cyber security rather than local physical prevention. Often loopholes can be exploited, enabling network access to be achieved through a simple action such as inserting a USB device directly into a computer.

There is no reason for our organisation to be targeted

In the case of ransomware, hackers rarely care who they target. The threat is not coming from state-sponsored actors motivated by industrial espionage or political agenda. It may be simply about holding your files or systems to ransom to make easy money.

The human factor is frequently the weakest link in the security spectrum. Recent attacks against blue chip companies have occurred through the exploitation of staff, which can be overt or covert. Overt methods include offering large sums of cash to entice a staff member to take an action, such as the thwarted plot against Tesla in which an employee was offered $1 million to insert a device containing ransomware into Tesla systems. Covert attacks involve staff being exploited without their knowledge; this was seen in the Twitter hacking scandal, where the attacker impersonated a member of IT staff in order to gain employee login credentials, resulting in a hack which provided access to celebrity Twitter accounts, which the attacker then used to commence a $110,000 bitcoin scam. Attacks against smaller companies are a constant occurrence but don’t make the headlines in the same way as those against companies which float on stock markets or control large amounts of data.

In many cases, regardless of the threat actor's origin and objectives, common attack methods are used. These include leaving USB devices where curious staff members may find them and plug them into unguarded systems, phishing attacks, and gaining physical access under a pretext in order to plant a device which will access a company's network, steal login credentials or simply record sensitive conversations.

How can we improve our security strategy to mitigate these threats?

Physical penetration testers act in the same way as the attackers. They are well trained and highly experienced in the arts of persuasion, impersonation and pretexting, otherwise known as social engineering. They will gain physical access to a company through a combination of simple factors such as looking like they belong there, speaking about the right people within the organisation, knowing where they are going and having a reason to be there so as not to appear in any way suspicious.

They will operate under the parameters of the particular task and will attempt a range of exploits to assess security procedures and infrastructure at every level of the organisation, from the siting of cameras and the effectiveness of access control to the standard of physical security personnel and levels of staff security awareness. The company is then provided with an in-depth report which scores all security risks and provides recommendations if improvements need to be made.

Educating staff in the importance of security procedures, teaching them how to identify a well-disguised attacker and giving them the confidence to alert security or office seniors to people who appear out of place is, in our experience, the most vital line of defence against malicious attacks. It is also a relatively inexpensive option with high results.

Once we have completed a physical penetration test, we offer the company a bespoke staff security awareness training session based on our findings. This can be tailored to fit with staff schedules over multiple sites if required, and is designed to be a non-judgemental session where the aim is to educate rather than point out individual failings.

For more information regarding our range of services, including physical penetration testing, executive digital profiling and surveillance awareness, or to create a bespoke employee security awareness training package for your organisation, no matter how large or small, please contact our training department.

Please see our other blogs dedicated to social media exploitation, surveillance and physical penetration testing.

 

info@sloaneriskgroup.co.uk

Phone 02038972272

71-75 Shelton St, Covent Garden, London, WC2H 9JQ

Social Media as an OSINT tool

It is that time of the year again, the one that is particularly annoying for people who have lots of friends with small children.

It is the ‘back to school’ or ‘stand by the front door’ week. Many parents do this; I have been guilty of it myself. This year it will be even more prominent because, due to Covid, the majority of children ended the summer term without meeting the annual leaving milestone as expected, which was especially hard for those reaching the end of their primary schooling or even completing their first year in reception. This year going back to school is a bigger deal for most than ever before, and this will be accurately reported on social media with various versions of #backtoschool and #firstdayatschool.

So what? you might ask. What is wrong with uploading a photo of my child looking super cute in their new school uniform?

For many people, nothing at all. I don’t aim to scaremonger with this post; many people have a Facebook or Instagram account with locked-down privacy settings and they only share this sort of picture with their close friends and family.

However, in times where employees are manipulated via social engineering to give away confidential information or access, such as was initially suspected in the recent Twitter hacking breach, people need to be aware of what they are posting on social media and to have a good awareness of what could be compromised if they were manipulated.

Sloane Risk Group specialise in identifying and preventing vulnerabilities which enable malicious actors to breach information security. This covers both the physical security of buildings, offices and systems and the access which is obtained through hacking people, by manipulating them into giving away vital information, leading to data loss or physical breach.

We have worked with clients in businesses that specialise in software development, pharmaceuticals and research, all with their own reasons to be targets of malicious attackers. Some of them have experienced campaigns against them, including threats of direct violence towards the family members of their staff.

When we look at an organisation's staff and their attitude towards security, we frequently find links between accounts such as LinkedIn and various social media platforms which inadvertently give away far more personal information than can be recommended from a security aspect. We find that people often take measures not to show their address but then miss other exploitable personal identifiers. This is especially prevalent in spouses who do not realise the access to information or development that their partners may have.

If a malicious attacker is able to trace your children to a local primary school it would not take long to identify them being dropped off, your vehicle and from there your home address. This could be to place you under further surveillance, plant audio devices at your address, search through your rubbish, place tracking devices on your vehicle or even to directly threaten you.

If you are not in the category of people who could be exploited for criminal or competitor gain, the general security of your children should always be a cause for concern. In many child abduction incidents, the perpetrator has conducted some sort of research around that child first especially in kidnap for ransom cases.

What steps should I take to stay safe?

Before you or your spouse post anything with details such as school jumpers with emblems stating exactly where that school is, consider the following:

• Am I in a position where I could be bribed, blackmailed or tricked into giving away company secrets?

• Could the organisation that I work for be a target for hackers, scammers, criminals or protestors?

• Is the company information so valuable that someone could even threaten me or my family to get it?

• Am I giving away too much information about my family and our routines?

This is extreme but unfortunately not unheard of. If you feel that you should maintain the freedom to post about your family life, consider blacking out emblems or logos on uniform, think about the wording you use when you make your posts, and what other information you may be giving away in the picture such as door numbers or car number plates.

If you would like more information regarding counter espionage, a company security assessment, security audit, black team/physical penetration test, staff security awareness training or an employee security profiling test then please contact us.

Applying the Consultancy Cycle to a Black Team Assessment

Security consultancy

A UK tech company requested our services to review their current security strategy. They stipulated a focus on improving staff attitudes towards physical security.

The client was satisfied that their outward-facing cyber security was very strong, but they were concerned about the damage which could be achieved by insider threat or by an attacker who might gain internal physical access.

Stage 1 – Entry and Primary Analysis

We visited the client at their London HQ and ascertained that their main threat was commercial espionage by competitors.

Their need was to develop long-term security resilience rather than to see a quantitative return on their investment. Our pitch focused on the fact that, as a black teaming specialist, we provide a unique service involving accessing the buildings using the resources of a hostile attacker. This quickly detects the grass-roots vulnerabilities faced by the client and creates the starting place for an advanced security strategy to be developed.

Stage 2 – Contracting

Our proposal stated the set times we would allow for each step, such as the black team deployment and the use of gap analysis, and how we planned to work across the spectrum of people within the business, tackling policy and procedure problems as well as identifying the staff shortcuts.

We explained how we would identify the range of security threats and vulnerabilities to the business and use existing frameworks to strategise ways to reduce them.

Stage 3 – Gathering Data

The first step was the specialist activity of the black team, which enabled us to rapidly ascertain the main human-based problems facing the business. For instance, the staff were extremely polite and held access-controlled doors open for each other; by fumbling with a similar-looking badge or by holding multiple cups of coffee, our testers found entry was easily obtained. Once inside, they were accepted as people who should be there. This stage also enabled us to assess the security hardware of the buildings and the perimeter defence zones.

The next step was to create an asset register and to place a value to the things that were important to the business. We reviewed the policy and processes and interviewed staff informally to establish the security-based strengths and weaknesses throughout the organisation.

Stage 4 – Diagnostics

We identified the majority of the client’s problems during the first stage of the assessment. Our Black Team are experts at finding the holes in physical security and identifying how human nature can be exploited to gain access or to encourage staff to perform an action such as clicking on a phishing link.

We assessed that the physical security was generally to a high standard except for an RFID weakness. However, because we managed to breach the building and remain inside for prolonged periods on five separate occasions, the human element needed improvement. There were also some policy and contract points which we considered to require amendment.

Stage 5 – Generate Options

For the outlay of the cost, the client expected to see the implementation of a tougher security strategy and a clear improvement in their security culture.

Our shared vision was to achieve this by investing in the organisation's people, showing them why security is important and teaching them to recognise and avoid the manipulation tactics used by hostile attackers such as impersonation, phishing, pharming, vishing and smishing.

We presented the client with a range of options which addressed both the quick fixes and long-term goals needed to improve their security resilience, which included:

a) Doing nothing.
b) Developing the security strategy by investing in all business departments with business-wide initiatives, improvement of the RFID issue, advice regarding contract and policy changes and using our results to deliver an informal staff security awareness session.
c) The additional option of a more in-depth training feature and ongoing staff security culture testing program with measurable results.

Stage 6 – Implement Actions

The client chose the most in-depth option which involved ongoing staff training and subsequent testing. Our consultant led the project with a team of our training consultants and an external partner organisation who implemented an RFID frequency upgrade.

Stage 7 – Disengagement

The scope of the work that we conducted was clearly defined and easily measurable. The client was extremely happy with our service and asked us to re-contract to provide quarterly security spot checks and annual training for new staff members.

For black team/physical penetration testing assessments, security awareness training packages for staff and executives and for corporate surveillance investigations contact us:

info@sloaneriskgroup.co.uk
www.sloaneriskgroup.co.uk
0203 897 22 72

71-75 Shelton St, Covent Garden, London, WC2H 9JQ


Protecting yourself from spying, stalking and surveillance from your spouse or a former partner.

Sloane Risk Group London

Would your spouse spy on you?

Many of our clients suspect that they may be subject to stalking, surveillance and spying by a spouse or partner. We have experienced cases where our client’s email and social media accounts have been accessed, stalkerware has been installed on their phones, tracking devices placed on their vehicles, and their homes have been bugged with audio and video surveillance devices.

 

This article explores some of the easily obtainable software, programs, devices and equipment that can be used to invade your privacy and the basic ways in which you can prevent yourself from becoming a victim of stalking, surveillance and spying by your spouse or partner.

Stalkerware, Spouseware, Spyware

There are lots of tracking apps for mobile devices available. Many are marketed as apps for tracking children but, when used maliciously, are known as stalkerware, spyware or spouseware. Their capability includes monitoring emails, messages and locations, accessing photographs and contact details, obtaining social media passwords, and even remotely turning on the device's camera to gain a view of the surroundings of the device, all whilst running undetected.

On an Android device, some of the current tracking programs can be seen in the form of an obvious app, or they may appear as a technical setting that you are unlikely to explore, such as Wi-Fi settings, access tool or system update service. On an iPhone you may find an app called Cydia or iKeyMonitor. You may also notice that your battery life drains quicker than normal or that your location arrow is constantly visible.

One of the extra problems with stalkerware is that when data is stolen it is not necessarily secured and is then open to compromise by third parties. It may also leave your phone open to further attack.

How stalkerware is placed on a device

There are a range of ways to do this, but these are the most common:

 

1 – You could receive a link via text or email, such as something that looks like it goes to an interesting article, photograph or website. This is called a phishing attack, and when the link is clicked it will start installing the spyware onto your device. This could also be in the form of a pop-up requesting access and location permission which, in a rush, you may accidentally accept.

2 – Access to your PIN and Apple ID. This could be easily obtained by your partner or former partner shoulder surfing and over time seeing what details you enter to access your device and accounts, or from a note you may have written down when first setting up your phone.

 

3 – A gift. Be wary of anything technical being given to you as a gift, or anything you might conveniently find dropped outside your front door.

What to do if you think stalkerware has been installed onto your device

There are many variants of stalkerware and things evolve quickly. The recommended actions vary depending on the type of phone and the install, but advice includes (if using iOS) logging in to your iCloud account and signing out of all active sessions. It is also advised to perform a full reset on your device; this, however, is not a failsafe and does not work against all attacks, so if you can, consider a professional forensic examination or a new phone. There are tools to search for this type of malware; however, these are more available for Android than iPhone and not all are simple to use. Stay up to date with software updates as they are constantly fighting threats such as this.

If, however, you are stuck in a situation of domestic abuse, it is advised to retain your phone and carry on as normal so as not to endanger yourself; instead, try to discreetly obtain a second phone for any sensitive conversations and messages.

Next, change all of your passwords, including your Apple ID, and follow the steps below to limit your personal identifiers and secure your accounts.

How to protect yourself online and prevent becoming a victim of account exploitation

Reduce your online visibility. If you would not tell everyone that you meet your full name, email address, phone number, home address and details of your partner, children, friends and family, don’t do it online.

Step 1 – Use a VPN (Virtual Private Network)

Every computer has an individual IP address which can be used to trace your location. A VPN such as PIA or Proton VPN disguises your IP address. There is a range of both free and paid-for services, although paid-for versions generally receive better press. Your account will enable you to use a VPN on multiple devices and you should remember to install it on your smartphone. https://www.privateinternetaccess.com/pages/buy-vpn/ https://protonvpn.com/getvpn?utm_campaign=ww-all-vpn-gro_aff-getvpnp_main_offer&utm_medium=link&utm_content=6&utm_source=aid-1519&bestdeal

 

Step 2 – Create new passwords and usernames

You should not recycle usernames and certainly not passwords. Even if you are not a specific target, it is very common for websites to be hacked and data stolen. This data is then dumped in pastebins, which are repositories that can be accessed by anyone, and your passwords and usernames can then be exploited. If you use the same password on multiple sites it is then very easy for you to be hacked. There are several services that allow you to check if your email password has been compromised, such as https://haveibeenpwned.com/ or https://leakpeek.com/

 

Step 3 – Use a password manager

A password should be a mixture of numbers, letters and symbols. Instead of trying to remember complex passwords, sign up for a password manager. This is a program that can run on your computer and mobile device which stores and autofills all of your passwords; you only have to remember one password to access it. There are many different types of password manager, such as LastPass or Bitwarden. https://www.lastpass.com/ https://bitwarden.com/

 

Step 4 – 2FA, (Two Factor Authentication)

The next step is to secure your accounts and your password manager with 2FA. This is often a text message containing a code that you will enter when accessing the account, but a more secure way is to use a physical token such as a YubiKey. You place this like a USB stick into your computer or phone and simply touch it to confirm that it is you accessing the account. https://www.yubico.com/products/?utm_source=google&utm_medium=pd%3Asearch&utm_campaign=&utm_content=&gclid=cjwkcajw57b3brbleiwa1imytre_yw3758gscyh4zc27war9qsyyanismkjmazydvue0dxy8yfngxxocptmqavd_bwe

 

Step 5 - Consider avoiding profile pictures

We all like to have a profile picture on our social media and LinkedIn accounts, and in most cases this is totally fine. However, if you are at risk from malicious activity, consider not using them. This also applies to little-used accounts where you might add a picture once and then forget that it is there; if someone obtains a reused username it will be easy to view the pictures that you have used and perhaps forgotten about.

 

Step 6 – Privacy Settings

Set your social media account settings to maximum privacy and make sure that people you do not know cannot access your personal information. Also check your security settings: if someone has obtained your username or email, they can use the “forgot your password” option to reveal some of the characters of your phone number or email, and these can be slowly pieced together to gain your contact details.

 

Step 7 – Don’t use your real name

This is for people who have a genuine fear of being stalked. Don’t let vanity take over; your friends know who you are and can find you if needed.

 

Step 8 – Be aware of what you post

It is possible for investigators to search for text in images, so an innocent picture with your vehicle registration in the background could later reveal what you, your house or your children look like. Likewise, with check-ins and geotagging, consider if you really need to publish where you are and what you are doing. Even if you show this information retrospectively, you still create a dossier on the places that you visit, the things that you like and potentially annual events that you go to.

 

Step 9 – Change your phone access password regularly

Avoid being a victim of revenge porn

In hindsight this is an obvious suggestion, but in the moment it is not uncommon for people to engage in exchanging sexual imagery. Our advice to all parents is please have this conversation with your teenagers; blackmail regarding compromising images is very common. If you have any compromising images on your devices, erase them and don’t forget to empty the wastebin. You may also want to consider clean-up software, often known as file shredding.

https://www.bleachbit.org/

Bugging your house or vehicle

In more extreme cases, consider a bug sweep. There are many quick-plant devices that are easily obtained; they might not have a long battery life, but the quality is good and they can be accessed remotely. Focus on the areas of your home where you are likely to have sensitive conversations and spend a lot of time. If your spouse is likely to have placed the item themselves, then conduct a logical search starting from left to right, high to low. Check everything: books, objects, behind sofa cushions. If you believe that they may have contacted someone to install a more professional device with some longevity, consider contracting a professional TSCM (Technical Surveillance Counter Measures) expert.

Are you likely to be under physical surveillance?

See our other blogs describing surveillance techniques. If you feel that you are being followed, you first need to establish if that is the case; depending on your situation, you may want to do this overtly or covertly. Overt methods include manoeuvres such as driving twice around a roundabout, or turning on quiet stretches of road or randomly when walking, to establish if you see the same person, people or vehicles more than once. Covert methods involve finding a reason to look behind you without appearing to look or to notice anything, for example pausing to stroke a dog or looking back as you cross the road. To detect a professional surveillance team, we suggest employing experienced counter surveillance. If you are under surveillance, your options very much depend on your situation and the level of threat against you, and we advise our clients accordingly.

We hope that this blog will enable you to protect yourself from stalking, surveillance and spying by your spouse or partner.

For more information regarding our range of security risk mitigation and protective services including surveillance, close protection, TSCM bug sweeping and counter surveillance please visit our website www.sloaneriskgroup.co.uk or contact us by email info@sloaneriskgroup.co.uk

We have offices in Brighton and London and operate worldwide

Sloane Risk Group

Physical Penetration Testing

The importance of Business Security

A layered approach to security is vital for all businesses from start-ups to international corporations. Starting with perimeter security and external access control, leading to internal access controls and then secured areas and cabinets, security is the first, second and third ring of defence against corporate espionage, hostile attackers, opportunistic intruders, and a large range of threats which can cost a business time, reputation and money.

What is Physical Penetration Testing?

Businesses invest a great deal in fencing, alarms, access control and manned guarding. Physical Penetration Testing is a proactive way to identify if these security measures are working sufficiently and to assess a company’s security vulnerabilities through the eyes of a would-be attacker. This enables the business to improve its weaknesses before a real attacker can exploit them, potentially causing a data breach, loss of IP, theft and even physical damage and harm to employees.

How is Physical Penetration Testing Conducted?

Each deployment is bespoke to the client requiring the service. After establishing the location, nature and size of the business, the client is generally offered three levels of test to choose from. Some organisations, especially those who have a reason to be at high risk from a hostile attack such as research facilities and Government buildings, take a very forward-facing approach to their security concerns and will choose a level of service that simulates the real time that a hostile attacker would spend conducting open source intelligence (OSINT), hostile reconnaissance and surveillance of the building, its key executives and employees. Smaller businesses with a lower security budget, but who understand their responsibility towards facing security threats, might opt for a shorter project but will provide some basic information about the running of the business which the testers would have found out themselves had they conducted a longer surveillance period.

The first step is OSINT. This will show the profile of the company, related media and its areas of interest, as well as geographical information such as mapping of the area in which it is located, the thoroughfares, staff areas, parking, travel options and other local facilities and businesses which can be utilised during the attack phase.

 

Most importantly it will show the security awareness of staff members. Through a range of media options OSINT can identify who works for the business, which department and position they hold, who they report to and who reports to them. If staff are not overly cautious it can show when they are on holiday, what the internal office areas look like, even what type of ID they wear and what operating systems they use.

 

All of this information will build a picture for the next stage of the attack.

Social Engineering

The social engineering part of the attack will start before the main deployment. Vishing (voice phishing) calls will be made to identify routes via staff members into the building and to find out additional information about the daily operations and procedures. Pretexts will be established, and appointments will be set up to enable later access or to gain further information about the security procedures.

Cyber Attack

A cyber penetration test will assess the cyber security of the organisation. How far the team are required to penetrate will depend on the client's appetite for a realistic result versus their natural precautions surrounding very sensitive client data and the budget available.

Whilst malware can be specially created and deployed during a spear phishing attack, many clients opt for a shallower test to determine if any improvements need to be made.

 

The range of typical tests include:

  • Internal Infrastructure test - the type of test which will detect any vulnerabilities which could be exploited by a threat such as a disgruntled employee
  • External Infrastructure and web application penetration tests - to simulate hostile attacks over the internet or intranet
  • Wireless penetration tests - to determine the security of Wi-Fi networks
  • Voice communications tests - these can assess if the telephone network is susceptible to attack
  • Mobile devices and application tests and assessment of their build - to ensure they are secure especially in an age of bring your own devices
  • Cloud configuration reviews - to establish if cloud systems are secure

 

These tests are performed against benchmarks for industry best practices.

A physical penetration test can be conducted with or without a cyber penetration test. If they are conducted in conjunction, then the physical part will involve the operators planting various devices such as key loggers and USB sticks inside the building.

 

Red teaming, Blue Teaming, Purple Teaming and Black Teaming

 

Red teaming is an objective-led penetration test typically scoped to obtain data or to gain access to sensitive areas or networks. A Blue team is a team who react to the red team and try to prevent the attack. A purple team is where the two teams work together either in conjunction or by sharing information after the test.

A Black team is a phrase used to describe a physical penetration test.

What happens when the testers gain access to the building?

Once the testers have identified the pattern of life of the building, business, staff and contractors, the physical attack phase will commence. The testers' aim is to gain entry under a pretext, by SE or covertly, and to blend in. They may have been tasked to access certain rooms or areas such as the data centre, to photograph unlocked workstations to assess staff security awareness, to acquire or photograph sensitive documents or, in some rare instances, to cause disruption inside to see how the staff and security team deal with it. The majority of clients require a soft approach and wish to see how easy it is to tailgate employees into access-controlled areas and to extract themselves with company information without being detected. On some occasions the client requires a Covert Methods of Entry (CMOE) attack, which will utilise qualified lock pickers to test the physical aspects of the building’s security.

What are the benefits of this type of test?

The test is not purely to see how far the testers can penetrate. The report and recommendations provided to the client at the end of the test will examine the feasibility of a hostile attacker conducting each breach the team have identified. It will score the impact to the business against a risk matrix and make recommendations proportionate to the likelihood of attack at each stage. The end result is that your building will be more secure and less likely to suffer a security breach or physical attack, and as the implementor you will be able to take the credit for improving the building's security plan and potentially adding to or improving security policy.

What is the most common vulnerability that you find?

The most consistent vulnerability that we find is the human factor: staff members who are too keen to help or provide information without being aware of the security implications of their actions. Sometimes corner cutting is an issue, and very often we find that people are not sufficiently invested in the security of the building to have the confidence to challenge people who are not supposed to be there. We can assist with this by returning with our evidence and, in a friendly way, explaining to staff why they must take security seriously and what the consequences can be if they don’t, and by training them in a workshop focused on improving security procedures so that they are comfortable challenging people who they do not recognise or who are not wearing the correct identification.

For more information about Physical Penetration Tests please contact us:

 

info@sloaneriskgroup.co.uk