Sloane Risk Group
Physical Penetration Testing
The importance of Business Security
A layered approach to security is vital for all businesses from start-ups to international corporations. Starting with perimeter security and external access control, leading to internal access controls and then secured areas and cabinets, security is the first, second and third ring of defence against corporate espionage, hostile attackers, opportunistic intruders, and a large range of threats which can cost a business time, reputation and money.
What is Physical Penetration Testing?
Businesses invest a great deal in fencing, alarms, access control and manned guarding. Physical Penetration Testing is a proactive way to identify whether these security measures are working as intended and to assess a company’s security vulnerabilities through the eyes of a would-be attacker. This enables the business to address its weaknesses before a real attacker can exploit them, potentially causing a data breach, loss of IP, theft, and even physical damage and harm to employees.
How is Physical Penetration Testing Conducted?
Each deployment is bespoke to the client requiring the service. After establishing the location, nature and size of the business, the client is generally offered three levels of test to choose from. Some organisations, especially those with reason to be at high risk from a hostile attack such as research facilities and Government buildings, take a very forward-facing approach to their security concerns and will choose a level of service that simulates the real time a hostile attacker would spend conducting open source intelligence (OSINT), hostile reconnaissance and surveillance of the building, its key executives and its employees. Smaller businesses with a lower security budget, but who understand their responsibility towards facing security threats, might opt for a shorter project; in that case they provide some basic information about the running of the business which the testers would have found out themselves had they conducted a longer surveillance period.
The first step is OSINT. This will show the profile of the company, related media and its areas of interest, along with geographical information such as mapping of the area in which it is located, the thoroughfares, staff areas, parking, travel options and other local facilities and businesses which can be utilised during the attack phase.
Most importantly it will show the security awareness of staff members. Through a range of media options OSINT can identify who works for the business, which department and position they hold, who they report to and who reports to them. If staff are not overly cautious it can show when they are on holiday, what the internal office areas look like, even what type of ID they wear and what operating systems they use.
All of this information will build a picture for the next stage of the attack.
The social engineering part of the attack will start before the main deployment: vishing (voice phishing) calls will be made to identify routes via staff members into the building and to find out additional information about the daily operations and procedures. Pretexts will be established, and appointments will be set up to enable later access or to gain further information about the security procedures.
A cyber penetration test will assess the cyber security of the organisation. How far the team are required to penetrate will depend on the client’s appetite for a realistic result, weighed against their natural precautions surrounding very sensitive client data and the budget available.
Whilst malware can be specially created and deployed during a spear phishing attack, many clients opt for a shallower test to determine if any improvements need to be made.
The range of typical tests include:
- Internal infrastructure test - the type of test which will detect any vulnerabilities that could be exploited by a threat such as a disgruntled employee
- External infrastructure and web application penetration tests - to simulate hostile attacks over the internet or intranet
- Wireless penetration tests - to determine the security of Wi-Fi networks
- Voice communications tests - these can assess whether the telephone network is susceptible to attack
- Mobile device and application tests, including an assessment of their build - to ensure they are secure, especially in an age of bring your own device (BYOD)
- Cloud configuration reviews - to establish whether cloud systems are secure
These tests are performed against benchmarks for industry best practices.
A physical penetration test can be conducted with or without a cyber penetration test. If the two are run in conjunction, the physical part will involve the operators planting various devices such as key loggers and USB sticks inside the building.
Red teaming, Blue Teaming, Purple Teaming and Black Teaming
Red teaming is an objective-led penetration test, typically scoped to obtain data or to gain access to sensitive areas or networks. A blue team is a team who react to the red team and try to prevent the attack. A purple team is where the two teams work together, either in conjunction or by sharing information after the test.
A black team is a phrase used to describe a physical penetration test.
What happens when the testers gain access to the building?
Once the testers have identified the pattern of life of the building, business, staff and contractors, the physical attack phase will commence. The testers’ aim is to gain entry under a pretext, through social engineering or covertly, and to blend in. They may have been tasked to access certain rooms or areas such as the data centre, to photograph unlocked workstations in order to assess staff security awareness, to acquire or photograph sensitive documents or, in some rare instances, to cause disruption inside to see how the staff and security team deal with it. The majority of clients require a soft approach and wish to see how easy it is to tailgate employees into access-controlled areas and to leave with company information without being detected. On some occasions the client requires a Covert Methods of Entry (CMOE) attack, which will utilise qualified lock pickers to test the physical aspects of the building’s security.
What are the benefits of this type of test?
The test is not purely to see how far the testers can penetrate. The report and recommendations provided to the client at the end of the test will examine the feasibility of a hostile attacker conducting each breach the team have identified, and will score the impact to the business against a risk matrix. The report will make recommendations proportionate to the likelihood of attack at each stage. The end result is that your building will be more secure and less likely to suffer a security breach or physical attack, and as the implementer you will be able to take the credit for improving the building’s security plan and potentially adding to or improving security policy.
What is the most common vulnerability that you find?
The most consistent vulnerability that we find is the human factor: staff members who are too keen to help or provide information without being aware of the security implications of their actions. Sometimes corner cutting is an issue, and very often we find that people are not sufficiently invested in the security of the building to have the confidence to challenge people who are not supposed to be there. We can assist with this by returning with our evidence and, in a friendly way, explaining to staff why they must take security seriously and what the consequences can be if they don’t, and by training them in a workshop focused on improving security procedures so that they are comfortable challenging people whom they do not recognise or who are not wearing the correct identification.