Applying the Consultancy Cycle to a Black Team Assessment
A UK tech company requested our services to review their current security strategy, they stipulated a focus on improving staff attitudes towards physical security.
The client was satisfied that their outward facing cyber security was very strong but they were concerned about the damage which could be achieved by insider threat or by an attacker who might gain internal physical access
Stage 1 – Entry and Primary Analysis
We visited the client at their London HQ and ascertained that their main threat was commercial espionage by competitors.
Their need was to develop long term security resilience rather than to see a quantitative regain on their investment. Our pitch focused on the fact that as a black teaming specialist we provide a unique service involving accessing the buildings using the resources of a hostile attacker. This quickly detects the grass roots vulnerabilities faced by the client and creates the starting place for an advanced security strategy to be developed.
Stage 2 – Contracting
Our proposal stated the set times we would allow for each step such as the black team deployment, use of gap analysis and how we planned to work across the spectrum of people within the business, tackling policy and procedure problems as well as identifying the staff shortcuts.
We explained how we would identify the range of security threats and vulnerabilities to the business and use existing framework to strategize ways to reduce them.
Stage 3 – Gathering Data
The first step was the specialist activity of the black team, this enabled us to rapidly ascertain the main human based problems facing the business. For instance, the staff were extremely polite and held access-controlled doors open for each other, by fumbling with a similarly looking badge or by holding multiple cups of coffee our testers found entry was easily obtained. Once inside they were accepted as people who should be there. This stage also enabled us to assess the security hardware of the buildings and the perimeter defence zones.
The next step was to create an asset register and to place a value to the things that were important to the business. We reviewed the policy and processes and interviewed staff informally to establish the security-based strengths and weaknesses throughout the organisation.
Stage 4 – Diagnostics
We identified the majority of the client’s problems during the first stage of the assessment. Our Black Team are experts at finding the holes in physical security and identifying how human nature can be exploited to gain access or to encourage staff to perform an action such as clicking on a phishing link.
We assessed that the physical security was generally to a high standard except for an RFID weakness, however due to us managing to breach the building and remain inside for prolonged periods on five separate occasions the human element needed improvement. There were also some policy and contract points which we considered to require amendment.
Stage 5 – Generate Options
For the outlay of the cost, the client expected to see the implementation of a tougher security strategy and a clear improvement in their security culture.
Our shared vision was to achieve this by investing in the organisations people, showing them why security is important and teaching them to recognise and avoid the manipulation tactics used by hostile attackers such as impersonation, phishing, pharming, vishing and smishing.
We presented the client with a range of options which addressed both the quick fixes and long-term goals needed to improve their security resilience which included;
a, doing nothing
b, developing the security strategy by investing in all business departments with business wide initiatives, improvement of the RFID issue, advice regarding contract and policy changes and using our results to deliver an informal staff security awareness session.
c, the additional option of a more in-depth training feature and ongoing staff security culture testing program with measurable results.
Stage 6. – Implement Actions
The client chose the most in-depth option which involved ongoing staff training and subsequent testing. Our consultant led the project with a team of our training consultants and an external partner organisation who implemented an RFID frequency upgrade.
Stage 7- Disengagement
The scope of the work that we conducted was clearly defined and easily measurable. The client was extremely happy with our service and asked us to re-contract to provide quarterly security spot checks and annual training for new staff members.
For black team/physical penetration testing assessments, security awareness training packages for staff and executives and for corporate surveillance investigations contact us:
71-75 Shelton St, Covent Garden, London, WC2H 9JQ