Physical penetration testing, sometimes known as black teaming or red teaming, is a hybrid between a security test and a security assessment focusing on the vulnerabilities which can be exploited via an attacker gaining physical access to a building. Once the vulnerabilities are identified they are tested through the methods which would be used by both opportunistic and sophisticated attackers. This is a very pragmatic service that businesses can utilise to explore known and unknown threats against their assets. Learn more about physical penetration testing
My organisation has excellent security infrastructure why would we need to worry?
Security budgets frequently prioritise physical defences, little attention is given to ensuring that staff understand the security policy and why compliance is so important. The best access control methods are useless if someone holds the door open for the person behind them or is not confident to react to a tailgate alarm.
When asset and risk registers are created a common mistake is to calculate the value of physical office assets as items such as furniture and IT hardware, the result is a fairly low value and the security provision to protect them is on par with that equation.
An organisations intellectual property and data and the risks from malware and ransomware are often assessed to be at risk purely from external attack, falling under budgets dedicated to cyber security rather than local physical prevention. Often loopholes can be exploited enabling network access to be achieved through a simple action such as inserting a USB device directly into a computer.
There is no reason for our organisation to be targeted
In the case of ransomware, hackers rarely care who they target. The threat is not coming from state sponsored actors motivated by industrial espionage or political agenda. It may be simply about holding your files or systems to ransom to make easy money.
The human factor is frequently the weakest link in the security spectrum. Recent attacks against blue chip companies have occurred through the exploitation of staff, this can be overtly or covertly. Overt methods include offering large sums of cash to entice a staff member to take an action such as the thwarted plot against Tesla in which an employee was offered $1 million to insert a device containing ransomware onto Tesla systems. Covert attacks include staff being exploited without their knowledge; this was seen in the twitter hacking scandal where the attacker impersonated a member of IT staff in order to gain employee log in credentials resulting in a hack which provided access to celebrity twitter accounts which the attacker then used to commence a $110,000 bitcoin scam. Attacks against smaller companies are a constant occurrence but don’t make the headlines in the same way as companies which float on stock markets or those who control large amounts of data.
In many cases regardless of the threat actors origin and objectives common attack methods are used, these include leaving USB devices where curious staff members may find them and plug them into unguarded systems, phishing attacks and gaining physical access under a pretext in order to plant a device which will access a companies network, steal their log in credentials or simply record sensitive conversations. Learn more about corporate surveillance
How can we improve our security strategy to mitigate these threats?
Physical penetration testers act in the same way as the attackers, they are well trained and highly experienced in the arts of persuasion, impersonation and pretexting, otherwise known as social engineering. They will gain physical access to a company through a combination of simple factors such as looking like they belong there, speaking about the right people within the organisation, knowing where they are going and having a reason to be there so as not to appear in any way suspicious.
They will operate under the parameters of the particular task and will attempt a range of exploits to assess security procedures and infrastructure at every level of the organisation from the situation of cameras, effectiveness of access control, standard of physical security personnel and levels of staff security awareness. The company is then provided with an in-depth report which will score all security risks and will provide recommendations if improvements need to be made.
Educating staff in the importance of security procedures, knowing how to identify a well disguised attacker and providing them with the confidence to alert security or office seniors of people who appear out of place is in our experience the most vital line of defence to prevent malicious attacks. It is also a relatively inexpensive option with high results.
Once we have completed a physical penetration test, we offer the company a bespoke staff security awareness training session based on our findings, this can be tailored to fit with staff schedules over multiple sites if required and is designed to be a non-judgemental session where the aim is to educate rather than point out individual failings.
For more information regarding our range of services including physical penetration testing, executive digital profiling, and surveillance awareness, or to create a bespoke employee security awareness training package for your organisation no matter how large or small please contact our training department.