"Secure The Perimeter."
These words tend to conjure up a thrilling scene in a movie where some VIP is in danger. Yet data centers, offices, substations, critical infrastructure and more all need to be sure they, too, have secured their perimeters. Physical penetration testing measures the strength of your organization's physical security controls. Here's what you need to know to about physical pen testing methods and how to prepare for your next testing engagement.
A physical penetration test sets out to uncover weaknesses in your physical security before bad actors are able to discover and exploit them. This type of testing, also known as physical intrusion testing, attempts to compromise perimeter security, intrusion alarms, motion detectors, locks, sensors, cameras, mantraps and other physical barriers to gain unauthorized physical access to sensitive areas.
Physical penetration testing is typically motivated by one of three things:
There are globally accepted industry-standard frameworks for physical penetration tests. At a minimum, the testing framework ought to be based on the NIST Special Publication 800 Series guidance and OSSTMM. A thorough physical penetration test has many stages:
The best penetration testers will round all of this out with reporting and remediation. That's when they take what was learned from penetrating the physical environment to the client and deliver recommendations for how to resolve issues found.
Did you know? With RedTeam Security, remediation testing is always free with no time limits.
You can have the sturdiest firewall and most up-to-date password policies and rigorous user permissions, but if someone can gain direct access to your buildings, these other precautions may be little help. A bad actor exploiting your physical security can lead to device theft or provide access to unsecured desktop computers, internal networks, writing closets, data centers and satellite facilities and branches.
1. To prepare for the testing, you'll want to first understand your assets. What is it that those with malicious intent might seek to access? This could be different in a medical office setting (where the goal might be to gather personal identifying information?) than in at a substation (at which the objective might instead be to disrupt power flow)
2. Next, use the assets identified in item #1 to identify parameters and priorities. Now that you understand what can be involved in penetration testing, take the time to identify your objectives. What do you want to verify or evaluate? Also, who is going to be aware of the testing? You want only a few of the right people to know about the physical penetration testing in advance, so as not to tip the testers hand too early.
3. Consider your threat-actors. This might be a malicious insider, an angry ex-employee, an organized crime unit, an opportunist jumping on a crime of opportunity, nation states, the list goes on. Forming the plan for the engagement while also considering the threat actor is a good idea (in addition to considering your assets as outlined above).
4. Also, make sure that you have determined who is going to be the company's point of contact during the execution of the testing. This individual should have the knowledge base to compare the testers' actions against the company employee's reactions and response times. Empower this person to address any gaping security flaws that should be urgently remediated (or at least directly communicate with those who can address the concern).
Without thorough physical penetration testing, you can't validate assumptions about your current security setup. You won't be able to identify what's working and what isn't and you won't be able to evaluate the response capabilities and speed of response in the case of breach or intrusion.
To ensure a sound and comprehensive physical security test, RedTeam Security leverages industry-standard frameworks as a foundation for carrying out its penetration tests. Request a free Physical Penetration Testing quote today and let's open the conversation.