“Secure the perimeter.”
These words tend to conjure up a thrilling scene in a movie where some VIP is in danger. Yet data centers, offices, substations, critical infrastructure and more all need to be sure they, too, have secured their perimeters. Physical penetration testing measures the strength of your organization’s physical security controls. Here’s what you need to know about physical pen testing methods and how to prepare for your next testing engagement.
Physical Penetration Testing Methodology
A physical penetration test sets out to uncover weaknesses in your physical security before bad actors are able to discover and exploit them. This type of testing, also known as physical intrusion testing, attempts to compromise perimeter security, intrusion alarms, motion detectors, locks, sensors, cameras, mantraps and other physical barriers to gain unauthorized physical access to sensitive areas.
Physical penetration testing is typically motivated by one of three things:
- Recognition that physical security is an attack factor that cannot be ignored
- Desire to get buy-in from decision makers with a better idea of any unknowns
- Compliance requirements.
There are globally accepted industry standard frameworks for physical penetration tests. At a minimum, the testing framework ought to be based on the NIST Special Publication 800 Series guidance and OSSTMM. A thorough physical penetration test has many stages:
- Passive Reconnaissance — information gathering about the target’s surroundings and environment, perhaps using a tool such as Google Earth.
- Open Source Intelligence — taking advantage of freely available information about the target as well as its people and specifics about the environment.
- Active Reconnaissance — obtaining information through telephoning, emailing or otherwise directly querying target staff or vendors.
- Covert Observation — stakeouts, drones, and covert photography help identify physical security controls and monitor staff as they are coming and going.
- Attack Planning — using what’s been learned about vulnerabilities, exit and entrance points, cameras, guards, fences, company technology, staff members and more.
- Pretexting — ensuring the testing equipment, transportation and personnel are ready to roll.
- Infiltration, Exploitation — carrying out the planned attack.
- Post-Exploitation — penetrating further into the environment and setting up to maintain a persistent backdoor.
The best penetration testers will round all of this out with reporting and remediation. That’s when they take what was learned from penetrating the physical environment to the client and deliver recommendations for how to resolve issues found.
Did you know? With RedTeam Security, remediation testing is always free with no time limits.
How To Prepare For Your Physical Penetration Test
You can have the sturdiest firewall, the most up-to-date password policies and rigorous user permissions, but if someone can gain direct access to your buildings, these other precautions may be of little help. A bad actor exploiting your physical security can lead to device theft or provide access to unsecured desktop computers, internal networks, wiring closets, data centers and satellite facilities and branches.
1. To prepare for the testing, you’ll want to first understand your assets. What is it that those with malicious intent might seek to access? This could be different in a medical office setting (where the goal might be to gather personal identifying information) than at a substation (at which the objective might instead be to disrupt power flow).
2. Next, use the assets identified in item #1 to identify parameters and priorities. Now that you understand what can be involved in penetration testing, take the time to identify your objectives. What do you want to verify or evaluate? Also, who is going to be aware of the testing? You want only a few of the right people to know about the physical penetration testing in advance, so as not to tip the testers’ hand too early.
3. Consider your threat actors. This might be a malicious insider, an angry ex-employee, an organized crime unit, an opportunist jumping on a crime of opportunity, nation states; the list goes on. Forming the plan for the engagement while also considering the threat actor is a good idea (in addition to considering your assets as outlined above).
4. Also, make sure that you have determined who is going to be the company’s point of contact during the execution of the testing. This individual should have the knowledge base to compare the testers’ actions against the company employees’ reactions and response times. Empower this person to address any gaping security flaws that should be urgently remediated (or at least directly communicate with those who can address the concern).
Without thorough physical penetration testing you can’t validate assumptions about your current security setup. You won’t be able to identify what’s working and what isn’t and you won’t be able to evaluate the response capabilities and speed of response in the case of breach or intrusion.
To ensure a sound and comprehensive physical security test, RedTeam leverages industry standard frameworks as a foundation for carrying out its penetration tests. Request a free Physical Penetration Testing quote today and let’s open the conversation.