PHYSICAL PENETRATION TESTING:

PRETTY MUCH EVERYTHING YOU NEED TO KNOW

Protecting your business's assets from building, property, and day-to-day access threats.

When it comes to protecting your organization from attackers, you may first think of using cybersecurity tools, such as firewalls and anti-virus software, to stop threat actors from breaching your system.

While it is crucial to set up measures to protect your enterprise from cyber threats, the importance of physical security may often (if not always) be overlooked and underestimated.

Simply put, physical security refers to protecting your assets from threats related to your business’s building, property, and day-to-day access practices.

According to a report published by Michigan State University and Johns Hopkins University researchers, between October 2009 and December 2017, 53% of the data breaches were internal to medical providers specifically (e.g., unauthorized access or improper information disposal).

In another instance, one of the highest-profile physical security cases occurred in Hong Kong in 2017 when the Registration and Electoral Office (REO) lost two computers with the personal data of 3.7 million voters.

Both examples show that attackers can commit cyber crime not only from a distance but also from the premises of the targeted enterprise.

Therefore, cyber and physical security are tightly connected, especially with the rising popularity of Internet of Things (IoT) devices and Artificial Intelligence (AI) among businesses.

What we’ve often seen in the past, and often see even today, is that organizations rely on a hard exterior, but once inside, security goes soft.

Today, this strategy is largely ineffective against emerging threats, because attackers only need to defeat the exterior physical controls to reach the internal cyber controls. A single targeted attack or malicious insider is enough to breach the network of an organization that relies on a hard exterior.

WHAT IS A PHYSICAL SECURITY ASSESSMENT?

A penetration test or pen test is a simulated attack against an organization's computer system to reveal the vulnerabilities threat actors can exploit. There are two categories of penetration testing: cyber and physical.

While cyber pen tests focus on identifying non-physical vulnerabilities within an enterprise's system, a physical, on-site penetration test reveals tangible opportunities.

For example, a physical test can show how a malicious actor could compromise physical barriers (e.g., locks, CCTV cameras) to gain unauthorized access to sensitive areas of an organization's IT infrastructure, and from there extract valuable data (or achieve similar cyber crime-related goals).

THE 5 STEPS OF A PHYSICAL SECURITY ASSESSMENT

In this section, we will explore the different stages of physical penetration testing that cybersecurity professionals conduct to reveal an enterprise's vulnerabilities before threat actors do.

Remote Reconnaissance

Remote or passive reconnaissance is the first stage of the physical penetration testing process. During this step, the goal is to learn as much as possible about the target organization from a distance, without actually visiting its premises.

Penetration testers can use open-source information: satellite imagery of the target location from Google Maps or Google Earth, employee data from social media platforms (such as LinkedIn or Facebook), and public wireless catalogs to check whether the company's SSID has been recorded. The ultimate goal is to examine all available data sources from a comfortable distance.

Physical Reconnaissance

After the cybersecurity professional has finished their remote recon, they go on site and gather information from the physical location of the target company.

This stage includes:

  • Conducting traffic pattern analysis
  • Spotting guards and cameras
  • Evaluating the physical controls that are present outside of the facility
  • Learning how employees badge in and out of the premises
  • Identifying opportunities (e.g., specific employees holding doors open) that make the infiltration process easier

Vulnerability Assessment

The penetration tester takes the data they collected in the previous two stages and analyzes the potential attack vectors, which they can use to bypass the security controls of the facility. The organization can use the data gathered in this stage to evaluate the likelihood and risks of different attack vectors.

Exploitation

During the exploitation stage, the penetration tester attempts to break into the facility of the target organization using the attack vectors they discovered in the previous stage.

The goal here is to exploit the vulnerabilities of the organization while breaching further, as long as it’s within the scope of the engagement, to evaluate and demonstrate the risks.

Reporting

After the exploitation phase, the penetration tester formally documents their findings. This typically includes an executive-level report (high-level overview for management) and a technical-findings report (technical data about vulnerabilities with recommended remediation steps) that they send to the client.

Physical Security Assessments and Social Engineering

Attackers may favor the method of deception and manipulation known as social engineering. Social engineering is used to gather sensitive information about company employees or practices, relying on human error to breach a company.

As attackers often use this technique to deceive the employees of victim organizations, it is a fair question whether social engineering is used during physical penetration testing.

However, there is no clear answer to this question as social engineering is a very sensitive topic. It falls into a grey area regarding its legality during penetration tests, forming a very fine line that a professional tester may not want to cross.

Therefore, pen testers rarely use social engineering, and there are times when they don't engage with the employees of the target company at all. The latter, though, depends on the objective of the physical pen test. The engagement's contract will detail whether the pen tester has the right to use social engineering in a given instance.

What Are The Most Common Physical Security Risks, Vulnerabilities, And Threats For A Cyber Environment?

A threat is any new security incident or actor with the potential to harm your organization, while a vulnerability is a known weakness of a resource or asset that attackers can exploit to breach an enterprise's system.

Finally, risk is the potential for damage or loss a company faces when a threat successfully exploits a vulnerability (risk = threat x vulnerability).

Risks

  • Lax user awareness
  • Improper access controls (e.g., lack of badge locking mechanism)
  • Loose company culture (e.g., employees failing to question strangers and/or holding doors open for them so they can get inside the facility)

Vulnerabilities

  • Insufficient physical controls (e.g., RFID locks that do not require photo badge or pin to lock and open doors)
  • Improper detection response (flawed response process, lack of security personnel monitoring cameras)

Threats

  • Malicious insider
  • Phishing
  • Corporate espionage

Physical Attacker Lifecycle

While we've explored how cybersecurity professionals conduct physical penetration tests, it's time to see the approach an attacker might use to bypass the physical controls of an organization, to infiltrate its facility. The attacker's process might sound familiar. It is very similar to a physical pen tester’s methodology:

REMOTE RECON:

Open-source info and imagery.

PHYSICAL RECON:

On-site learning.

ASSESSMENT:

Analyze risk and approach.

EXPLOITATION:

Breach the facility and exploit vulnerabilities.

However, one last stage is missing for obvious reasons: reporting. This is why it is imperative for organizations to test their physical security measures just as they would their cybersecurity, as these gaps in physical security may give attackers access to the information they need.

Creating Your Organization's Physical Security Plan

As threat actors can attempt to breach your organization's system anytime, you have to be prepared. This is not only true for cyber attacks but physical attacks too.

OVERVIEW

Creating a physical security plan is essential as it provides you the following benefits.

What You Gain
  • Protects your organization through a proactive policy stance.
  • Creates rules for your enterprise's IT personnel.
  • Informs your employees about the possible consequences of a violation.
  • Creates a baseline stance on physical security to minimize your organization's risks for physical breaches.
  • Decreases the risk of data leak or loss.
  • Serves as a base to protect your enterprise from malicious internal and external parties.
  • Sets guidelines for your IT personnel as well as best practices so they can respond to potential security incidents more efficiently.
  • Creates a plan for the different physical controls that are used to protect your organization's assets.
  • Evaluates and ensures that your organization's physical security is compliant with relevant regulations.

RESPONSIBILITY

It is no question that a physical security plan is crucial for your organization's physical security measures. But who should be the one responsible for creating and executing the physical security policy?

Who Is Responsible?

To protect against physical breaches, your organization must designate the employee(s) who will take responsibility for writing the security plan.

This task can be given to one IT professional within your organization or a part of your IT team, or even the management team can handle it if they have the required skills or security knowledge.

Employee Responsibility

It is also important to mention the responsibility of employees as they are crucial assets to your organization.

With that said, people are by nature prone to making mistakes. Threat actors know this very well and take advantage of it via social engineering to breach enterprise IT systems.

One door that's held open to the wrong person can result in losses of valuable data worth millions of dollars, compromising your clients or consumers, and damaging the reputation of your organization.

Therefore, it is very important to train your employees to know the different physical security controls your company is using, the steps they should take if they spot a suspicious stranger, and how to efficiently respond to an ongoing attack (the physical security plan serves as a decent base for your employees).

Unfortunately, many organizations overlook physical security and its importance in protecting against data breaches. As a result, the number of human mistakes has grown, and researchers consider employee negligence a significant risk to the security of valuable assets.

According to a 2019 report by the Ponemon Institute and Shred-It, 71% of the breaches in the healthcare sector were due to either the loss or theft of electronic devices or paper documents.

While an increased focus on email and phone call phishing training has grown over the years, security regarding our buildings, devices, and physical awareness should not be forgotten.

GOVERNANCE

Governance is crucial to ensure a high level of security for your organization. Without it, your security plan becomes a matter of chance instead of a valuable strategy that improves the physical security measures of your enterprise.

Admin Controls

Security governance provides formalized risk management through a combined set of personnel, tools, and processes. Governance is embodied in an organization's physical security policies with a need to allocate the proper resources within.

Governance ensures that an organization has the appropriate administrative controls to mitigate risk; those controls, in turn, develop, define, measure, and adjust the performance of security systems through people, processes, and technological and physical elements.

PHYSICAL SECURITY REQUIREMENTS

Based on the countries and regions where your company and users are located, you may have to comply with certain requirements. While it's best to check the rules for the appropriate regions, we've collected the most common physical security requirements for you in a brief list. Industry-wide policies may also be in effect. Please check your governance framework for more detailed requirements.

Access Control

Guard both the outside and the inside access to your facilities, so that if a threat actor manages to get inside your premises, internal access controls can still stop them from entering sensitive areas within your facility.

  • Use internal access controls including keypads, ID cards, and biometrically restricted doors within your facility.
  • Implement external access controls, such as gates, fences, windows, barbed wire, and visible guards, to give threat actors a hard(er) time when they try to enter your facility from the outside.

Surveillance

While access controls help in preventing attackers from entering your organization's building, as well as from reaching different areas within, there can be times when threat actors manage to bypass these measures. That's when surveillance comes into place to help spot and report these incidents.

  • Common surveillance measures include CCTV cameras, burglar alarms, patrolling guards, as well as sound and movement sensors.
  • Companies with high-risk facilities can utilize more advanced surveillance systems for a holistic view of their premises. Examples of such include infrared, image, temperature, pressure, smoke, and proximity sensors.

Step Up Your Physical Security

Despite being commonly overlooked, physical security helps organizations prevent data breaches and other cybersecurity-related incidents through security measures that are easy to implement.

RedLegg recommends focusing on the following areas to harden your physical security defenses as well as to perform a Physical Penetration Test:

  • TOOLS & TECHNOLOGY
  • PHYSICAL SECURITY POLICY
  • PEOPLE

TOOLS & TECHNOLOGY

If you want to step up the level of the physical security of your organization, we recommend setting up or upgrading the tools and technology (e.g., CCTV, sensors, keypads, etc.) you use to protect your assets within your facilities.

PHYSICAL SECURITY POLICY

Without a physical security plan or policy, your organization's employees won't know the different rules they should follow (e.g., don't leave doors open or give access to strangers), and they will have problems when detecting or responding to physical security incidents. Therefore, it is crucial to have a physical security policy in place.

PEOPLE

While employees are one of the most important assets to your organization, they are prone to committing mistakes. That's why it's crucial to train them on how to comply with the different physical security policies.

GET A BASELINE PHYSICAL SECURITY ASSESSMENT

Get in touch with the RedLegg physical security assessment experts to know exactly where you stand.