Only when you put an operation or resource under real-world "stress" can you determine its true efficiency and capability.
The purpose of a physical penetration test is to understand the true strength and effectiveness of the physical security controls within a venue, building, environment or organisation.
What is Physical Penetration Testing?
A physical penetration test assesses all physical security controls, including access control (manual and electronic), fences, guard force, CCTV, employees, and other security measures, such as policy and procedure.
During a physical penetration test the tester simulates an adversary: attempting to coerce, circumvent, bypass, destroy and/or breach controls in order to gain physical access to specific areas, information and/or systems. A typical target is a restricted area or space within a building or venue that houses classified documents or data, or that is occupied by company executives or other high-value (at-risk) employees.
Why is Physical Penetration Testing Important?
Many organisations claim to have, or believe they have, impenetrable security. Perhaps that belief rests on a guard at the front desk of a 40-floor high-rise plus a guard monitoring CCTV, or perhaps it is the "head in the sand" mentality of "it has never happened, so it will not happen to us".
As we know, security is not seen as a profit-making function. What people fail to factor in is that a capable, professional, collaborative security strategy should mitigate the risk of loss or damage to the business, reducing the likelihood of an undesirable event that disrupts business continuity and, with it, revenue and profit.
Internal audits are of course vital, but on their own they are not sufficient to produce accurate findings: employees will likely know that an audit is taking place and who is conducting it, which can bias the result. This is why a specialised external company should be engaged to lead the test.
A physical penetration test assesses the risk of an adversary physically disrupting an operation, and the potential for loss that follows.
While many organisations do a good job of protecting their IT network against cyber-attack, many do not really consider, or take seriously, the risk of a physical attack.
No cybersecurity professional can claim to provide true information security or effective security controls without professional, fit-for-purpose, competent, layered physical security measures in place: an adversary with physical access to a server room, network cabinet or unlocked workstation can bypass many of the logical controls built around it.
What Questions Should It Answer?
What is the risk of someone breaching your access control measures?
Before the organisation buys a new access control system fit for the NASA launch control room: is it even necessary?
What information can an adversary reach if they breach access control? For example, PII, server rooms, key rooms, CCTV rooms, at-risk employees, garbage bins, shredded documents.
What happens if an adversary gains access? Having reached a specific room, what actions could the adversary take?
Will employees challenge an unknown person within the organisation's footprint, for example in an office, a public space or a non-public space? Is the guard force able to detect hostile reconnaissance?
Benefits of Performing a Physical Penetration Test
Expose weak physical barriers: the assessment will expose physical security vulnerabilities such as unmanned posts, doors that are inadequately secured (poor access control or none at all), and policies and procedures that employees are not following.
Understand the risks: as part of the assessment, simulated attacks must be run against the existing controls, producing findings on the kind of impact the identified risks could expose the operation to.
A physical penetration test should feed into the security awareness programme, including the testing of policy, procedures and the physical controls that protect the operation. Testing uncovers real-world vulnerabilities in those controls. Tested barriers might include doors and locks, fences, PIDS (perimeter intrusion detection systems), BIDS (building intrusion detection systems), the guard force and other employees.
What are Some of the Techniques That Should be Used in a Physical Penetration Test?
The techniques below are examples only and not an exhaustive list. Many professionals use a variety of well-practised methods and simulations that are not mentioned here.
RFID Cloning: Using an RFID cloner, the tester attempts to get close enough to an employee's badge to read and copy it. Once a valid card has been obtained, attempts are made to use it to gain access to the building or venue. Low-frequency proximity badges that simply broadcast a static identifier are the easiest targets, since the reader has nothing to challenge; badges that authenticate cryptographically to the reader are considerably harder to clone.
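As an added example (not code from the original article), the Python below decodes and re-encodes the 26-bit Wiegand / HID H10301 proximity-card format that many low-frequency badge cloners capture and replay. It assumes the target site issues badges in that format, which the article does not state; every bit string in it is constructed for the example, not read from any real badge. The point it makes is the one above: the entire identity is 24 data bits plus two parity bits, so a "clone" is nothing more than a bit-for-bit replay, while the parity bits only catch a noisy read, not an adversary.

```python
"""
Added example (not from the original article): decode and re-encode the
26-bit Wiegand / HID H10301 proximity-card format that many low-frequency
badge cloners capture and replay.

Assumption (not stated in the article): the site issues 26-bit H10301 badges.
All bit strings used here are constructed for the example, not captured.

Frame layout (26 bits, left = first bit on the wire):
  bit 0       even parity over bits 1..12
  bits 1..8   facility code (8 bits)
  bits 9..24  card number (16 bits)
  bit 25      odd parity over bits 13..24
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Card26:
    facility_code: int  # 0..255
    card_number: int    # 0..65535


def encode_h10301(facility_code: int, card_number: int) -> str:
    """Build the 26-bit frame a reader expects for this facility code / card number."""
    if not 0 <= facility_code <= 0xFF:
        raise ValueError("facility code must fit in 8 bits")
    if not 0 <= card_number <= 0xFFFF:
        raise ValueError("card number must fit in 16 bits")
    data = f"{facility_code:08b}{card_number:016b}"   # 24 data bits
    even = data[:12].count("1") % 2                   # bit 0: makes bits 0..12 even
    odd = 1 - (data[12:].count("1") % 2)              # bit 25: makes bits 13..25 odd
    return f"{even}{data}{odd}"


def decode_h10301(frame: str) -> Card26:
    """Parse a captured 26-bit frame, rejecting corrupt reads via the parity bits."""
    if len(frame) != 26 or set(frame) - {"0", "1"}:
        raise ValueError("expected a string of 26 '0'/'1' characters")
    data = frame[1:25]
    if int(frame[0]) != data[:12].count("1") % 2:
        raise ValueError("even parity mismatch: corrupt or partial read")
    if int(frame[25]) != 1 - (data[12:].count("1") % 2):
        raise ValueError("odd parity mismatch: corrupt or partial read")
    return Card26(int(data[:8], 2), int(data[8:], 2))


def is_valid_frame(frame: str) -> bool:
    """True if the frame parses with both parity bits correct."""
    try:
        decode_h10301(frame)
        return True
    except ValueError:
        return False


def clone_frame(captured: str) -> str:
    """What a cloner does: recover the identity and emit an identical frame.
    There is no secret to reproduce, so the clone is bit-for-bit the original."""
    card = decode_h10301(captured)
    return encode_h10301(card.facility_code, card.card_number)


if __name__ == "__main__":
    # Constructed badge: facility code 42, card number 1234.
    original = encode_h10301(42, 1234)
    print("captured :", original)
    print("decoded  :", decode_h10301(original))
    print("clone    :", clone_frame(original))
    print("identical:", clone_frame(original) == original)
    # A single flipped bit (a noisy read) is caught by parity, so the cloner
    # retries rather than writing a card that will never open a door.
    corrupt = original[:5] + ("1" if original[5] == "0" else "0") + original[6:]
    print("corrupt read accepted:", is_valid_frame(corrupt))
```

The parity checks exist so a reader can discard a badly received frame; they provide no authentication, which is why a cloned frame is indistinguishable from the original to the reader. Mitigations sit outside this format: badges that authenticate to the reader, reader-to-controller encryption, and procedures such as anti-passback and challenge of tailgaters.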
Coercion: Persuading someone to do something by force or threat. In a simulation this will usually take the form of a bribe, or intimidation through claimed authority, for example posing as a company executive, and must stay within the agreed rules of engagement. Ideal targets are typically a cleaner or a security guard, who may give the tester valuable operational information, an access control token such as a duplicate card, or direct access to a certain area.
Tailgating: Using social engineering to get an employee to hold a door open for you, to pass their access card back so you can enter, or simply catching a door before it closes. This happens frequently, and I am sure most people reading this can think of a recent time at work when they held a door open for an "unknown" person out of politeness, without challenging them.
Circumventing Access Controls: This can be as simple as climbing over a fence, forcing a door, or walking through an open door or open area without being challenged.
Lock Picking: Most modern external doors are fitted with locks designed to resist picking. However, many desks, cupboards and cabinets use very simple locking mechanisms that, with the right know-how, can be defeated with relative ease in a very short time.
Dumpster Diving: Looking through the trash for information that can be used to penetrate further layers of the operation's security. Paper documents, books, manuals, invoices and bank statements are some of the items an adversary looks for.
Shoulder Surfing: The tester observes whether they can pick up login credentials, loose talk or notes: what employees type, say or write down, which websites they visit and which documents they look at, digitally or on paper, any of which may include vital information such as passwords. Other real-world scenarios include an adversary posing as a contractor engaged to fix an AC vent in an office space, or a coerced insider.
The report should provide detailed, actionable information to help improve physical security controls and the overall security posture of the business. It may include:
Information learned during the information gathering and reconnaissance phases.
A detailed scope and methodology describing how the test was conducted.
Identification of successful, and unsuccessful simulated adversary actions.
Evidence of risks, and any mitigations observed during the test, for example the detection of, delay to, and response to a simulated adversary action.
Recommended mitigation measures to reduce risks to ALARP (as low as reasonably practicable).
A professional, extensive test should be endorsed at the highest level of the organisation, with written authorisation the testers can produce if challenged, and knowledge of the test should be kept on a "need to know" basis.
Depending on scope, a test may take considerable time, and it must always be conducted professionally and respectfully. Remember that the site will likely be operational, so the business should continue to run without unrealistic intrusion, although this can be complex in many simulated actions.
Disrupting Hostile Reconnaissance - Centre for the Protection of National Infrastructure (CPNI)
Understanding & Countering the Threat - Centre for the Protection of National Infrastructure (CPNI)
Building a Proactive Security Culture - Adam Green MSyI CSMP®
See, Check and Notify (SCaN) - Centre for the Protection of National Infrastructure (CPNI)
Behavioural Detection - ICAO
Protect UK - Resources
Kindly reach out to me should you require an introduction to a company within the Arabian Peninsula to support you with the above.
Thank you for reading.