Physical Penetration Testing – an effective way to identify vulnerabilities in your security measures?
Physical Penetration Testing (PPT) can support your cyber security by assessing the physical security measures in place to protect your network. Here we describe what can you expect from a PPT team to help you ensure they provide an effective way to identify vulnerabilities.
Many organisations put significant money and effort into cyber security to protect their networks, systems, applications, and devices from a digital attack. This is generally backed up with regular IT penetration testing to check the efficacy of the precautions, but how many organisations support this with Physical Penetration Testing (PPT) to test physical access to the network?
Threat actors gaining access
It is important that the risk posed by threat actors gaining physical access to a client’s premises are not underestimated. Their reasons for doing so are varied, but none of them are good. These can include opportunist theft of assets or staff property, the placing of listening devices in key locations, dropping malware-infected flash drives or obtaining physical access to IT networks in order to plant malware which can be exploited by external hackers. There is an increasing threat from single-issue activists looking to bring publicity to their cause and embarrass the targeted organisation by causing damage, painting slogans on or hanging banners from buildings.
The goal of testing
The aim of PPT is to identify any vulnerability or failure in physical measures, security systems, processes, security officers, and personnel awareness. Information obtained from a thorough PPT allows an organisation to address any vulnerabilities in a timely fashion. It is not designed to embarrass anyone or make them look bad.
Many of our clients believe that the new normal of hybrid working patterns has increased their organisation’s vulnerability to physical intrusion. With lower numbers of people regularly in the office and new recruits unknown to existing personnel and vice versa there is the challenge of many employees being wary of challenging someone they don’t know nor recognise.
It is vital that PPT should model the Tactics, Techniques, and Procedures (TTPs) of an actual and credible threat. The list of threat actors and their capabilities is diverse, and organisations will need to determine those threats most appropriate for the penetration test based on their own threat and risk assessment if that the test is be meaningful and useful. PPT teams must keep up to date with current methods used by potential adversaries and use this knowledge to assist clients in scoping their penetration test.
PPT is relevant for organisations of all sizes and types. Any regulated sector, operators of critical national infrastructure, national and local government, and operators of sporting and entertainment venues should consider testing themselves. There is an obvious question of whether it is needed at a time when many people are working from home and offices are lightly occupied. This new way of working in itself offers particular vulnerabilities.
Assessing the vulnerabilities
It is important to consider all the important assets that the organisation has, not just the IT structure. For example, sensitive information left in meeting rooms and offices, physical assets which can be stolen or damaged, central shredding bins which can be accessed or walked off site. The PPT physical team must work closely with the client’s IT testers to see if vulnerabilities can be leveraged by having physical access.
A well-structured test will start with detailed liaison between the PPT team and the client to determine the scope of the testing to ensure that it is relevant and proportionate to their requirements. The PPT team will then move on to Open Source Intelligence (OSINT) gathering data about the organisation and its staff. They will use all publicly available material, including social media, closed user groups, subscription databases and social engineering. This information is collated to identify potential vulnerabilities, areas for reconnaissance and potential pretext approaches for use during the penetration testing phase.
Implementing the plan
All the information gathered from the OSINT phase is used by the PPT team to compile a plan for the reconnaissance phase. This plan should be circulated and signed off by the key stakeholders in the client organisation and PPT organisation.
Enactment of the plan should be conducted at different times during the day and night and at weekends to obtain as full a picture as possible of the activities at the client site. The aim is to identify the potential vulnerabilities of the site and potential exploitation methods. Building on the information gathered, a plan will be prepared to exploit the vulnerabilities identified during the OSINT and reconnaissance phases. The attempts will be varied in nature and timing.
The final report to the client should be balanced and identify good practice and performance of controls, as well as the areas where controls failed or were lacking. All identified weaknesses should be highlighted, even if this did not result in successfully gaining entry. Where access is gained, the methods used and the vulnerabilities exploited should be detailed along with any imagery or other evidence obtained.
See previous articles from Optimal Risk.
See related article: Penetration testing for cyber security assessment