Physical Penetration Testing – Why bother?
Physical Penetration Testing (PPT) can support your cyber security by assessing the physical security measures in place to protect your network. What can you expect from a PPT team?
Many organisations put significant money and effort into cyber security to protect their networks, systems, applications, and devices from a digital attack. This is generally backed up with regular IT penetration testing to check the efficacy of the precautions, but how many organisations support this with Physical Penetration Testing (PPT) to test physical access to the network?
Threat actors gaining access
It is important that the risk posed by threat actors gaining physical access to a client’s premises is not underestimated. Their reasons for doing so are varied, but none of them are good. These can include opportunist theft of assets or staff property, the placing of listening devices in key locations, dropping malware-infected flash drives or obtaining physical access to IT networks in order to plant malware which can be exploited by external hackers. There is an increasing threat from single-issue activists looking to bring publicity to their cause and embarrass the targeted organisation by causing damage, painting slogans on or hanging banners from buildings.
The goal of testing
The aim of PPT is to identify any vulnerability or failure in physical measures, security systems, processes, security officers, and personnel awareness. Information obtained from a thorough PPT allows an organisation to address any vulnerabilities in a timely fashion. It is not designed to embarrass anyone or make them look bad.
Many of our clients believe that the new normal of hybrid working patterns has increased their organisation’s vulnerability to physical intrusion. With lower numbers of people regularly in the office, and new recruits unknown to existing personnel and vice versa, many employees are wary of challenging someone they don’t know or recognise.
© CITY SECURITY MAGAZINE – AUTUMN 2022
It is vital that PPT should model the Tactics, Techniques, and Procedures (TTPs) of an actual and credible threat. The list of threat actors and their capabilities is diverse, and organisations will need to determine the threats most appropriate for the penetration test, based on their own threat and risk assessment, if the test is to be meaningful and useful. PPT teams must keep up to date with current methods used by potential adversaries and use this knowledge to assist clients in scoping their penetration test.
PPT is relevant for organisations of all sizes and types. Any regulated sector, operators of critical national infrastructure, national and local government, and operators of sporting and entertainment venues should consider testing themselves. There is an obvious question of whether it is needed at a time when many people are working from home and offices are lightly occupied. This new way of working in itself offers particular vulnerabilities.
Assessing the vulnerabilities
It is important to consider all the important assets that the organisation has, not just the IT structure. For example, sensitive information left in meeting rooms and offices, physical assets which can be stolen or damaged, central shredding bins which can be accessed or walked off site. The PPT physical team must work closely with the client’s IT testers to see if vulnerabilities can be leveraged by having physical access.
A well-structured test will start with detailed liaison between the PPT team and the client to determine the scope of the testing to ensure that it is relevant and proportionate to their requirements. The PPT team will then move on to Open Source Intelligence (OSINT), gathering data about the organisation and its staff. They will use all publicly available material, including social media, closed user groups, subscription databases and social engineering. This information is collated to identify potential vulnerabilities, areas for reconnaissance and potential pretext approaches for use during the penetration testing phase.
Implementing the plan
All the information gathered from the OSINT phase is used by the PPT team to compile a plan for the reconnaissance phase. This plan should be circulated and signed off by the key stakeholders in the client organisation and PPT organisation.
Enactment of the plan should be conducted at different times during the day and night and at weekends to obtain as full a picture as possible of the activities at the client site. The aim is to identify the potential vulnerabilities of the site and potential exploitation methods. Building on the information gathered, a plan will be prepared to exploit the vulnerabilities identified during the OSINT and reconnaissance phases. The attempts will be varied in nature and timing.
The final report to the client should be balanced and identify good practice and performance of controls, as well as the areas where controls failed or were lacking. All identified weaknesses should be highlighted, even if they did not result in successfully gaining entry. Where access is gained, the methods used and the vulnerabilities exploited should be detailed along with any imagery or other evidence obtained.
Mike O’Neill, Managing Director, Optimal Risk
www.optimalrisk.com