IFSEC Insider hears from Mike O’Neill, Managing Director at Optimal Risk Group, who provides guidance on the approach to and security planning of Physical Penetration Testing (PPT), along with debriefing clients on its results.
How much money does your organisation spend on physical security and raising staff awareness? How effective is it? Why do you spend this money?
Let’s start with the last one. You want to ensure access to your building is only available to staff, invited visitors and approved contractors. The risks posed by unauthorised visitors, or ‘threat actors’, gaining physical access to your or a client’s premises are varied, but include:
Theft: Opportunist theft of assets or staff property.
Bugging: Placing listening devices in sensitive locations to overhear and obtain private or confidential information.
Cyber-Attack: Dropping malware-infected flash drives or obtaining physical access to IT networks to plant malware which can be exploited by external hackers.
Targeted Activism: Single-issue activist groups using business premises to bring publicity to their cause and embarrass the organisation by causing damage, painting slogans or hanging banners on buildings.
Many corporate security personnel we speak to are wary about running a PPT on their premises as they fear the results. However, we find that the results of a well-planned PPT programme are valued highly as they represent a “real world” test of the organisation’s security stance.
The structured approach to PPT that Optimal Risk Group (ORG) have developed is explained here:
Client Engagement
In order to maintain confidentiality, we try to limit the number of client personnel who know what is happening to two or three. We engage with a detailed questionnaire to provide the client with as much knowledge of our team’s capability as possible, so that we can agree the scope of the PPT. Part of this process is to define the organisation’s most common or likely threat actors so that the team can replicate their capabilities, behaviours and attacks realistically.
Open Source Research
Our researchers will start gathering data about the organisation and its staff. This includes publicly available material from social media and other sources available to hostile actors. This information is collated to identify potential vulnerabilities, areas for reconnaissance and potential pretext approaches for use during the penetration testing phase. Social engineering may also be used to solicit more useful information.
Reconnaissance
The reconnaissance phase is used to develop more information about potential vulnerabilities identified during the research phase as well as identify other vulnerabilities such as busy times and even smokers propping open fire doors. This phase is critical to develop an understanding of how the building operates at all times of day, night and weekends. We also seek to understand how visitors, deliveries and contractors are handled, and whether they too can be exploited.
Planning
The research and subsequent reconnaissance will provide us with the information to develop the different approaches we will take. This will include various pretexts, possibly physical scaling of walls and fences or, in some cases, defeat of security systems. This will then decide the final composition of the testing team. We also work in tandem with IT penetration testing teams to see if physical access to the network can allow devices to be planted and allow external exploitation or exfiltration.
Infiltration Tests
The planned tests will take place at different times and are not just focussed on gaining access. At the same time, we also look to access key assets within the organisation. This can involve viewing unlocked computers, entering unlocked server rooms, reading or copying confidential documents left in meeting rooms, or even wheeling out bins for document shredding.
Client Report
Detailed debriefs will be conducted after each penetration attempt. All notes and imagery will be collated to support the preparation of the final report and, once all penetration tests are complete, a detailed report will be compiled.
The report will be balanced and identify good practice and performance of controls as well as the areas where they failed or were lacking. All identified weaknesses will be highlighted even if they did not result in successfully gaining entry.
Where access is gained, the methods used and the vulnerabilities exploited will be detailed along with any imagery or other evidence obtained.
Where appropriate, we will offer recommendations for improvements to physical security and processes, and ideas for raising staff security awareness.
Closing Remarks
Our experience has shown how seemingly well-secured premises can still be vulnerable to security breaches due to small and unnoticed gaps in the infrastructure’s security plan. By testing your resilience, PPT can play a pivotal role in the safety and security of the organisation’s people, buildings, assets, and reputation.