Physical Penetration Testing Explained
Ryan Manship, the president of RedTeam Security Consulting, explains his suggested approach to physical security when it comes to penetration testing. He also tells us what to avoid during testing and gives tips on some of the best practices.
UPDATE: Anyone concerned about the security of their access card can send it to Kisi Labs to be tested for free. The original access card will be sent back to the user with a cloned or copied card and a report on how difficult it was for Kisi’s technicians to hack. Rather than hiring a security consultant or paying thousands of dollars for a penetration test, Kisi Labs aims to automate the process and offer this free service to as many people as possible.
About RedTeam Security Consulting
RedTeam Security Consulting is a specialized, boutique information security consulting firm led by a team of experts. The company, founded in 2008, is based in Saint Paul, Minnesota. Its areas of business include in-depth manual penetration testing, application penetration testing, network penetration testing and social engineering.
When Is Testing Needed?
When is physical testing needed? There are certain situations in which an IT director needs to start thinking about testing the company’s physical security. Ryan listed three of the most important situations where he thinks testing is required.
When physical security becomes a realistic attack vector that cannot be ignored, you truly want to understand what your attack surface looks like. That is when you need to consider assembling a physical penetration testing toolkit. Similarly, you need to prepare and test social engineering campaigns to reduce the likelihood that such campaigns succeed.
Sometimes there are people at your company who don’t exactly understand the security weaknesses. Or they understand them but need buy-in from their decision maker. In those cases, you might want to learn about the ‘unknown unknowns.’
Finally, compliance also drives suggestions for testing; usually, however, the regulatory bodies only suggest testing and do not specifically require it.
What Happens If You Never Do Security Testing?
The most important aspect of security testing is to validate the assumptions you have about the current security setup. If you are not testing it, two crucial problems might occur:
- You don’t have the opportunity to confirm that your assumptions about the current security system are correct, or that the system is indeed working.
- You can’t test your own response behaviors. It is important to test your response capabilities and speed: What do you do if something like this happens, and how will you react? How well can you handle the situation, and how fast can you react? Those things have to be learned through testing.
What Can You Learn By Completing a Penetration Test?
A physical security penetration test lets you learn how an incident plays out under a controlled set of circumstances. People used to say “if something happens.” Now, this is shifting to “when something happens.” That is to say, in doing a penetration test you’re preparing for the event knowing the event will happen—just not when it happens. What does the communication plan look like, and how are you dealing with it timewise and publicity-wise? The theme here is, “preparing to prevent and preparing to react.”
For testing physical security, specifically, you should focus on the different controls—are you able to breach the perimeter, are you able to get in the building? Once you’re inside, are you able to obtain the objectives?
Physical security testing is often not done in a vacuum. “Red Teaming” is the name for the approach of understanding the entire attack surface across three different verticals:
- Cyber Security
- Human Social Engineering
- Physical Security
Of those, the physical vector is often the most underrated, but humans are statistically still the weakest link. Application and cyber security is the second weakest link, right after human social engineering.
What Does The Testing Process Typically Look Like?
If you’re wondering how the testing process is done, or what physical penetration tools are used, Ryan gave a real-life example of how RedTeam Security conducts its testing:
First, they work with a small leadership group. The right people need to know, but they don’t want too many other people to know; otherwise it would spoil the value of the test.
- They work with clients to understand the client’s assets—such as customer data.
- Then they come up with an attack plan on how to potentially obtain those assets. Only the minimum amount of information is collected during the discovery.
- Next they have an operational plan to get approval from the client and they execute the plan.
- During execution, they stay in touch with their point of contact in order to map their actions against the client’s reactions and evaluate their response capabilities.
- Lastly, they consider re-testing to confirm that the findings have been fixed, and they also set up a schedule for re-testing.
Finally, it’s important to realize that these tests are not meant to be a punitive exercise to find out what your company and your people are doing wrong. Ideally, everyone at your company does their best, but there are new problems arising all the time—problems you just don’t have time to worry about, especially when your priority is uptime or the performance of the systems.