“It takes 20 years to build up a reputation and few minutes of cyber-incident to ruin it." - Stephane Nappo
Physical Penetration Testing
When the words 'Penetration Testing' come to mind, most people in the cyberspace think of it in the digital sense, but what if there was more to it than just that.
Physical Penetration Testing is the act of gaining access to a building's important data through means of:
ID Duplication
Impersonation
Lock Picking
Reconnaissance
Disabling Security Alarms
and so much more.
I know what you're thinking. This sounds like something from a Mission Impossible movie, and there is no way any of this is legal.
Companies actually hire and pay professionals to infiltrate their buildings, and there are many benefits to doing so.
Benefits of Physical Penetration Testing
- Testing Physical Security
Companies can find out which doors need tighter security and if any locations have a "blind spot" where there is little to no security.
-Reporting Real Life Vulnerabilities
Humans can have their own vulnerabilities. For example, if security personnel trusts you just because you act like you belong in a location, this would put the company at significant risk if a security breach really does occur.
Story From a Real Physical Penetration Tester
I talked to a Cybersecurity Consultant who has been doing Physical Penetration Tests on and off for around ten years now.
He described to me the methods and skills he used in order to be successful at it:
"I found the most useful skills were to look like you belonged there, but weren't interesting/important enough to talk to."
"Most of the time, I'm using simple techniques to defeat physical defenses-I'm looking for weaknesses, not attacking strong points. I'm not going to break down a door, I'm going to slip a credit or ID card into the latch. That's worked for me numerous times."
I asked about an interesting experience he had from one of his Penetration Tests.
"The dumbest time it worked was in a facility that was the backup datacenter and a warehouse. What I didn't know was that it was also the cash-room for the organization.
We weren't even doing a pentest- we were doing a site visit. We even had a company
employee with us as an escort. I stopped to use the bathroom. The employee decided to take the time to smoke a cigarette."
Strike One - The employee should have been paying more attention to the people who were doing a site visit.
"The other two members of my team wandered off and ran into the security guards.
The guards closed and locked a big heavy door behind them. I come out and meet up with the escort and we go looking for the other two. We go down the same hallway the other two guys did. There's a little bulletproof window in the door, so I see three guards around my two guys. There's an internal phone on the wall. The company guy picks it up and tries calling some numbers, but he doesn't know the extension for the security team in the building.
I see the guards about to cuff my guys. I notice that the latch cover was improperly adjusted. I can just barely stick a credit card in the gap and by pulling the door towards me, it'll push the latch back a bit. I keep pushing the card in while pulling and pushing the door back and forth. About ten seconds of that and I have the door open."
Strike Two - Any door in the building, even if there is no sensitive information on the other side of the door, should not be able to open with the simple act of opening the latch with a credit card.
"The employee has a shocked expression when I open the door. I run in and yell "Internal Audit! We're supposed to be here. Mike sent us!" the guards gave me a hard time about calling up before hand. I just blamed Mike (there was no Mike), but they let us go."
Strike Three- All it took was some confidence and the random name drop of Mike to be set free and not questioned again. The employee should have been more suspicious, and further questioned them rather than letting them go.
With those three strikes, the facility could have easily been compromised by a real threat.