Physical Penetration Testing: What It Is, And Why You Should Care
Physical penetration tests are meant to simulate real-world scenarios to help assess the vulnerabilities and risks that could compromise a company’s physical security. Specialists often carry them out in this field who know how to access sensitive information, bypass controls, intercept network traffic and EM waves and more!
Penetration testing is not the be all end all for securing your assets. Digital security is one big component of overall security, and physical security is equally important when it comes to securing people and assets.
Physical penetration testing is a vital part of any company’s security. This article will tell you what physical penetration tests are, why they’re important and how to do them.
Why do companies use physical penetration testing?
As technology continuously evolves, so make the threats it brings along. Unfortunately, some companies are still unaware of that and continue to ignore the risks associated with physical security flaws, which leaves them vulnerable to outside dangers – from burglars and corporate espionage to natural disasters like fires or floods. Even in a “perfect” building, there might be an old-fashioned way of breaking into it. This is where a physical penetration test comes in handy.
The sooner a company detects their weak spots and protects against them, the better it is themselves as well as for those depending on them (clients or employees). To resist attacks, one must carefully think about potential weaknesses within their business premises; they need to know what would happen if an attacker manages to get inside their building without being noticed. For example, what if a fire suddenly breaks out? Or what would happen if a perpetrator invades the building to steal goods and personal data?
What are physical penetration tests exactly?
The physical penetration test is an assessment conducted by a third party company to identify security risks. This assessment aims not only to verify the existing level of physical security in a company but also to assess its potential weaknesses and possible countermeasures that can be carried out.
Here are some examples:
– A bank transfers money from one branch to another every day – you can guess how much sensitive information it contains! Risk analysis should include all data elements associated with such operations to predict any possible threats that may be used against them (such as robberies).
– Companies often have competitors or business partners who’d like to obtain confidential information about their actions/plans/structure.
Physical penetration testing is carried out by security experts who assess how secure a given place or object is. This type of testing determines which doors, windows, and other entrances can be broken into, whether fire alarms can be deactivated without setting them off, and other potential risks that may arise during an attack. If you feel uncertain about your company’s protection against burglars or other criminals, take advantage of this kind of test – it will help you identify all weak spots in your business premises so you’ll know where to start from when strengthening security.
Physical Penetration Testing Methods and Examples
Support your company’s resilience against cybersecurity threats with a comprehensive plan that includes physical penetration tests. Physical penetration testing methodology involves test cases based on the scope and context/environmental elements. It could change for every project, for instance, tailgating may be possible at one location and lock picking is a way for another location.
To view a concise version of this article, we invite you to watch our video on the same topic.
Tailgating into a facility
This happens when outsiders hide in another employee’s car or vehicle until they reach their destination or enter behind someone else who has legitimate access. Sometimes it is just a matter of asking someone inside the organisation to let them in once they get close enough. Some even find a person getting off an elevator and follow them through the exit door. There are multiple ways based on the physical access controls and awareness of the security and staff onsite. In real crime scenarios, breaking through an open window or door is done tactically to avoid motion detectors.
Lock picking is an essential part of physical penetration testing. Testers should look for locks that are most often improperly installed or not used and try to open them. Most popular tools include tension wrench or torsion wrench used to lockpick mechanical locks.
Flash drives can be plugged into USB ports when employees don’t realise it, allowing a test hacker to control computers by using malware-loaded flash drives.
Blowing up cameras or other computer equipment is too suspicious and leaves people with no doubt about what has happened.
A penetration tester clones RFID badges and uses them to get into areas they shouldn’t be in. Criminals can walk up to the door and use a hidden RFID reader to steal employee access. They can then clone the stolen card ID using appropriate equipment, such as an off-the-shelf RFID cloning device. Then, they’ll be able to gain access into secured facilities without risk of detection
Other common methods:
The following methods are commonly used during physical penetration tests.
- Access Control Bypass – Penetration testers look for ways to get past the physical security controls in place, including setting off motion-activated alarms from the outside, using a tool to open doors from the inside or other various methods.
- Bypassing a human firewall – Various checks are included to observe the employee awareness against walks around the facility (different locations include data center, server rooms and sites), open access areas such as kitchen, cafe, reception areas, waiting areas, after-hours check-in.
- Network access – Attempts to access the internal network bypassing security controls, including business-critical assets, once initial access is achieved. It would include access through common areas, meeting rooms, conference halls or places with network access.
- Sensitive data discovery from open areas, desks or other information troves with papers, sticky posts and other visible stationery with sensitive information.
- Dumpster diving is another sub-set of physical penetration testing. In case the organisation has disposed of sensitive information, it might still be found in nearby dumpsters. A dumpster diver can easily access the documents and get a head start on penetrating the network even if it’s currently secure. The most common items found during these tests are papers with passwords and personal information such as addresses or home phone numbers needed to conduct social engineering attacks. Other various remnants from lunchtime meals, sticky notes with phone numbers or emails, business cards left behind by people who have visited your facility. You will also find out how well-disciplined employees are when disposing of this type of paper waste from a quick test.
Social Engineering and Physical Penetration Testing
Social engineering is the most successful attack vector in this methodology. Physical access control assesses how easy it is for an unauthorised person to obtain access to a company’s premises. This type of test determines whether employees can gain access to sensitive areas or not. Social engineering, on the other hand, helps assess staff awareness about phishing. This test is used to predict the effects of deception on a company’s physical security and IT security. Therefore, social engineering is one of the sub-sets of physical test methodology and is used as an attack vector.
Social engineering tricks such as spoofing to bypass initial entry restrictions. Security experts may trick the security pretending to be delivery driver, pest control, janitor/housekeeping or facility maintenance, staff.
Physical Penetration Testing is an attack that bypasses physical security controls to uncover vulnerabilities and weaknesses of both people and technology to provide recommendations for secure design. Another term used for this type of testing is Social Engineering PenTesting or human hacking.
Social Engineering is an attack technique that involves manipulating people into performing actions or divulging confidential information. Phishing, spyware or spoofing are some examples. Unlike technical attacks where malicious code infects the system itself, social engineering focuses on human psychology, specifically on how targets think and behave. This exercise involves several items:
- Identifying physical access points, including windows, doors, vents and attics.
- Gaining entry into a facility by forcing open windows or doors, breaking locks or removing handles from exterior doors to gain entry at various critical areas. In some cases, even vehicles can be used to gain access inside the facilities.
- Forging identity badges (ID) with which one can easily move around as an authorised person, e.g., Doctors, service providers etc.,
- Social engineering methods to penetrate security perimeter and reach restricted areas of the organization such as server rooms like a reception area or back office where security is less evident and less guarded. At this point, it would be easy to identify and compromise the physical assets, i.e., laptops/servers etc.
Other methods include:
- Figure out what type of key system is used in an office space or a building, e.g., magnetic keys vs ID cards or some other technology such as biometric authentication like fingerprint scanners at various critical locations that require high-level authorisation to get full control over resources within the physical perimeter
- Once you have identified the entry points, either via social engineering techniques or physical methods, you will collect information on the access permissions of designated personnel.
The scope of work for physical penetration testing can be a part of a larger scope of work for an overall penetration test and is typically broken up into sub-sections called “tasks”. Typically, the person who creates the scope of work will specify what level of access to physical areas and internal network resources are required to fulfil the tasks. Physical security professionals or facilities managers may also define the boundaries or perimeters within which testers have to accomplish assigned tasks.
Physical Penetration Test Tools
The tools used during physical penetration testing to bypass security controls include:
- RFID Cloner that can fit in a laptop bag.
- Lockpicking toolkit with tools such as tension wrench used to lockpick mechanical locks.
- Radio devices/GPS/Phones based on the target site need to communicate outside with the team.
- Camera for taking high-quality photographs and record any evidence/supplemental information during and after the reconnaissance phase.
- Binoculars for OSINT, gathering information from a distance that sets the ground for attack layout. It is an input to social engineering attacks.
- Network equipment such as USB hub, wireless access point, cables is some of the common equipment required at all times.
How to protect against RFID cloning attacks?
An RFID cloning attack is when someone copies the RFID information from a proximity card and uses it to make their own card that accesses the same protected space. One way to prevent this is by shielding your proximity card with a metal enclosure or metal screen. Another way is to cover the radio frequency of the signal when you’re not using it to prevent an attacker from intercepting its data. The best way, though, is not to let your card out of sight or use it at all.
The best way to defeat RFID attacks would be the use of multi-factor authentication. This could be a combination of an RFID badge, fingerprint or another factor of authentication.
How to protect against tailgating?
The best way to protect against someone tailgating through the door is for employees to close it behind them. However, the most important thing about these measures is that they apply equally well to customers who are not wearing a proper logo badge. Utilise digital advancements such as video surveillance as an additional layer of defence with physical security controls.
How to stop lockpicking attacks?
There are several ways to prevent lockpicking. Firstly, using the highest level of physical security for which your building is designed will obviously thwart attempts on windows and doors (such as gaps between frames and doors/locks). Next, many buildings hire a private security team that patrols throughout the shopping centre or office park.
How can you protect against shoulder surfing?
Shoulder surfing is when someone tries to look over your shoulder as you use your key card or PIN code for authentication. There are a few steps you can take to pre-empt this: firstly, change your PIN to something random that doesn’t give away anything about yourself; secondly, keep an eye out for anyone who looks like they’re trying to get hold of it by watching people as they enter their PIN s; and thirdly, place your hand over the key or card reader as you enter the PIN.
How can you protect against spoofing?
Spoofing is when someone tries to use a fake ID to gain access to sensitive areas (i.e. bypass security) to perpetrate an attack such as planting malware on a computer system or stealing records. This type of attack doesn’t have specific countermeasures – it’s all about ensuring that whoever is checking IDs does so correctly and also making sure that any internal policies are uniformly enforced so that people don’t get away with using an expired visa card because someone else lets them through the door just this once.
Many businesses overlook physical security as the entry point for malicious actors because most attention goes to securing digital assets using digital mechanisms only. It includes penetration testing, security operations centre, security products and solutions to monitor network traffic. The effectiveness of physical security can only be measured after validating the controls in place and working on the gaps to prevent potential risks that could help attackers gain access to your premises.
When conducting a physical security assessment or penetration test, business owners and executives can understand the specific risks to their assets that could be gained through a breach of their physical environment.
A formalized method of evaluating vulnerabilities and remediating them should be put into place to protect your organization. Documenting findings is essential for future reference to build up a plan of attack against cybersecurity weaknesses.
Harman Singh is a security professional with over 15 years of consulting experience in both public and private sectors.
As the Managing Consultant at Cyphere, he provides cyber security services to retailers, fintech companies, SaaS providers, housing and social care, construction and more. Harman specialises in technical risk assessments, penetration testing and security strategy.
He regularly speaks at industry events, has been a trainer at prestigious conferences such as Black Hat and shares his expertise on topics such as ‘less is more’ when it comes to cybersecurity. He is a strong advocate for ensuring cyber security as an enabler for business growth.
In addition to his consultancy work, Harman is an active blogger and author who has written articles for Infosecurity Magazine, VentureBeat and other websites.