Physical Security Penetration Testing

Penetration testing, commonly referred to “pen-testing,” is very common in the computer and network security world. Pen-testing is the active real-life process of testing, measuring, and evaluating security measures with the goal of identifying and exploiting security vulnerabilities so that security lapses can be corrected. In very simple terms, pen-testing involves hiring a team of trained operatives to thwart security and uncover and expose vulnerabilities.

Businesses often hire “ethical hackers” who attempt to hack into a computer network to identify security vulnerabilities. Can a firewall be defeated? Can passwords be beaten? How easy is it for a malicious virus to be introduced into the system? This is the type of invaluable information that network security professionals need to know to create more resilient networks. But penetration testing is not just for computer networks.

Long before “pen-tests” became common place in network security it was used to test physical security policies and practices, physical security controls, and the level of security awareness in businesses and organizations. It has proven so effective that the Federal Aviation Administration, the Department of Homeland Security, and other government agencies use “Red Teams” to attempt to penetrate physical security at airports, nuclear facilities, and other high-level facilities. For a deeper understanding of the federal government’s use of security penetration testing, refer to Red Team.

What You Don’t Know Can Hurt You

Your business can have the most sophisticated electronic locks, high-tech surveillance cameras, armed guards, and good security policies and procedures, but that does not make the slightest difference if someone can use tailgating or piggyback techniques or deception to gain access to your offices, warehouses, or other buildings. Likewise, if an intruder can use ruses and social engineering techniques to scam or “charm” their way into unauthorized areas they are free to commit theft of physical or intellectual property, industrial espionage, and do any number of other “bad things.” The harm that can occur to your business is immeasurable. Often, when this type of security breach occurs, you do not hear about it. The business is so embarrassed that they do not even call the police for fear that it will become public.

Physical security penetration testing for private business tests the real-world effectiveness of your existing security and can answer questions like:

• Can physical security controls like locked doors, surveillance cameras, and alarms be circumvented? For example: if an employee enters a door code how easy is it for an unauthorized person to “tailgate” or “piggyback” the first person inside?

• Once an unauthorized person gains access to your business, how long can they wonder around your offices, warehouses, or other facilities before someone even bothers to ask the person who they are and what they are doing?

• The weakest point of any security system is often the human element. Are your security policies being followed after hours? Are adequate measures in place to detect an intrusion?

• Will a phone call to the front desk pretending to be an employee, or showing up at the front door with a package, get a clever intruder through the front door and maybe even into a sensitive data center?

Consider this real-life example:

While performing a pen-test to test after hour security of an office building, an operative dressed in a nice business suit walked into the lobby during normal business hours. Noticing a display of business cards at the reception desk the operative pocketed a few cards and asked if the company was hiring. When the receptionist said they posted all their job openings on the company website, the operative politely said “Thank You” and walked out of the building.

The operative then spent several nights covertly watching the building from across the street and observing behaviors and those coming and going – just like a real person with nefarious intent could do. The operative noticed that between 10:00 and 10:30 each night, a janitorial service arrived at the office building to clean the offices. Armed with the business cards, and wearing his suit and now carrying a briefcase, the operative walked to a back door and started knocking loudly and repeatedly on the door. A few minutes later, one of the cleaning crew looked out the window next to the door and the operative displayed one of the cards obtained from the reception desk. The cleaning person opened the door and the operative persuasively explained that he left his keys in his office as he stepped inside. The cleaning person was not sure what to do, but because the operative seemed “legit” the cleaning person let the operative enter the building to go to “his” office and get his “keys.” The operative then spent the next 30 minutes wondering the building and could have gained access to many sensitive areas. On his way out the operative thanked the cleaning person for helping him get his keys.

This pen-test revealed a serious flaw in after hour building security that the building manager had never contemplated. As a result, new security protocols were developed and cleaning personnel received enhanced security training. This is just one real-life example of how a rather simple pen-test uncovered a security vulnerability that could have resulted in grave damage to a company.

Physical security penetration testing is not for every business

But if you really want to know how well your security policies, practices, and controls will perform under real life intrusions or espionage attempts, penetrating testing will positively give you the knowledge you need to reduce your security vulnerabilities – knowledge that cannot be obtained by any other means, unless you wait for a loss to occur.

Physical security penetration testing is a very specialized field. To be effective it requires well trained operatives, meticulous planning, and well defined goals and parameters. It also requires a thorough understanding of the human and legal aspects of conducting a “real life” security test. Babnick and Associates is one of the few companies in the Northwest that is knowledgeable in and has the ability to provide physical security penetration testing for private businesses. A penetration test can be tailored to your individual needs and can be comprehensive or limited in scope. For example, sometimes just finding vulnerability in a particular location is sufficient. Whatever your needs, when you really want to know how your security systems will perform in real life, Babnick and Associates will work with you to develop a program to meet your needs.