PHYSICAL PENETRATION TESTING (PPT)
• To identify any weaknesses in the physical securityof a company.
• To prove the current systems.
What is it that needs protecting?
WHAT IS A PENETRATION TEST?
A PPT is a simulated attack against your company’s securitydefences. It is designed to replicate an attack to see if your securitycan be compromised. The primary aim is to identify securityweaknesses before real attackers have the chance to. Oncesecurity weaknesses have been identified, your organisation canstart treating the associated risks.
An example attack may be to target a specific service, processor operation within your business, site or plant by using ‘socialengineering’, or ‘deception’ e.g. an employee holds a secure dooropen for visitor or someone they do not know, but that personlooks like they should be there, inspector, auditor etc, so what isthe harm? ‘Tailgating’ as it is known, is a simple method ofbypassing building security systems or following employees tolunch, eating near them, and taking notes.
Why conduct a PPT?
A PPT identifies the security weaknesses and strengths of a company’sphysical security. The goal of the test is to demonstratethe existence or absence of deficiencies concerning physicalsecurity. Penetration testing should be considered an important part of any ongoing security programme. These tests can be particularlyuseful in attracting the attention of senior management.The results of a penetration test can show the organisationalwide consequences of a breach and help to ensure buy-in fromall levels of the organisation.
Remember “an ounce of prevention is worth a pound of cure”Organisations typically conduct PPT with the aim of identifyingvulnerabilities which could result in some form of loss. Loss maybe specific to each business but there are some forms of lossthat can apply to all businesses.
Immediate financial loss is obvious in the case of an attack toremove money or stock from an organisation. However, therecan also be indirect costs associated with a security incident. Forexample, the cost associated with increased insurance premiumsor the costs of possible regulatory breaches which could run intotens, if not hundreds, of thousands of pounds.
Losses are not just financial. An organisation can suffer significantreputation damages particularly in the food, pharmaceuticalsand IT industries. A security breach could lead to a decreasein client trust which could then lead to a drop in sales.
PPT is typically conducted using a structured approach aroundthe following key phrases:
• Enumeration (listing of findings one by one)
• Vulnerability Mapping
Each phase feeds into the next making it an integrated process.
The discovery phase can be thought of as reconnaissance. Thediscovery process will aim to map out the attack for the test. Thediscovery phase will highlight possible attack vectors based onthe information gathered.
The enumeration phase will gather more detailed informationabout the information gathered in the discovery phase such asdetail of sensitive/vital information, product, systems and staffthat can directly and/or immediately affect the operations of anorganisation including access, information, product, systems andstaff.
The vulnerability mapping phase will attempt to identify weaknessesin the services/systems/procedures/facilities enumeratedin the previous phase.
Once sufficient detail has been obtained, the tester can identifyweaknesses in the service/system/procedure/facility being testedThis information can then be fed into the final test phase,exploitation.
The exploitation phase is designed to demonstrate that a securityweakness exists and can be used by an attacker. The testeraims to compromise the system using a weakness identified inthe previous phases, i.e. the testing officer could obtain unauthorisedphysical access to a facility using non technical means.
The final and most important deliverable to an organisation whohas commissioned a penetration test is the final report. The finalreport is so significant because it conveys and documents thesecurity risks identified during the test in a way that is meaningfulto the organisation.
A PPT report is likely to be read by senior management downthrough to junior managers who are responsible for remedialchanges. A good PPT report will provide information for all theintended audience types.
WHAT TO CONSIDER WHEN BEING PPT?
When an organisation decides to conduct a PPT there are severalkey points to consider prior to the commencement of the test:
• Use an independent security provider. They will be immunefrom internal distractions and are focussed on the key issuesof your security.
• Seek demonstration of providers’ experience. Provenexperience will help to understand the providers’ capabilitiesand will provide confidence in the providers’ abilities.
• Ensure the testing provider utilises proven stingmethodologies. Proven testing methodologies ensure thatthe tests being conducted will produce consistent and reliableresults.
• Never utilise penetration tests as a substitute for an holisticsecurity programme. A penetration test is an important partof your security programme, not a substitute for one.
A well planned PPT can help an organisation identify their securityvulnerabilities. This pro-active approach can help identifyrisks before malicious attacks occur and protect an organisationfrom post attack fall-out.