Let’s get Physical

As anyone who has ever worked in Information Technology, something we are all aware of is Penetration Testing. Usually, the first thing that comes to mind is making sure our Vulnerability Scanners are up to date, and appropriate measures have been taken to Mitigate Risks against our Network.

An often misunderstood part of the Penetration Test is the Physical Portion during Phase 1: Reconnaissance

Organizations tend to check the following boxes for the Physical Penetration test:

  • Doors Locked
  • Alarms
  • Cameras
  • Security Guard
  • Badge to Enter the Building

While these are fantastic countermeasures, they are not the full scope of Physical Protection.

Here are some other things to keep in mind a hacker\attacker may attempt during Physical Recon.

1. Act like they Belong – Someone who is trying to gain access will act like they are supposed to be there.

  • They will Have a Uniform (i.e. Disguised as a Maintenance Worker)
  • Pretend they Know People in the Office or Walk in and say they are a New Hire

2. Have a fake Badge. (Check out this 2017 Mashable article about Badge Cloning)

  • The attacker could have Cloned or Stolen and Employee Badge
  • Bribed or Black Mailed a Security Guard or Employee (Verify your Hires by using online services like Spokeo )

3. Pick your Locks

  • Once Attackers gain Access to the Building our Security Mechanisms tend to be Weaker and businesses a lot of time use cheap door locks for offices.

4. Dumpster Dive

  • It may seem overkill, but shred everything! (Sticky Notes and Notepads too.) Use a crosscut shredder, and before tossing it in the garbage, soak it. Soaking finely cross cut paper is the second best way to destroy it, besides burning it.

5. Work Events

  • The company just landed a huge contract or it’s the holidays and everyone wants to celebrate. What better way to do a bit of Intel Gathering than chat up some drunk people?
  • Have someone check off a guest list on who is there is supposed to be there.

Penetration Testing is not just about protecting your assets, but the people you hire, too. Keeping people in mind when protecting your business, will help ensure your success, and prevent easily overlooked mistakes.

Good Luck, and until next time #dontcodealone it’s dangerous!