While companies worldwide continue to focus on incorporating security controls to safeguard computer systems from hackers, physical security should never be dismissed as a lesser problem. Many security breaches occur when attackers take advantage of one or more physical security deficiencies. Physical security penetration testing is one approach that organizations can use to improve their security controls.
Disgruntled ex-employees, crime rings and other nefarious entities employ sophisticated attack techniques and methods to exploit these deficiencies when attempting to gain unauthorized access to a company’s assets and facilities. Once they have breached a trusted environment, attackers may steal hard assets, intellectual property or otherwise cause serious disruptions to a company.
Physical security of a facility is particularly open to multiple misconceptions that could be devastating. For example, installing surveillance equipment around a secured site but failing to monitor the feed or implementing security devices that are easily and quickly avoided by adept social engineers. It is astonishing that many companies are, for the most part, unaware of blatant flaws in their physical security approach until a disaster happens.
But how can a company predict which physical controls are inadequate or missing altogether before the worst happens?
All Facilities are Vulnerable to Physical Security Breaches
Businesses of all sizes may have state-of-the-art security devices, armed guards and strong security policies established but none of that makes a difference when bad actors use verbal deception or piggyback/tailgating techniques to access a facility. Once they have infiltrated unauthorized areas, intruders are free to do actions that could seriously disrupt business operations, ruin a company’s reputation, commit industrial espionage or harm individuals working at the facility. In some cases, business owners may not realize they have been compromised by intruders until days or weeks later. By then, so much damage has been done the business may suffer enough financial damage or notoriety that it does not survive the attack. A few companies may not even inform the proper authorities after learning their physical security devices have been penetrated because they fear backlash from stockholders or employees.
Physical Security Penetration Testing – Why a Red Team is Essential to Your Company’s Overall Security
Physical penetration testing provides real-world exploratory trials of how effective a company’s physical security methods are with protecting equipment, data, and personnel. After discussing your methods with a security consultant, your site will be inspected by professionals who carefully evaluate and note vulnerabilities open to exploitation by attackers.
Primary objectives of physical penetration tests include assessing the ability of current physical security controls to prevent penetration by bad actors and actually testing these controls to determine their efficacy. Physical penetration testers, known as a Red Team, are highly trained, experienced individuals who know how to infiltrate secure environments employing techniques accomplished attackers use. Leveraging their experience to target a company’s most critical security issues, Red Team members act and think like intruders by tailgating employees, attempting to enter secure facilities by talking to employees, circumventing alarms or disabling cameras. Other methods may be used to gain access to a facility depending on the type of security measures utilized by a facility.
Red Teams are trained to elude detection from one or more of the following security devices:
- CCTVs (closed circuit television cameras)
- Keypad entry locks
- Wireless intercoms/video intercoms
- Motion/sensor detects
- Single or double deadbolts
- Door and window locks
- Steel security doors
- Remote entry gates
Physical Security Penetration Testing and the Red Team
Physical security penetration Red Teams exceed standard exploitation vehicles used by most companies. Instead of relying on tool-based approaches, a Red Team develops unique attack situations leveraging manual and automated procedures. In addition, Red teams excel in developing programs to fit a company’s security needs at costs accommodating that company’s budget for such expenditures.
Although advanced persistent threats (APTs) is a term commonly referring to cyber attacks, it also specifies attacks involving intruders gaining access to a supposedly secure facility and remaining undetected for extended periods. Physical security penetration testing safeguards against ATPs known to target financial, manufacturing and national defense industries containing sensitive military plans, intellectual property or top-secret data valuable to intruders hired by other companies to perform stealth work.
Acting as a highly cohesive squad of experienced physical security testing experts, Red Teams develop and conduct their exercises using evidence-based TTP (Tactics, Techniques, and Procedures) mimicking today’s seasoned attackers.
Physical security penetration testing performed by a skilled Red Team rigorously test the ability of an organization’s existing security methods. Red Teams also determine if:
- Alarms, CCTV, locked doors and other access prevention devices can be circumvented. How easy is it for an intruder to piggyback an employee who inputs a door code to gain access to a building?
- How long an intruder can wander around a facility before they are detected or before anyone questions who they are, what they are doing and how they entered the facility
- Security policies are adhered to after the facility has closed for the day. In any physical security system, the weakest aspects almost always involve the human element
- Do telephone calls to a company’s front desk or other guest point screen callers who may be pretending to be an employee or contractor? How easy is it for someone to show up with a package, claim they are delivering something important and allowed to access sensitive areas of a facility?
During physical security penetration testing conducted by a Red Team, employees do not know testing is underway. Necessary for the Red Team to gauge real-life responses to an attempted unauthorized infiltration by an intruder, this exercise mimics classic behaviors used by proficient attackers. Organizations employing cybersecurity techniques would also benefit from using a Red Team to discover inefficiencies that exist outside their computer networks.
Physical security penetration testing exercises could continue for several days or several weeks, depending on the size of the company and if additional gaps continue to be uncovered by the Red Team. Many organizations engage in multiple penetrations testing two or three times per year. Security consultant teams also collaborate using chained, multi-vector attacks, multiple actors, exploiting all known attack paths and using nearly any means to accomplish their mission–preventing lethal threats from infiltrating an organization.
Podcast Episode on Red Teaming
In addition to this article, you may find Episode #57 of our Managing Uncertainty Podcast to be a valuable listen. In this episode, I discuss the concepts of Physical Security Penetration Testing and share some specific examples from my experience.
Can we help you?
Bryghtpath has conducted physical security penetration testing for many Fortune 500 organizations across several industry sectors. Our experts have provided detailed reporting on physical security opportunities paired with clear-cut recommendations to improve upon those opportunities.
We’d love to learn more about your physical security challenges and how we may be able to assist you in maturing your approach. Contact us online or via phone at +1.612.235.6435.