In this episode of the Managing Uncertainty Podcast, Bryghtpath Principal & CEO Bryan Strawser takes a look at using physical security penetration testing order to improve and mature the physical security of a facility or organization.
Topics discussed include physical security penetration, red teaming, authorizations, tools, techniques, and more!
In addition to this episode, this article from our blog providing an overview of Physical Security Penetration Testing may also be valuable.
Bryan Strawser: Hello, and welcome back to the Managing Uncertainty Podcast. This is Bryan Strawser, principal and CEO at Bryghtpath, and I’ll be solo on today’s episode where we’re going to be talking about physical security penetration testing or red teaming, and I want to give a little bit of background as we get into this topic.
What we’re really talking about here is understanding the physical security vulnerabilities of a facility or an organization kind of writ large, looking at multiple facilities. As we think about how to protect locations like this, a lot of security breaches, even information security breaches, occur when attackers take advantage of some type of physical security deficiency or vulnerability that lets them gain unauthorized access. This is really common with disgruntled ex-employees or sophisticated crime rings or some other nefarious entities who will employ sophisticated attack techniques and methods to exploit those vulnerabilities, those deficiencies, to gain unauthorized access to a company’s assets and facilities.
Bryan Strawser: Once they’ve breached into that trusted environment, they can then steal hard assets, so physical objects, cash, other remittance capabilities. They can take intellectual property, they can install equipment that acts as an advanced persistent threat in a physical sense, and it can otherwise cause serious disruption to your organization. When we think about the physical security of a facility, we often don’t always realize the misconceptions that might be in place. For example, large manufacturing and distribution organizations, facilities rather, often have fencing, and on that fencing, they may install surveillance equipment, CCTV or something similar, but if that feed is not monitored and those alerts are not reacted to, then it is very easily and quickly able … You’re very quickly and easily able to penetrate that facility because what you have instead is a record of what has happened rather than a tool that has helped you keep the bad guy out of your facility.
Bryan Strawser: A lot of organizations, it’s astonishing, but many organizations are just not aware of the blatant flaws in their physical security approach until something happens.
Bryan Strawser: So that’s what we want to talk about today is how physical security penetration testing can help you detect vulnerabilities in your security systems and your approach to defense in depth from a physical standpoint and how we’re able to use physical security penetration to test and probe that.
Bryan Strawser: So the objective of physical security penetration testing is to assess the ability of current physical security controls to prevent penetration by bad actors and then testing those controls to determine their efficacy, how well do they work. We do this by this red team concept of using trained and experienced individuals who know how to infiltrate secure environments, employing the kinds of tactics and techniques that accomplished attackers use. So what we’re doing here is you’re having red team members, which could be a consulting organization like ours or it could be an internal red team who really act and think like the bad guys.
Bryan Strawser: They try to tailgate employees. they tried to enter secure facilities through social engineering. They try to circumvent alarms and disabled cameras, or they may use other methods depending upon the type of security measures that are being utilized by a facility.
Bryan Strawser: So a practical example, a few years ago, we were engaged in a physical security evaluation of a corporate headquarters facility here in the Midwest with a healthcare clients, and one of the things that we noticed during our initial tour of the location and our observations on that first visit is that there was a shared loading dock at the facility of about eight or nine doors, and any delivery agency was able to gain access to those doors. They were often left open. There was this common dock. Beyond the dock, there was a common back hallway that went to all of the buildings’ tenants, and most of the buildings’ tenants, the larger organizations anyway, had a mailroom entrance that was off of this back hallway, including our client.
Bryan Strawser: So we noticed, looking at the back hallway, that the door to the mailroom for our client was propped open. So we simply came in there one day dressed as a UPS driver in just a brown outfit. It didn’t actually say UPS, and we just walked through that mailroom door and we walked right into the corporate headquarters of this facility. In fact, we were deposited right outside of the executive suite, so we had gained access to the building without ever once being checked whether or not we were supposed to be there and we had done this in broad daylight, at 8:30 in the morning. That door to the mailroom was supposed to have been kept closed. There was a video intercom that was there and they were supposed to identify the driver, so the process and the equipment were correct. It wasn’t being followed and, by that, we were able to gain access into the facility.
Bryan Strawser: Another example from the same client is the case of we were in the building, having gained access through a similar social engineering method, through the front, actually through reception. We were touring the building on our own and we happened to enter what was the data hall. They had a small data center. We entered this data center because we were able to bypass the access control on the door because there was a gap between the door and the door frame, and we were able to jimmy that using some basic tools, like a screwdriver, and we get into the data hall, and now we have access to some servers and et cetera. What we found is that security was actually alerted because we had opened the door. They sent an officer, two officers down. Those officers found us, and we just acted as we belonged there, and they backed off, and we continued with our tour.
Bryan Strawser: To their credit, the supervisor said, “No, wait a minute. No, you need to bring them up here. We need to talk to them and find out what exactly they’re doing and I want to verify their visitor access,” and the guards came back and escorted us upstairs and then we had to give up the ghost that, “Well, no, actually, we’re conducting physical security penetration testing, here’s our authorization letter,” and et cetera.
Bryan Strawser: So those are just two examples of what this starts to look like.
Bryan Strawser: What red teams are trained to do, what you want to be able to do is bypass and elude detection from equipment like closed-circuit television cameras, keypad interlocks, motion sensors, wireless intercoms, video intercoms, deadbolt locks, door and window locks, steel security doors, remote entry gates, and the list goes on and on and on.
Bryan Strawser: When you’re doing physical security testing, physical security penetration testing, you want to be pretty rigorous about this. You want to probe the various layers of the physical security defenses that the company has put up.
Bryan Strawser: Things you want to look at are, can you circumvent physical access controls, like alarms, CCTV, locked doors, and access prevention devices? Can we piggyback on an employee, for example, who uses a door code or a proximity card to gain access to the building? How long can you wander around the building before you’re detected? When you’re detected, what do they ask? Do they actually stop you from proceeding further? What happens after hours? Are the same security protocols followed after hours, and are there ways to social engineer that differently? What happens if you make phone calls and start digging around, doing classic social engineering, trying to gain information about how to access the facility? What if you show up with a delivery and say you’re here to deliver something important and see if they let you in to go deliver that item, particularly to an executive or somebody who might be a target if there was to be nefarious activity at the location?
Bryan Strawser: So these are examples of the kind of things that you want to probe during physical security penetration testing. Couple things to keep in mind in this process, you should have some type of letter of authorization from a senior security officer, like the chief security officer or from another leader in the organization so that if you are stopped by police or security, you’re able to explain what it is that you’re doing and provide proof of that authorization.
Bryan Strawser: I would also counter that you want to be careful in your approach to this, if you happen to have security officers at the facility that are armed with lethal or non-lethal technology, firearms or tasers or chemical spray because you don’t want to get shot, you don’t want to be tased, you don’t want to be sprayed with a chemical spray or OC spray in the process of your physical security testing. So proceed carefully if those things are in place at the organization.
Bryan Strawser: Then think about the tools that you may want to use. We have found that using small drones is very helpful with this to get the lay of the land from a physical standpoint. Sometimes the drones can be useful to distract security if you’re trying to gain access to the perimeter or at least to get a good view of what’s going on and then use that as a part of your plan to gain access or attempt to gain access to the location. We just use a commercial or rather a consumer, grade off-the-shelf drone from DGI. We use the Spark 2 I believe is the model that we’re currently using. It’s relatively small, very fast, has a great 4K camera stream that you can watch and take photos with.
Bryan Strawser: So those are some examples of how physical security testing, physical security penetration testing, can help you in your business. If you need help in this area, Bryghtpath has conducted physical security penetration testing for many Fortune 500 organizations across several industry sectors. We provide detailed reporting on opportunities paired with clear-cut recommendations to help you improve the safety and security for your assets team and facilities.
Bryan Strawser: That’s it for this episode of the Managing Uncertainty Podcast. We’ll be back next week with two episodes, our [Bryghtcast] episode, looking at two or three hot topics and events in recent news that impacts the private sector, and a deep dive into a process topic later in the week. Thanks for listening. We’ll see you next week.