cereallkiller / Physical-PenTest-Methodology

Basic guide for performing a Physical PenTest - Nist 800-12, 800-53, 800-115, 800-152

Physical-PenTest-Methodology

What is a Physical PenTest?

breaking into your organization. Physical threats that can be simulated include bypassing door locks, stealing devices, or using social engineering to convince an employee to let the tester into a server room. While many businesses do an excellent job of protecting their network and applications against remote cyber-attacks, far fewer consider the risk of a physical attack on their locations.

Physical PenTest Benefits

The primary benefit of a physical penetration test is to expose weaknesses and vulnerabilities in physical controls (locks, barriers, cameras, or sensors) so that flaws can be quickly addressed. In addition, physical penetration tests mimic real-world scenarios to demonstrate what impact a malicious actor can have on your systems.

Physical security penetration testing, when performed properly, will strengthen your security defenses and allow you to focus on the digital side of your security. It makes no sense to spend millions of dollars on security tools if an attacker can walk into your company buildings and slip out unnoticed.

Rules of Engagement

The Rules of Engagement (ROE) list the specifics of the penetration testing project so that both the client and the engineers working on it know exactly what is being tested, when it is being tested, and how it is being tested. Define the tests that will be performed on the target, the processes to follow, and the priority of the most important areas.

Methodology

Planning

  1. Gather Scoping Information After initiating the project, scoping/target information will be collected from the client. In the case of physical penetration testing, this information will include the addresses of target locations, compromise goals to help us focus our attacks, and information that can help us prevent issues, such as areas of the building that are off-limits and alarm instructions.

  2. Review Rules of Engagement This process will involve a brief meeting with the client to review and acknowledge the penetration testing rules of engagement, confirm project scope and testing timeline, identify specific testing objectives, document any testing limitations or restrictions, and answer any questions related to the project. Additionally, the client will sign a “Get out of Jail” card that the test team can use to show they are authorized to be testing, should they be caught.

Execution

  1. Reconnaissance Once the test has officially begun, a start notification will be sent to the client. The first phase involves gathering as much information about the target location as possible. This starts before the engineers are on-site: they search open-source intelligence for anything that helps them blend into the environment, such as the normal attire of employees, whether employee badges are visible in public photos (so a look-alike can be made), the egress routes visible on Google Maps, and the restaurants employees favor, where a badge could be read at close range. Further reconnaissance is conducted once the engineers are on-site. During this time they identify the various ways to enter the building, conduct traffic pattern analysis, and evaluate the physical security controls visible from outside the facility.

  2. Threat Modeling For this assessment, the threat modeling phase evaluates the different attack vectors that may lead to accessing the building. The types of attacks and the likelihood of these threats materializing inform the risk rankings/priorities and outline the attack plan going forward. In a typical physical penetration test, the goal is to identify the level of risk to an organization. As such, Triaxiom will start with the attack vector that carries the least risk of detection. Once they gain access, if they remain uncaught, they will exit the building and try a different attack vector a few hours later. Each successive attack is slightly less sophisticated until the engineer is caught. This allows the organization to quantify the level of risk it is carrying.

Post Exploitation

After successfully gaining access to a facility, Triaxiom will continue to take actions to evaluate and demonstrate the risk. Some of the areas evaluated after gaining access include:

  • Network Access Controls – Can Triaxiom gain access to the network and elevate permissions?
  • Clean Desk Policy – Can Triaxiom find information that would be detrimental to the company if it fell into the wrong hands, such as passwords or written-down credit card numbers?
  • Employee Challenges – Triaxiom will walk around the facility and see whether employees challenge a visitor they don't recognize.
  • After-Hours Access – Triaxiom will attempt to remain in the facility after all employees leave for the day.
  • Sensitive Area Access – Triaxiom will attempt to extend their access to other sensitive areas within the facility, such as a datacenter or server room.

Post Execution

  1. Reporting After completing the active portion of the assessment, Triaxiom will formally document the findings. The output provided will generally include an executive-level report and a technical findings report. The executive-level report is written for management consumption and includes a high-level overview of assessment activities, scope, the most critical/thematic issues discovered, overall risk scoring, organizational security strengths, and applicable pictures from the assessment. The technical findings report, on the other hand, lists every vulnerability individually, with details on how to recreate the issue, how to understand the risk, recommended remediation actions, and helpful reference links.

  2. Quality Assurance All assessments go through a rigorous technical and editorial quality assurance phase. This may also include follow-ups with the client to confirm or deny environment details, as appropriate.

  3. Presentation The final activity in any assessment and the last step in our physical penetration testing methodology is a presentation of all documentation to the client. Triaxiom will walk the client through the information provided, make any updates needed, and address questions regarding the assessment output. Following this activity, we’ll provide new revisions of documentation and schedule any formal retesting, if applicable.

Threats and Vulnerabilities

Threat 1: Tailgating Most workplaces are secured by some type of access control, whether a locked door or a swipe-card access point. These physical security measures are, unfortunately, easily overcome by a determined attacker.

What is tailgating? Tailgating is when an unauthorised person follows an authorised person into a secure area.

This happens naturally as groups of people pass through a door: only the person at the front presents identification or swipes a card, and everyone behind simply follows, making it easy for an unauthorised person to get in without any difficulty.

Threat 2: Theft of documents Your office is likely to have papers and documents lying around in many places, from desks to printer stations. Sensitive documents can easily become unaccounted for - and fall into the wrong hands. Even if they are not taken from the office, a visitor could see information that you wouldn’t want them to see.

Threat 3: Unaccounted visitors If you don’t know who is or was in your workplace at a specific time, it is impossible to keep a high level of physical security. Unaccounted visitors pose a serious risk, as you will not be able to know if they were present if an incident occurs.

Threat 4: Stolen identification An access control system only works if everyone uses their own identification. If people are going in and out of your premises using someone else's identification, the result is the same as if you had no access control at all.

Threat 5: Social engineering Social engineering attacks can come in a huge variety of different forms. This is one of the reasons why it is so difficult to combat. Social engineering attacks rely on manipulating your employees, often using information that they have managed to gain to impersonate someone else, or abusing basic human empathy to gain access to secure areas and networks.

The following are a series of steps and methods you can take to perform a physical penetration test:

  1. Map The Entrances And Perimeter

Start by mapping all the possible entrances into the business in order to identify unsecured entry points. Attackers often find hidden or unguarded entrances to gain access into buildings. By mapping doors, windows and fire exits, you begin to define the premises you need to secure and that are susceptible to attack.

Mapping the perimeter involves conducting an in-depth analysis of your surroundings and buildings, and represents the equivalent of a reconnaissance phase, which is conducted in every other type of penetration test. Simply put, thoroughly mapping your perimeter will determine the direction of the entire physical penetration testing process and it consists of identifying doors, windows, roof type, basement access, your physical access policy and lock types.

  2. Lock Picking

Even today, one of the most effective ways to pass through doors and exits is lock picking. The main reason is that mechanical locks have not evolved much over time and many can be picked with a little training. The method is popular enough that the SANS Institute's physical penetration testing course ships with lock-picking tools.

Many businesses rely on electronic access control (card readers driving electric strikes or magnetic locks) to remove the lock-picking risk. However, the proximity cards used with many of those readers can be read and duplicated with little more effort than picking a lock, so the card alone is not a strong control. To make intrusion harder, consider readers that require a PIN in addition to the card.

This provides two factors of authentication: something you have (a card) and something you know (a PIN).

  3. Access Sensitive Information

Telephotography is the act of taking pictures of the inside of a building through windows at a great distance in order to view sensitive information on employee computers. Even though it seems farfetched, there are many business buildings made almost entirely out of glass windows that increase the risk for this type of attack.

Simply trying to take pictures of employee’s computers from outside the office will be sufficient to test if this attack is successful against your company.

  4. Test Server Rooms, Wires And Cables

Servers are the most critical part of any network and are usually given a higher level of attention when it comes to security. If an attacker gains physical access to your server room, treat the whole network as compromised: with hands on the hardware an attacker can plant devices, take systems offline, or walk out with your most sensitive data.

Most businesses either host their data and systems in cloud environments or own infrastructure that is housed in data centers. Because data centers host valuable websites and company data, they often require several layers of authentication to enter, including identification badges, PINs, and biometric scans. In addition, servers are kept in rack cages that require a key or PIN to reach the hardware.

If networking equipment is stored at the business's own location, consider adding layers of authentication there, or ideally move the systems to a data center or a third-party hosting provider.

When checking the physical security of your servers against damage and attacks, focus on three points: whether a server can be booted from a USB drive (firmware passwords and a locked boot order prevent this), what RAID configuration is in place, and whether surveillance cameras cover the server room. Access should also be logged and monitored so that you know who accessed what and when, and can hold people accountable.

  5. Test Fire And Cooling Systems

Checking your fire suppression and cooling systems is important to ensure the physical safety of server equipment if a fire or overheating occurs in the server room. Without them you risk a total outage of your servers, a loss of availability that no network-side protection (such as DDoS mitigation) can do anything about.

Ensuring these systems run properly will keep you safe in case of a physical hazard.

  6. Intercept EM Waves

An organization's data travels as electromagnetic signals, over wireless links and over copper cabling, and both can be intercepted. An attacker with physical access can attach a tap to a cable run, or place a receiver (such as a software-defined radio with a suitable antenna) near the target, record the signals and analyze them later.

This can cause significant damage through theft of sensitive information. If an attacker captures weakly encrypted traffic, they can take the data offline and brute-force the passwords or keys at their leisure. Cracking offline bypasses any account lockout policy, because no login attempts ever reach the authentication server.

The effective countermeasures are to protect cable runs and network closets physically, and to make intercepted data worthless by using strong, authenticated encryption in transit (modern TLS, WPA3 or WPA2-Enterprise for wireless, 802.1X/MACsec on wired links) with keys that are not derived from guessable passwords.

  7. Dumpster Diving

As the name suggests, dumpster diving involves looking through the business or its employee’s trash in search of any information that can be used to further penetrate the business’s defenses.

Paper documents, books, manuals, invoices, and bank statements are some of the things an attacker would look for in order to retrieve useful information. It is therefore important to use paper shredders for all documents that are being discarded. In some cases, you may wish to consider burning sensitive documents as software exists to reconstruct shredded documents.

  8. Break RFID Tags' Encryption

Radio-frequency identification (RFID) tags are often attached to portable assets so they can be tracked over radio and located in case of theft. With RFID tools an attacker can identify the tags and read the information stored on them.

To mitigate this, the tag's data is usually protected with encryption, but that protection can still be attacked. If the attacker can break or bypass the encryption, the tag's contents can be read and modified. Low-cost tags whose cryptography has been publicly broken are the usual weak spot, so check which tag type is actually deployed, not just whether "encryption" is advertised.

  9. Gain Physical Access (Tailgating)

Tailgating is a technique used to pass through secure entrances where only authorized personnel are allowed to enter. Attackers achieve this by following the person that is passing through the entrance and enter without credentials.

With this attack, the perpetrator often uses social engineering tactics to put pressure on the employee and enter the building without much questioning. For example, who wouldn’t let a guy whose hands are full of doughnuts into the office? If you look like you belong, then you belong. From that point on, the attacker can try and gain access to restricted areas by pretending to be an authorized person.

To prevent this type of attack, businesses deploy mantraps, or checkpoints inside the building, that prevent further access to unauthorized personnel. One form of authentication may be required at the first checkpoint, such as an access card, while a second, such as a biometric scan, may be required at the second checkpoint.

Turnstiles and security guards are also effective at deterring tailgating. In addition, employees should be trained and prepared to ask for the credentials of anyone if they’re not clearly visible.

  10. Test Network Jacks

Another important step in the physical penetration testing methodology is to check the active network jacks in meeting rooms and the company lobby. Often overlooked, unused but active network jacks can be exploited by plugging in a rogue wireless access point or a small implant that gives the attacker a foothold on the internal network from outside the building.

To prevent this, identify all active network jacks in meeting rooms, lobby areas and other shared spaces, disable the unused ones, and monitor the rest. Ideally, network access controls make the jacks useless to a rogue device. For example, a port can be configured to accept only a specific MAC address (port security), but because a MAC address is trivially spoofed this only stops careless attackers; 802.1X authentication with device certificates is the stronger control.
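
To make the monitoring step concrete, here is an added example (not code from the original page or from any vendor) that compares a constructed switch MAC-address table with a constructed asset inventory and flags unknown devices, inventory devices that have moved to another port, and shared-space jacks carrying more than one MAC, which is what a hub, bridge or bridged wireless AP behind a meeting-room jack looks like. The table layout mimics Cisco IOS `show mac address-table` but is an assumption (real output varies by platform), as are the MAC addresses, hostnames and port names.

```python
"""Rogue-device check for shared-space network jacks.

Added example, not code from the original page. It parses a constructed
switch MAC-address table (formatted like Cisco IOS "show mac address-table";
the layout is an assumption and varies by platform), compares it with a
constructed asset inventory and flags:
  * MACs not in the inventory (unknown device on the port),
  * inventory devices that appear on a port other than their assigned one,
  * more than one MAC on a lobby or meeting-room port (hub, bridge or
    bridged wireless AP behind a jack that should serve one device).
Caveat: MAC-based checks only catch careless attackers, because a MAC
address is trivially changed; 802.1X with certificates is the real control.
"""
import re
from collections import defaultdict

# Constructed sample table (not captured from a real switch).
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/1
  10    0011.2233.4466    DYNAMIC     Gi1/0/2
  10    f0ad.4e01.0203    DYNAMIC     Gi1/0/7
  10    f0ad.4e01.0204    DYNAMIC     Gi1/0/7
  10    0011.2233.4477    DYNAMIC     Gi1/0/7
  20    0011.2233.4488    DYNAMIC     Gi1/0/12
"""

# Constructed asset inventory: MAC -> (hostname, assigned port).
INVENTORY = {
    "00:11:22:33:44:55": ("reception-pc-01", "Gi1/0/1"),
    "00:11:22:33:44:66": ("reception-pc-02", "Gi1/0/2"),
    "00:11:22:33:44:77": ("confroom-a-display", "Gi1/0/7"),
    "00:11:22:33:44:88": ("lobby-printer", "Gi1/0/12"),
}

# Jacks in shared spaces; each should carry exactly one known device.
PUBLIC_PORTS = {"Gi1/0/7": "Conference Room A", "Gi1/0/3": "Lobby"}

_ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\w+)\s+(\S+)\s*$",
    re.IGNORECASE,
)


def normalize_mac(cisco_mac: str) -> str:
    """Convert 'aabb.ccdd.eeff' to 'aa:bb:cc:dd:ee:ff'."""
    digits = cisco_mac.replace(".", "").lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text: str) -> list[dict]:
    """Return one dict per learned MAC; header and separator lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            vlan, mac, kind, port = m.groups()
            entries.append({"vlan": int(vlan), "mac": normalize_mac(mac),
                            "type": kind.upper(), "port": port})
    return entries


def audit_ports(entries, inventory=INVENTORY, public_ports=PUBLIC_PORTS):
    """Return (finding, port, detail) tuples for anything that needs a look."""
    findings = []
    by_port = defaultdict(list)
    for e in entries:
        by_port[e["port"]].append(e)
    for port, ents in sorted(by_port.items()):
        for e in ents:
            known = inventory.get(e["mac"])
            if known is None:
                findings.append(("unknown-device", port, e["mac"]))
            elif known[1] != port:
                findings.append(("device-moved", port,
                                 f"{known[0]} is assigned to {known[1]}"))
        if port in public_ports and len(ents) > 1:
            findings.append(("multiple-devices-on-shared-jack", port,
                             f"{len(ents)} MACs seen in {public_ports[port]}"))
    return findings


if __name__ == "__main__":
    for kind, port, detail in audit_ports(parse_mac_table(MAC_TABLE)):
        print(f"{kind:32} {port:10} {detail}")
```

Run against the sample, the two unknown MACs and the three-device count on Gi1/0/7 are the only findings, which is exactly the picture a rogue bridged AP leaves behind the conference-room display. An AP running NAT shows up as a single unknown MAC instead, so the unknown-device check matters as much as the count.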

  11. Check Meeting Rooms

Employees often leave sensitive documents, unlocked computers, or passwords written on notepads after meetings, presenting a serious security risk.

To mitigate this risk, businesses should establish and enforce employee policies to check for unattended electronic media and/or sensitive papers employees leave behind in meeting rooms. It’s important to also check for notes that employees leave behind that can provide attackers with an overview of some of the more important business decisions in the company.

  12. Shoulder Surfing

As the name implies, this attack involves simply observing an employee's screen and keyboard to pick up usernames, passwords, intellectual property, and other sensitive data. To test it, penetration testers observe whether they can pick up login credentials as employees type them.

Attackers won't be as obvious as hovering around a workstation, which would draw too much attention. Instead, they may pose as a handyman, delivery person, or friendly "co-worker." If the test succeeds, privacy screen filters and workstation placement that keeps screens away from walkways significantly reduce an observer's ability to read screens or follow typing.

  13. Social Engineer Employees

Social engineering is the practice of extracting sensitive information from a company's employees through deceptive practices of which the employee is unaware. These attacks require strong social skills to succeed and are often very effective when executed well. It has been reported that 98% of cyber attacks rely on social engineering as an entry point into a business's systems.

Attackers often deploy several tactics to succeed in social engineering their targets. One of the main ones is authority combined with urgency. For example, an attacker may pose as a manager requesting that $10,000 be wired for an emergency "expense." Most employees would ask why that much money needs to be transferred immediately.

The attacker can then pressure the employee by saying they’re on a tight deadline and that the Vice President isn’t happy. They may even threaten the employee’s job if the request isn’t granted.

Attackers also often exploit a person’s natural desire to help by making the employee abandon best practices and perform a task that they are not allowed to do. Victims are often completely unaware that they have been manipulated and the attacker manages to successfully achieve their main goal.

To test your employees, try hiring a professional social engineer with the goal of gaining access to your business’s premises through the use of various techniques involving disguises, fake phone calls to the reception, and through the manipulation of security guards with fake IDs.

Physical Security Controls

  1. Fences I hear you already yelling, "BORING, I was hoping for robots armed with lasers patrolling our darkened halls, vaporizing intruders at all hours of the night!" First, that's not a terrible idea. Second, we agree that fences are boring, but remember our premise of a layered approach to security. Fencing can form the outermost layer, deterring someone from even approaching the building, or at least making for a harder day for someone determined enough to try to climb or cut through.

  2. Cameras Okay, this is a little better than fences, at least it's something that plugs in. A security camera system offers both a historical record of what actually happened in an area and an active deterrent to someone going where they shouldn't be. For the former, there should be enough cameras to cover at least all entrances and exits; for the latter, they should be installed in plain sight.

Forget about the grainy black and white security tapes of old. Today's modern camera systems record HD video onto hard drives and offer immediate queuing up of timestamped footage. Need to see who came in the side entrance at 6 a.m. last Tuesday? Forget finding the right video tape and rewinding to the correct spot. Just choose your date and time in the app and there's your footage.

Did we mention these modern cameras connect and are powered via Ethernet (PoE)? Given a PoE-capable switch or injector, there's no need to run new cabling, just repurpose network drops you already have. Some have handy features too, like infrared recording at night and motion-based recording that only saves footage when it detects movement. There's no sense in filling up your hard drive with unchanging video of a door that no one uses for 16 hours a day.

  3. Alarm Systems We recommend lots of ear-piercing sirens, spinning red lights, and a robot voice repeatedly yelling "INTRUDER ALERT! INTRUDER ALERT!"

Seriously though, alarm systems are an essential reactive layer on top of the historical event capturing layer that is your cameras. These can be your classic sensors detecting doors opening, motion or sound detectors in case Tom Cruise comes in through the ceiling, or other environmental monitoring like smoke detectors that can dispatch the fire department. Not the most super exciting stuff, but definitely a super essential layer to your physical security.

  4. Access Control Systems Access control is exactly what it sounds like: only granting certain people access to certain areas. This can be only letting your employees through the building's front door or onto your floor of a multi-tenant building. It can also include only allowing select employees into specific areas within the property, for example, only allowing IT into the server room. A system can also be on a timer, allowing free access into the building during work hours when a reception area is staffed to greet and monitor incoming guests, but automatically locking at 5 p.m.

The means of granting access can be as simple as a physical key and door lock, but generally for more sophisticated businesses there's some tech involved. A PIN code inputted on a pad could open a door, or a biometric scanner could read a fingerprint, but most typical are RFID cards, commonly known as prox cards or HID cards. The card is scanned at a reader that releases the door's lock if the card is valid.

RFID cards are super convenient in a lot of ways. The cards themselves are cheap and easy to replace if one is lost. They can be programmed to open different sets of doors within the system. Their greatest advantage over physical keys, though, is in the situation where many employees have a key to the building's front door. In the case of one lost key, you're stuck having to rekey the door and reissue many keys to guarantee building security. With RFID cards you just deactivate that one card in the system, done. Add automatic auditing of who's coming in and when, and you've got a pretty slick access system.

However, these cards do have some pretty steep downsides. First and foremost, the legacy low-frequency proximity cards still common in many buildings are incredibly easy to copy with the right equipment. The reader emits just enough electromagnetic energy to power the small chip and antenna in the card, which then transmits a fixed code. The system checks the code against its list: valid, the door unlocks; not valid, the door stays locked. There is no secret and no challenge, so a high-powered reader hidden in a backpack can read the cards of anyone within a few feet of the attacker, who then writes the code to a blank card and, bingo, easy access. Newer credentials that use mutual authentication and encryption between card and reader are much harder to clone, but only if the readers are configured to refuse the legacy formats.

Sounds like an awful solution, right? Well, again, RFID cards are one of many security layers you should implement. It's also a measured risk versus the cost and time of maintaining physical keys, and RFID systems keep improving to thwart card cloning.
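
To show exactly what "a code" means for a legacy prox card, here is an added example (not code from the original page or from HID) that encodes and decodes the 26-bit Wiegand format, known as HID H10301, which is the most common layout those cards transmit. It also covers the "Break RFID Tags' Encryption" step above, in the sense that there is nothing to break: the frame is a facility code, a card number and two parity bits, and a replayed frame is indistinguishable from the real card. The facility code and card number used below are made up.

```python
"""Encode and decode the 26-bit Wiegand / HID H10301 format.

Added example, not code from the original page or from HID. It shows what a
legacy 125 kHz prox card actually hands the reader: an 8-bit facility code and
a 16-bit card number framed by two parity bits, with no secret and no
challenge. Anything that can read those 26 bits can replay them, which is the
"copy the card" weakness the text describes. Layout (bit 0 transmitted first):

    bit 0       even parity over bits 1..12
    bits 1..8   facility code (0..255)
    bits 9..24  card number (0..65535)
    bit 25      odd parity over bits 13..24
"""


def _ones(bits: str) -> int:
    return bits.count("1")


def encode_h10301(facility: int, card: int) -> str:
    """Return the 26-bit frame a reader would see for this facility/card pair."""
    if not 0 <= facility <= 0xFF:
        raise ValueError("facility code must fit in 8 bits")
    if not 0 <= card <= 0xFFFF:
        raise ValueError("card number must fit in 16 bits")
    body = f"{facility:08b}{card:016b}"            # bits 1..24
    even = str(_ones(body[:12]) % 2)               # bit 0: bits 0..12 get even weight
    odd = str((_ones(body[12:]) + 1) % 2)          # bit 25: bits 13..25 get odd weight
    return even + body + odd


def decode_h10301(frame: str) -> tuple[int, int]:
    """Return (facility, card); raise if the frame is malformed or parity fails."""
    if len(frame) != 26 or set(frame) - {"0", "1"}:
        raise ValueError("expected a 26-character bit string")
    if _ones(frame[0:13]) % 2 != 0:
        raise ValueError("even parity check failed (bits 0..12)")
    if _ones(frame[13:26]) % 2 != 1:
        raise ValueError("odd parity check failed (bits 13..25)")
    return int(frame[1:9], 2), int(frame[9:25], 2)


def is_valid_frame(frame: str) -> bool:
    """Parity is the only integrity check the format offers: it catches a single
    flipped bit but says nothing about who is presenting the frame."""
    try:
        decode_h10301(frame)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Made-up facility code and card number.
    frame = encode_h10301(123, 45678)
    print(frame, decode_h10301(frame))
    # A replayed frame is bit-for-bit identical to the genuine card, so the
    # reader cannot tell them apart; only a corrupted data bit is rejected.
    flipped = frame[:10] + ("1" if frame[10] == "0" else "0") + frame[11:]
    print("corrupted frame accepted?", is_valid_frame(flipped))
```

Two things follow from the layout. The reader accepts any well-formed frame, so the only defence on the card side is to stop using static-code credentials. And with 8 bits of facility code and 16 bits of card number the whole keyspace is small, which is why an access-control audit should look for bursts of rejected reads as well as accepted ones.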

  5. Proper Lighting This one seems pretty obvious. Good lighting both inside and out can be enough to deter bad guys from trying to get in at night. At the very least, all building entrances should be well lit. This will help employees working late feel a little better. While on the subject, battery-backed emergency lights should be installed in interior hallways to provide illumination in the event of a power outage.

  6. Document and Equipment Disposal This one is often overlooked, but sensitive company information, either in paper or hard drive form, can be a huge liability. Old or unneeded documents should be removed from the premises by a document disposal company who will thoroughly shred documents either in the building or in a truck outfitted with mega shredders outside your door. Either way, everything is destroyed before it can unintentionally walk out the door.

Old computers can be a big problem in the same way. Hard drives full of company docs can be a goldmine for criminals looking for trade secrets, financial reports, or other information that needs to remain private. Machines in storage waiting to be reissued should be promptly wiped of all data. For old computers that are no longer needed, you have two decent options: an e-waste company can destroy the hard drives and recycle the hardware, or you can securely erase the drives yourself with a program like the classic Darik's Boot and Nuke (DBAN). One caveat: overwrite tools like DBAN were designed for spinning disks and cannot guarantee that every block of an SSD is overwritten; for SSDs use the drive's own ATA Secure Erase or NVMe sanitize command, or run full-disk encryption from day one and destroy the key. Either way, verify the wipe before the machine leaves your control.

  7. Regular Audits of Systems Any system or security control put in place is only effective if it's well maintained. After a burglary is a bad time to realize that the camera by the back door stopped recording months ago.

Every security control should be regularly audited to make sure things are still working as expected. It's not always fun work, but installing any control is only the beginning. Check the cameras to make sure they are all still recording. Audit access control logs, have all former employee cards been deactivated? Is anyone coming in at weird times? Do any fences need some TLC to repair broken sections? Are old laptops piling up in that closet (you know the one, where broken hardware is left to "one day" be sorted through)? Do the emergency lights work or are the batteries long dead?
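
The access-log questions above ("have all former employee cards been deactivated? Is anyone coming in at weird times?") are easy to automate. Here is an added example (not code from the original page or from any access-control vendor) that runs those checks over a constructed badge-reader export, plus one more that a cloned card tends to trigger: the same badge used at two sites closer together in time than anyone could travel between them. The CSV columns, site names, badge numbers, business hours and travel times are all assumptions.

```python
"""Access-control log audit: the checks the text lists, run over sample data.

Added example, not code from the original page. It reads a constructed
badge-reader export (CSV; the column names are an assumption, every vendor
differs) and flags three things a regular audit should catch:
  * a badge on the HR "terminated" list that is still opening doors,
  * entries outside business hours or at the weekend,
  * the same badge used at two sites closer together in time than anyone
    could travel between them, which is how a cloned card shows up in logs.
"""
import csv
from datetime import datetime, time, timedelta
from io import StringIO

# Constructed sample export (not real data). 2024-03-04 is a Monday,
# 2024-03-09 a Saturday.
BADGE_LOG = """\
timestamp,badge,holder,door,site
2024-03-04T08:02:11,1042,A. Ng,HQ-Front,HQ
2024-03-04T08:03:40,1042,A. Ng,HQ-Server-Room,HQ
2024-03-04T08:05:02,1042,A. Ng,Warehouse-Dock,WH
2024-03-04T22:47:19,2077,B. Ortiz,HQ-Front,HQ
2024-03-05T09:10:00,3311,C. Patel,HQ-Front,HQ
2024-03-09T13:30:00,2077,B. Ortiz,HQ-Side,HQ
"""

TERMINATED_BADGES = {"3311"}                 # constructed HR list
BUSINESS_HOURS = (time(7, 0), time(19, 0))   # inclusive, Monday to Friday
# Minimum realistic travel time between each pair of sites (constructed).
MIN_TRAVEL = {frozenset({"HQ", "WH"}): timedelta(minutes=25)}


def parse_log(text: str) -> list[dict]:
    """Parse the export and sort by timestamp so per-badge sequences are in order."""
    rows = list(csv.DictReader(StringIO(text)))
    for r in rows:
        r["ts"] = datetime.fromisoformat(r["timestamp"])
    rows.sort(key=lambda r: r["ts"])
    return rows


def is_after_hours(ts: datetime, hours=BUSINESS_HOURS) -> bool:
    """Weekend, or outside the configured weekday window."""
    start, end = hours
    return ts.weekday() >= 5 or not (start <= ts.time() <= end)


def audit(rows, terminated=TERMINATED_BADGES, hours=BUSINESS_HOURS, travel=MIN_TRAVEL):
    """Return (finding, badge, door, timestamp) tuples, in log order."""
    findings = []
    last_seen = {}                            # badge -> previous row for that badge
    for r in rows:
        if r["badge"] in terminated:
            findings.append(("terminated-badge-used", r["badge"], r["door"], r["timestamp"]))
        if is_after_hours(r["ts"], hours):
            findings.append(("after-hours", r["badge"], r["door"], r["timestamp"]))
        prev = last_seen.get(r["badge"])
        if prev is not None and prev["site"] != r["site"]:
            needed = travel.get(frozenset({prev["site"], r["site"]}))
            if needed is not None and r["ts"] - prev["ts"] < needed:
                findings.append(("impossible-travel", r["badge"], r["door"], r["timestamp"]))
        last_seen[r["badge"]] = r
    return findings


if __name__ == "__main__":
    for finding in audit(parse_log(BADGE_LOG)):
        print(*finding)
```

On the sample this reports badge 1042 at the warehouse 82 seconds after it opened the HQ server room (a clone, or a badge that was lent out), badge 2077 entering late at night and on a Saturday, and terminated badge 3311 still working. Treat the travel-time table as the tunable part: too tight and you page on people who genuinely drive fast, too loose and a clone used across town goes unnoticed.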

References

https://www.triaxiomsecurity.com/what-is-a-physical-penetration-test/

https://purplesec.us/physical-penetration-testing/

https://www.triaxiomsecurity.com/our-physical-penetration-testing-methodology/

https://www.sentinelone.com/cybersecurity-101/open-source-intelligence-osint/

https://www.geoowl.com/services/geoint/

https://www.globalsecurity.org/intell/library/policy/army/fm/2-0/chap7.htm

https://www.encyclopedia.com/politics/encyclopedias-almanacs-transcripts-and-maps/imint-imagery-intelligence

https://www.exabeam.com/information-security/top-8-social-engineering-techniques-and-how-to-prevent-them-2022/

https://en.wikipedia.org/wiki/Software-defined_radio

https://www.redteamsecure.com/penetration-testing/physical-penetration-testing
