What is a Physical Pen-Test
A physical pen test, or physical penetration test is a security audit conducted on your physical systems, usually on your business’s HQ/Office. Whilst most modern companies are moving completely virtual, around 98% of businesses are still located or have some kind of physical office presence. A physical pen test will allow a pen-tester to come in, and attempt to bypass traditional physical security such as CCTV, fences, and doors to gain access to your business.
Why you need to consider a Physical Pen Test
There are many benefits of performing an in-person, physical pen test on your building or for your company. These benefits are usually ignored for smaller businesses but should be considered no matter what size, as this could save your company thousands.
Expose Physical Vulnerabilities
Although you use your office every day (potentially), there will be physical vulnerabilities that you’ll miss or have completely ignored or even discovered. These physical vulnerabilities are often your weak spots within a physical test and once rectified will leave your business, staff, and overall security posture in a much better place.
Understand your Property and its Risks
If you’re in a shared building, your building, the location, or even the staircase to your floor may all be risks that you won’t know about. A physical pen test won’t just target your business but rather your location, and will try to find ways to break in (both legally or illegally – so long as they have permission) to ensure your property and business is safe and secure.
Can Improve Cybersecurity Awareness
There are two approaches you can take – one of which is to let your staff know about some cybersecurity training prior to the test, or after it. Both of which will make sure people are more switched on to potentially notice of someone breaking in. This could be making sure the door behind them is closed and no one else comes in, or even watching other people’s behaviour who they’ve not seen before.
Can save your Money
Although physical pen-testing is quite uncommon in larger attacks you hear about on the news, it can still save you a lot of time and money. This comes in two aspects. Firstly, in the event that a real threat/adversary can come into your office, gain access to your network and cause you problems – this can cost you a lot of money. This will be in fines, legal trouble, and potentially even compensation depending on what data was taken.
Secondly, you may be able to get a reduced cost of cyber insurance, as this testing will give the insurance provider more confidence that both your staff and your systems/location is secure to really cover all aspects of your security.
What is included with most Physical Pen-Test
When we talk about door bypassing, this test will likely involve someone who does not (or at least for testing purposes – would not) have access to the office. By using door bypassing, they may wait outside of a locked door for someone to open it for them, or become friendly with people outside of the office letting them in. Another way of doing this is to duplicate and relay an RFID tag that could open a locked door – depending on the user’s access.
Physical Barriers/Deteroant Bypassing
Physical barriers do include doors, however, are more towards CCTV, Fences, garage doors, and things that could physically stop you from entering a business’s location. These things are usually the first or second items that a physical tester will try to exploit, but once passed can usually by bypassed again and again (i.e putting a hole in a fence).
Information Exploit Events
Information exploits can be made in a number of different ways. Exploiting information in any regard can be done with simple data harvesting, access to machines, or even social engineering – but more on that later. Information exploits events will be used to try to gather further information about your business, customers, or location to gain further access to information or areas that the tester should not be able to know/get to.
Network and System Hijacking
Once someone has access to your location/site, the chances are you have some kind of hardware there. Obviously, the bigger your company the worse this can hit. If you have servers or devices that have connections to AD/Azure AD or however your setup is – then an attacker, or tester can exploit this. Gaining access to a building is one thing, but then gaining access to an authorized internal device can cause you untold issues and is a major vulnerability in your business.
Out-of-Bounds Access (Physical)
If your office has a location that is supposed to be locked down, essentially only accessible by certain people – then your tester should try to gain access to these. It may be by replaying RFID frequencies, social engineering, or just waiting for a door to be opened for them.
If your office is still very much on pen-and-paper and hasn’t digitalized documents, there is a good chance that one of your employees could’ve thrown away something confidential, or something that could lead to data exfil or access to your office. Something such as a misplaced or thrown-away ID card or invoice could cause your business untold amounts of problems.
Social Engineering and Staff-Exploitability
Your staff are your weakest link without a doubt, and at the end of the day – we’re only human. A physical pen-tester will exploit this and will become a friendly, shadow, and eavesdrop on your employees whilst taking information and increasing their reputation as they go. This activity will help identify issues with your staff setup, and where their current knowledge sits.
What are the outcomes of a Physical Pen Test?
Most commonly, once you or your 3rd party has completed the physical pen test, you will likely need to put together a couple of calls or meetings to remediate or respond to the findings. This may be as something as simple as “door bypass” or “access gained via. shadowing” in which case you can amend the policy, or purchase/update hardware/systems to ensure that you are not vulnerable to the findings in the future.
Whatever a physical pen test finds, you should heavily consider remediation as this will likely secure your on-premise security 10-fold. Some remediation actions may be as followed;
- System Policy Changes
- Staff Training & Staff-based Policies
- Provides a Holistic Security Assessment with Actions
Our Verdict on Physical Pen-Tests
Overall, physical pen testing is just as important as normal pen testing that may be delivered virtually or to your systems. Physical pen tests, if you have an office or shared location is critical to be tested, as depending on your company size it may even be required for regulatory or compliance requirements.