Assessing an organization’s physical security is often part of a comprehensive PenTest. Prior to beginning the test, the PenTester will review the project scope and outline the specifics of what is to be included when testing. Details include the parameters and priorities, what assets are to be assessed, and the targets’ point of contact.
The tasks the team might attempt include the following:
-
Taking pictures of restricted areas and proprietary equipment
-
Stealing devices, documents, and electronic data
-
Accessing restricted systems
-
Planting malicious devices such as keystroke loggers
-
Bypassing security cameras and locks
-
Gaining access to server room and utility closets
Prior to attempting a physical security breach of a building, the PenTester should scope out the facility and take a site survey of the security measures in place to determine the best methods of circumventing them.
Fences
Many buildings have perimeter security, such as natural barriers or fences, to deter someone from simply entering the property. The PenTester should walk around the facility and assess whether there are impediments to entrances and other restricted areas that they might be able to go over. In addition, the PenTester can use photographs or Google Earth to examine the property.
If there are fences, the PenTester should evaluate whether they can be climbed over. For example, fences that are three to four feet high can easily be scaled. More restrictive premises will likely have taller fences that are difficult to climb over without considerable effort or using a ladder.
Highly restrictive areas might use extreme security measures in the form of barbed or razor wire on top of fences. This is a robust defense method, as even if someone managed to scale the fence, they would have a difficult time going over it without causing an injury.
Once the PenTester has evaluated the facility for barriers or fences, they can assess the level of security the defensive methods provide and identify vulnerable areas.
Motion Detection
In addition to fences and barriers, the facility might have motion detection systems in place. Motion detection sensors are typically placed in secure areas of buildings along with key entrances and exits to detect movement, monitor activity, and identify unauthorized physical access.
The sensors use a variety of technologies to identify motion, but most focus on detecting changes in the infrared spectrum. Sensors can detect motion in the following ways:
-
Using infrared imaging to detect the presence of a person or object
-
Detecting when the infrared pattern is blocked
-
Using algorithms that detect any deviation from an established baseline
Most sensors are placed in ceilings and opposite each other to cover the widest possible area. If a sensor detects motion, it can trigger an alarm, light, or fail-safe mechanism, such as activating an access control vestibule.
The PenTester should evaluate the sensors to see whether someone can bypass the system and whether there are blind spots that the sensors don’t cover as they move through the building. In addition, the PenTester can attempt to block the motion detectors by placing pieces of cardboard or Styrofoam over the sensors.