What is a physical penetration test?
A physical penetration test is a comprehensive assessment of a company’s or organization’s physical security controls conducted by a team of skilled professionals.
Who needs physical penetration testing?
Physical penetration testing is necessary for virtually every company that has a physical location, such as an office, headquarters, warehouse, manufacturing facility, data center or any space that houses critical infrastructure. No matter how robust your cybersecurity is and how well-trained your employees are, if bad actors can gain unauthorized access to your premises, they can compromise virtually any device, network and application.
How is physical penetration testing conducted?
Physical penetration testing, or physical intrusion testing, is typically done according to the NIST Special Publication 800 Series guidelines and the OSSTMM. During the first stage of the test, the testing team carries out passive reconnaissance and open source intelligence (OSINT) gathering, collecting information about the target using tools such as Google Earth and publicly available information on the company's environment, staff, etc.
Next, the team carries out active reconnaissance by contacting the company, its clients and vendors and extracting information. After that, the team moves on to covert observation, during which it carries out stakeouts and uses drones and hidden cameras to collect information about the premises, staff schedules and habits. The team then plans an attack using the information gathered so far and carries it out. Finally, the team compiles a report and suggests a remediation plan for the issues that were uncovered.
How to prepare for a physical penetration test?
There are a few things you need to do when preparing for a physical penetration test of your premises. First of all, compile a list of all your assets and rank them according to their importance. This will help you determine what information or equipment malicious actors might try to get access to. Next, create a list of objectives for the penetration testing team. Decide what or who exactly needs to be tested, which members of your staff need to be aware of the testing, etc. You should keep the list of people who know about the upcoming pentest to a minimum to avoid compromising the results of the test.
Next, you should determine what kinds of people and entities could pose a threat to your company. These could be current and former employees with malicious intent, rival companies, members of organized crime and even nation states. The final step in pentest preparation is to assign an employee to be the main point of contact for the pentesting team. This employee should be authorized to address critical security flaws, evaluate the threat responses of other employees, etc.