Physical Penetration Tests: An Overview
When many think of a “penetration test,” the first thing that may spring to mind is cybersecurity. But in fact, you do have the option to conduct a physical penetration test—or, a simulation of a physical attack on your premises.
Understanding your landscape of physical security is crucial—though some may not realize it, we grapple with the intricacies of physical security controls every day, from the locks securing our front doors to the card readers we encounter at work. But how robust are these controls and tools that you’ve invested in? Are those who are granted physical access truly scrutinized?
Though the common belief is that our physical security controls effectively repel malicious actors, the reality is often different, and that’s where a physical penetration test can help. In this blog post, we’ll use our extensive experience to unravel the intricacies of a physical penetration test, including its importance, its purpose, the targeted goals, considerations to make when setting the parameters, and answers to other frequently asked questions.
Why is a Physical Penetration Test Important?
Among your many security assessment options, why do you also need a physical penetration test?
Because just as malicious actors can hack your network from off-site, they can blend in with your staff or socially engineer them to gain access to sensitive information or areas of your building—from there, they can then perform other network-based attacks. (Consider that the person you courteously held the door for might not be as innocent as they seem; they could be a potential threat actor aiming to pilfer company secrets or infiltrate the internal network.)
These attacks on your physical security can be as simple as planting a small computer with an out-of-band internet connection in a network closet, or as large as physically infiltrating your data center and interacting with the systems housed there, which could cause loss of data availability, confidentiality, and integrity.
What is a Physical Penetration Test?
A physical penetration test can help you better understand how vulnerable you are to those threats. Though it can encompass a broad scope, the focus of this assessment remains on scrutinizing your physical security controls and network access controls—rather than where you’re vulnerable on the Internet.
A physical penetration test delves deep to physically validate the functionality of those controls beyond the basic assessment of whether a padlock secures and releases—it examines your entire landscape, including the installation integrity of doors and whether or not each door is susceptible to complete bypass. (After all, what’s the point of a high-end security system if it’s improperly installed?)
Another integral part of physical penetration testing is the element of social engineering—a strategic process of deceiving individuals to achieve specific goals, which may be performed by your testers making requests as innocuous as, "Hello, can you let me in? I left my badge in my hotel room."
Though often overlooked in general, the human element of security is particularly essential in maintaining your physical defenses, and a penetration test that appraises your personnel’s level of awareness is key to comprehensively understanding and addressing your security.
What are the Goals of a Physical Penetration Test?
All that being said, you retain a lot of flexibility in what you want your physical penetration test to achieve.
Objectives you set for your assessors may include the following examples:
- Gaining access to a conference room and capturing a photo
- Infiltrating the CEO's office after hours and identifying sensitive information
- Gaining access to the internal corporate network by plugging into a network jack
- Chaining physical access by dropping a remote access device to obtain a foothold on the domain
It all depends on what holds significance for you and your business—or, what keeps you up at night. If safeguarding your data center is a business priority, then the goal of your physical penetration test should revolve around securing that data center.
Once you know what you want to test, you’ll also decide what the penetration testers are permitted to do during the engagement, like whether they can target door access control systems or conduct testing during off hours. Remember, these engagements thrive on keeping an open mind; the more flexibility granted to physical penetration testers, the greater the potential for valuable insights and comprehensive security evaluations.
Other Considerations Regarding Your Physical Penetration Test
When shaping your physical penetration test, your most critical decisions will include:
- Defining your scope
- The goals of your test
- Specific tasks you want the penetration testers to perform
- The physical locations where the engagement will take place
That being said, you also must consider the following aspects when having a physical penetration test performed:
- Off-Hours Liaisons: Identify individuals who will be available as points of contact during off hours to ensure smooth communication and coordination throughout the engagement.
- Landlord Approval: Assess whether approval from a landlord is necessary to conduct the testing, especially if it involves physical spaces owned or managed by a third party.
Addressing these considerations ahead of testing will help the engagement proceed more seamlessly.
Physical Penetration Test FAQs
How Long Does a Physical Penetration Test Take?
Testing is typically accomplished within one to two weeks, but timelines can vary depending on the number of locations you include, as well as any restrictions on timing. For instance, if your penetration testers require several days for after-hours reconnaissance of a building, the overall engagement duration would naturally be longer when compared to a more concise social engineering assessment.
Setting the timeline during the planning phase and being mindful of scheduling is crucial, as it will help set realistic expectations.
Are There Any Issues with Legality When Having a Physical Penetration Test Performed?
Given that a physical penetration test is, in effect, what could be considered a form of breaking and entering, that’s a valid question—the answer to which is a nuanced "yes" and "no."
Because just as it is with any digital penetration test, this is an ethical and cosigned breach—meaning, nothing happens without an established contract between the testers and the organization, which grants written authorization for the defined activities to take place. This letter of permission essentially serves as a "Get-Out-of-Jail-Free" card that testers carry at all times. While the primary goal is to avoid involving law enforcement altogether, in the event testers do encounter them during our activities, these letters are presented, and the police contact the designated individuals listed within for confirmation that everything has been sanctioned in advance.
What are the Deliverables of a Physical Penetration Test?
When you work with Schellman, near the end of our engagement, our penetration testers will compile a comprehensive report detailing:
- The defined scope
- An attack narrative that elucidates the pretexts and methods we employed to gain access
- Videos and photos to provide visual insights into specific aspects of the testing process
- A breakdown of our findings, including individual vulnerabilities, their severity ratings, and fundamental remediation steps
Overall, the document is intended to provide a clear understanding of your security landscape and highlight areas for improvement within your security measures.
Moving Forward with a Physical Penetration Test
While you may be more familiar with the concept of a web application or internal penetration test, a physical penetration test is no less important, as this assessment can help you answer the question “What happens when your hardened external physical perimeter is sidestepped?”
Securing your physical perimeter can be made easier using the insight of a physical penetration test, and now that you understand a bit more about these evaluations, you may agree that it’s the right option for your organization. If that’s the case, contact our team today to see if Schellman is the right fit for you.
But it may be the case that a different type of pen test better suits your more immediate needs, and to help confirm, be sure to check out our content detailing the various kinds of tests:
About Tyler Petersen
Tyler Petersen is a Penetration Tester with Schellman Compliance, LLC based in Madison, Wisconsin. Prior to joining Schellman in 2022, Tyler worked as a Penetration Tester for a financial institution, specializing in external and internal network penetration testing. Tyler also supported various other areas of information security, including vulnerability scanning, incident response, and security operations. Tyler has a wide variety of certifications and currently holds his Certified Ethical Hacker (CEH), Offensive Security Certified Professional (OSCP), GIAC Exploit Researcher and Advanced Penetration Tester (GXPN), Certified Red Team Operator (CRTO), and Certified Information Systems Security Professional (CISSP). In his free time, Tyler is always learning more by doing CTFs and other events.