Tales From the Road: Physical Penetration Testing Breaches Weak Boundaries

How Secure Are Your Organization’s Premises?

When it comes to entry points into an organization, network security gaps and vulnerabilities aren’t the only concern. Bad actors can choose a more traditional way in – physically walking through the doors. You may have locks, ID badges, cameras, and employee protocols, but the best way to know if – and how well – you’re actually protecting your premises from an attack is through physical penetration testing.

During a physical penetration test, we assess an organization’s various security controls and processes by attempting to gain unauthorized access to the premises and evaluating the measures in place to prevent intrusions.

One of our clients, a large university, provided us with an ideal testing environment. We conducted physical penetration testing across the campus, trying to break into different buildings and attempting to bypass security controls and processes, primarily in restricted or sensitive areas, then exploring what we could achieve once inside.

Read on to understand why physical penetration testing is important, and the process we employ not only to break physical barriers but also to identify the potential repercussions if unauthorized access were successful.

Gaining Physical Access Through a Variety of Methods

In some cases during our physical penetration testing, there were excellent security protocols in place that denied us entry.

In a few instances, we were met with satisfactory door locks, network security controls that prevented breaches through certain means, and savvy employees who followed security protocols.

For example, one of our consultants reports being told to “pound sand” after several attempts to request entry into the campus data center.

During other physical penetration activities, we met almost no resistance whatsoever.

In all attempts, our consultant implemented some creative strategies to gain unauthorized physical access.

Playing the Part and Gaining the Access

We often have to adopt different personas and employ almost stage-worthy performances to appear legitimate and attempt to gain the access we’re looking for. In past client engagements, we have pretended to be different employees at their organization, or dressed up to assume different roles like delivery personnel or maintenance workers.

This engagement had many of these elements.

Attempt #1 – The Data Center: Despite dressing in a UPS delivery worker disguise, our consultant was unable to access the data center due to strong security measures and vigilant staff. It was only when the employee left to make a call to their superior that our consultant scaled the fence and attempted to gain access through any of the several exterior doors.

Attempt #2 – Human Resources: Using a fake authorization badge created with freely available software and printed out at a local UPS store, the consultant masqueraded as an IT worker who was instructed to perform wireless network testing and gained access to sensitive areas.

Attempt #3 – Financial Controls: After bypassing several unlocked doors, and taking advantage of an alarm that had been disabled, our consultant discovered unsecured financial records and data from the last decade.

Attempt #4 – Health Center: Again using the fake authorization badge, our consultant accessed the health center, an act that if accomplished by a bad actor would have put sensitive student healthcare records at risk.

What does it all mean?

Our physical penetration testing engagement highlights the importance of strong physical security protocols. While the observed strengths were commendable, the identified threats underscored the need for continuous improvement.

10 Ways to Bolster Your Physical Security

While we recommend bringing in a third party like DirectDefense to conduct physical penetration testing, you can take steps to enhance your organization’s approach to physical security right away.

  1. ID Badges: Arm employees with ID badges (preferably robustly encrypted MIFARE DESFire RFID, which provides limited range, strong encryption, and mutual authentication protocols) for access control across your premises.
  2. Employee Protocols: Train employees on proper protocols when confronted with suspicious individuals making identity claims or requesting access without identification or satisfactory validation of their presence.
  3. Secure Locks: Lock buildings and access doors with strong locks, such as Abloy Protec2 locks, that are difficult to pick.
  4. Network Segmentation: Implement network segmentation to prevent access to privileged internal networks across various locations.
  5. Network Access Controls: Implement access controls to ensure unauthorized devices cannot connect to privileged internal networks without detection or response.
  6. Egress Filtering: Implement egress filtering to ensure control over outbound access from internal networks and prevent the establishment of a command and control channel for interactive remote access to placed devices.
  7. Security Monitoring & Alerting: If suspicious or malicious activity occurs on your network, you should be alerted right away. 
  8. Login Security: If you have employee or other portals, implement security controls like complex security questions and passwords to prevent someone from gaining unauthorized access.
  9. Updated Patches: Implementing patches to address security concerns on applications and programs puts you one step ahead of an attacker if they gain access to your network.
  10. Multi-Factor Authentication: When MFA is in place, external access by unauthorized individuals using compromised credentials hits a roadblock, as a secondary form of authentication is required.

Empowering Your Organization Through Internal – and External – Vigilance

Robust physical security protocols (external) are just as necessary as network security (internal). If a bad actor gains access to your physical building, they can then likely gain access to your network.

It’s a double-whammy of a security breach that all organizations would be smart to protect themselves against.

Here are three ways you can better protect your organization’s physical security:

  1. Implementing a durable system to verify employee badges and identification.
  2. Having a streamlined process to validate unfamiliar personnel who claim to be employees.
  3. Providing regular training to employees to increase their vigilance in recognizing and responding to security threats.

By prioritizing physical security alongside network security, organizations can stop potential attackers and safeguard their sensitive data from unwarranted threats.

Take Stock of Your Physical Security

Our ability to gain a significant amount of access to buildings across our client’s campus points to the importance of physical penetration testing and implementing security protocols across organizations.

If you’re not sure how successful someone might be at breaching your physical premises, take action before you find out.

Let us put your premises through the paces before the stakes get higher. Contact us today.