Tales From the Road: The Power of Physical Penetration Testing

Is Your Organization’s Physical Security Top-Notch?

Having high-level security measures at any organization is a must, especially for large corporations that deal with specific clientele and hold confidential and sensitive information. We know attackers find ways to gain access to corporate networks remotely, but physical access poses even more risk, as attackers can potentially get their hands on paper records in addition to infiltrating your network.

A well-conducted physical penetration test assesses the strengths and weaknesses of your physical and network security through a series of deliberate breach attempts, persisting until the breach attempt is either successful, or detected. 

We recently conducted a physical security penetration test for a repeat client, a large banking institution with, as you can imagine, a lot of sensitive information to keep secure. This physical penetration test engagement involved two locations for us to attempt a breach: the bank’s main headquarters and secondary customer service location.

Exploring Physical and Digital Security Challenges

Simply by asking us to do the physical penetration test, this client was making an important acknowledgment about the importance of strengthening their overall security.

The aim of the penetration test was two-fold: to evaluate the security measures in place at the two facilities that would protect the banking institution’s physical vulnerabilities, and to assess the readiness of their personnel in recognizing and responding to potential breach attempts.

With any physical penetration test, the overall goals are to eventually ensure the premises are secure against unauthorized physical access, ultimately preventing any potential network infiltration originating from within the facilities.

Unmasking Vulnerabilities Through Expertise

Expertise is crucial to conducting a physical penetration test, both for the preparation and execution.

Firstly, it’s important to know as much as possible about an organization and its people before making breach attempts. Plus, attackers do their research too, and thinking like an attacker is the only way to uncover every vulnerability within an organization.

Second, in the execution of the physical penetration test, we want to be diligent and careful while attempting to gain any unauthorized access. It takes the right background knowledge, but also a high level of confidence and skill to be convincing and get into restricted areas without raising an eyebrow.

Employee Research

Before diving into physical security penetration testing, we conducted thorough research. We scoured publicly-available resources like social media and the company website to gain insights into the bank’s employees. This information guided our impersonation strategies, showcasing how easily malicious actors can gather data to pretend to be specific employees – or to pose as job applicants or delivery personnel looking for a certain employee – and breach security.

We also took care to note any employees who were out of office. By sending a mass email to the company, we paid attention to out-of-office email auto-responders, signaling to us that we could easily impersonate that employee in some fashion, as they would not be physically present to counter any claims we made.


Test #1: Headquarters

In this scenario, one of our consultants posed as a job candidate scheduled to meet a hiring manager at the bank’s headquarters. Little did they know that the “hiring manager” was actually another member of our team posing over the phone as an employee who was actually out of the office. While our candidate successfully passed the front desk and was given an office within the secure perimeter, they were under constant supervision, preventing any substantial network infiltration.

Test #2: Customer Service Center

At the secondary location, our consultant assumed the identity of a third-party vendor, aiming to gain access for a safety inspection. Initially denied entry due to paperwork issues, our social engineering expertise came into play. Our consultant impersonated the facilities manager, and while they were eventually granted access, they remained closely monitored, impeding any attempts to access the network.

Notably, the front desk employee did initially request an email verification from our consultant to show they were supposed to be there for facilities maintenance, but eventually allowed them through without the email. In general, requesting email verification in cases of doubt regarding a vendor’s presence is not a recommended best practice as with the right level of preparation, any email can be spoofed and made to look legitimate.

Building Stronger Defenses

While we didn’t breach the network during this engagement, physical attacks remain a viable threat for any organization, and even being let into other parts of the facility during both tests demonstrates a gap in physical security protocols. 

Physical security penetration testing uncovers vulnerabilities like unlocked doors, unlocked filing cabinets, and lax ID checks, serving as an essential tool to assess general security and employee compliance with and understanding of security protocols.

Our journey provided valuable insights that you can use to inform your own physical security status:

Physical Security Strengths:

  • Escorted Access: If visitors arrive at your organization, are they escorted to their destination? Vigilant escorting of visitors – no matter who they are – greatly reduces unauthorized access opportunities.
  • Network Access Controls: If someone attempts to access the network, would your organization be alerted? Strong controls can stop network infiltration gained through an attacker’s physical presence or remotely.
  • Anti-Tailgate Controls: It’s easier than you may think for a bad actor to simply tailgate their way into your building – that is to say, walk behind an authorized employee to get through otherwise locked doors. Prevent unauthorized entry by bolstering anti-tailgate measures with entryway security personnel, ID badges, or mandatory check-ins for any unknown individuals.
  • Employee Impersonations: Anyone can impersonate an employee by leveraging knowledge gained through public-facing resources like social media or your company’s website. Train employees to be wary of phone calls or emails from individuals making requests or seeking approvals for anything that seems out of the ordinary. Phishing and vishing are highly common and even though they may look or sound legitimate, ask employees to call the individual back to verify they are who they say they are, or implement a video recognition call back.
  • Visitor ID Checks: ID checks are crucial to prevent tailgating as well as unauthorized access throughout your company’s facilities. Fake ID badges can be easily created and used without raising alarm unless you have checks in place to ensure everyone who arrives with an ID badge is a real employee, and that the ID badge itself is legitimate.

Even the Strongest Physical Security Should be Tested

To ensure comprehensive protection for your organization, it’s essential to assess physical security regularly. New employees, changing regulations, and rapidly advancing attacker tactics mean that even the strongest physical security protocols can be surpassed by a savvy attacker.

DirectDefense offers the expertise you need to bolster your defenses against both physical and digital threats.

Take the first step in securing your organization by calling us today at 888-720-4633 or contacting us here. Together, we can build a stronger, more resilient security framework that protects your assets and operations.


2023 Security Operations Threat Report