A physical penetration test emulates an attacker trying to physically break into your organization and steal sensitive information or gain access to the internal network. If you haven’t already seen it, check out our blog on the top 3 ways we gain access to your environment during a physical penetration test. While you are at it, you should probably quickly review our physical penetration testing methodology to understand what all goes into a physical penetration test. This blog will focus on the top 3 ways to improve physical penetration testing results.
1. Employee Buy-In
The number one way to improve physical penetration testing results is also one of the hardest to obtain. To perform better during this type of assessment, you need to get your employees to challenge outsiders they don’t recognize in the building. You would be shocked at how many times I have walked right into an organization’s building without being challenged. I have walked through employee cubicles, talked to employees, hung out in the break room, ate lunch at the cafeteria, and although I get a few strange looks, it is incredibly rare for anyone to ask me who I am and what I am doing there. The fact is, employees are a vital part of preventing, detecting, and stopping a physical security breach.
Getting employee buy-in is easier said than done, however, as the fact is many employees just assume the outsider belongs and doesn’t want to be confrontational. As a penetration tester, I am counting on that! With that said, we have seen some strategies that help in this area. First, anything you can do to make an outsider stand-out like a sore thumb helps. Make employees wear easily distinguishable badges and use visitor badges that are a different color and very noticeable.
A second important step is to require visitors to be escorted at all times. Sure, every company has a policy that states visitors must be escorted, but these policies are very rarely followed, even for an auditor. Start enforcing that and then employees will not assume it is just another visitor. The third thing that can effectively help in this area is to provide a phone number or designated employee for employees to call if they are not comfortable confronting individuals directly. Many employees are very concerned about confronting the outsider themselves, but are happy to report it to someone else.
2. Limit Attack Surface
Similarly to any other type of penetration test, you want to try to limit the attack surface as much as possible. For a physical penetration test, this simply means the less doors there are to break into, the less likely an attacker will be able to break in. It is unlikely that you will be able to physically remove doors, as that will break fire codes, but why can’t employees be limited to one entrance? Make the other doors emergency exits only. Then if someone walks through one of those doors it will either set off an alarm or, at the very least, it will seem odd to employees. I recently did a physical penetration test for a company that required all employees to go through one entrance and there was a receptionist immediately at the entrance who challenged all employees without badges. That was an extremely effective way to limit the threat of a physical break-in.
3. Multi-factor Authentication
In the top two methods, I tried to pick mitigating controls that don’t cost much, if anything, and can still be effective. Depending on how your physical access control system is set up now, this one may cost extra unfortunately. However, I felt it was important enough to mention here. As discussed in another blog about how we break in, one of the most effective ways we can get into your organization is through an RFID cloner.
To summarize, we have a tool that will clone employee badges if we can get close enough to them. We can walk past an employee, steal their RFID badge, and use that to gain access to the building. The way to stop us from doing that is to implement multi-factor authentication. Make employees badge in AND type in a PIN number. That way, if we steal the badge, we still need to know the PIN. This should be required to enter the building, if not for the main entrance while the receptionist is watching, at least for other entrances or while the receptionist isn’t there.
Summary: Improving Physical Penetration Testing Results
Hopefully those are 3 quick and cost-efficient ways to improve your physical penetration testing results. Of course, there are more extreme measures and more technical controls that will also help, such as hiring security guards, implementing a robust alarm/camera system, and using man-traps. Ultimately, one of the best ways you can understand your current risk situation and continue to shore up your physical security is to be regularly tested. This is the only way to identify your weaknesses and work on improving them.