Below are some things to look for when pentesting for physical security. It is by no means an exhaustive list, just some quick and dirty entry pints into the network.
- Are you able to get into the building without a badge? Maybe you can strike a friendly conversation with the security guard and tell him you from out of town and wanted to meet the manager of the IT department, that you’re from a software vendor, while you’re talking to him take a picture of his badge and go home and make a copy, (Social Engineering Basics), if you do this right you may have full access to the building.
- Are there security cameras? If not just picking the lock at the right time will work.
- Are there guards? What time do they patrol the area? Look for patterns as you do your reconnaissance. When are they most vulnerable?
- Sometimes straight up social engineering will work. Go and talk to the receptionist and get the name of the CEO or IT Director, tell them you are there from the Phone Company and came because he called you out to fix his phone system in his office. Always beware of strangers offering you free phone service!
Strong physical security takes good planning. Below are some recommendations:
- Have a gate and if possible a guard at the gate allowing entry into the building campus
- Put strong lighting in place.
- Have guards at the entrance to every building.
- Have users swipe a badge for access.
- Have visitors sign in and be escorted to where they are going by the person that invited them.
- Have all vendors thoroughly checked and all consultants and vendors supervised by full time employees while onsite.
- Check ID cards.
- Challenge anyone unfamiliar to you, check their ID ask who they report to, what department are they in, are the visiting today for a special reason?
- Make sure the server room is locked at all times.
- Disable USB and CD/DVD Drives on all laptops and workstations.
- Make sure all conference rooms are secured when not in use as they have internet connectivity and phones usually.
- Make sure employees don’t leave any sensitive information on their desks and never write down their passwords.
- Make sure you have cameras and test them to make sure they work and that they are being monitored.
- Make sure that no one can just plug in a device to an Ethernet cable and get access. Use sticky ports that are tied to a MAC Address.
- Make sure that your guest wifi is password protected with a strong password WPA-2 Enterprise is recommended and make sure the password is only available upon request, don’t post it anywhere.
- Make sure that the wifi network is in the DMZ
As a pentester the absence or weakness of points 1-16 above will be your easy way into a network.
Just to recap:
Physical Security is often the last thing we think of when designing a security architecture but something that is critical to the overall robustness of a security program and can either help protect the assets of the organization and help the firm get and keep its auditing accreditations or it can be a revenue buster leading potentially to lawsuits and losses.
Strong physical security will only improve the security posture of the organization and make a pentester or hackers job more difficult. Conversely a weak physical security design is a great advantage to pentesters or hackers.