05 Mar Physical Penetration Testing – A closer look
A closer look at physical penetration testing. Why is physical penetration testing important?
Physical security is about ensuring that an organisation’s physical areas are protected from unauthorised physical access, damage and possible interference. Physical areas include information processing and storage facilities. This is a key component of the overarching information security management system (known as ISMS) and the information security strategy.
The aim of physical security is to safeguard company assets: data, IT infrastructure, equipment and facilities.
In this blog article we will look at the components of a physical penetration test, discuss the importance of such tests and provide a list of recommendations.
What does Physical Penetration Testing cover?
Physical Entry Controls
Every organisation with weak physical entry controls faces the same risk: unauthorised personnel gaining access to areas, and possibly to information, that can be copied, tampered with and subsequently misused, up to and including the permanent loss of that data. Each company should set security perimeters and boundaries safeguarding areas containing sensitive and critical information.
Access to data storage cabinets, server rooms, C-level offices and other spaces holding confidential data is to be controlled, and physical access is to be closely monitored. Employees who travel regularly, work from clients’ premises or work from home expose company assets, such as laptops and the data on them, to unwanted access in each of those contexts.
Simply put, organisations need to establish secure areas and access levels that protect valuable information and intellectual property. These should be documented and implemented in day-to-day operations. These measures need to cover different personas including employees, independent contractors, and visitors.
The assessor running the pen test will check the policies and whether all the listed measures are being adhered to. Extra consideration is given to (levels of) access to classified information. All controls are to be robust, thoroughly tested and constantly monitored.
The use of biometrics and scanning equipment provides a solid solution for access control. Processes for granting access include listing all visitors and handing them a temporary access card.
Securing Offices, Rooms and Facilities
Securing the company’s offices, facilities and equipment may seem an obvious element of a company’s physical security management. Yet when physical penetration tests are carried out, a number of non-conformities are usually found. Common weaknesses include:
- Unaccounted-for access cards
- Meeting rooms that are not soundproof (and whiteboards / flip charts that are visible from outside)
- Visitors who are not escorted to meeting rooms
- Server rooms, archives and other areas holding data that are not locked, or that are accessible to everyone inside the building.
The external auditor will inspect the security controls for offices, rooms and facilities. The test will spot any inadequate controls or their absence altogether.
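Unaccounted-for access cards are the first weakness in the list above, and the entry-controls section requires visitors to be listed and issued temporary cards. The check below is an added example, not part of the original article or any vendor product: it reconciles a card register against the list of active staff and flags the cards an assessor would ask about (no holder on record, a holder who has left, or a visitor card past its expiry). The card register, staff list and dates are constructed sample data, and the field names are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set, Tuple


@dataclass
class AccessCard:
    card_id: str
    holder: Optional[str]   # staff id or visitor name; None if the card is issued to nobody
    kind: str               # "staff" or "visitor"
    expires: Optional[date]  # visitor cards must carry an expiry; staff cards have none


def audit_access_cards(cards: List[AccessCard], active_staff: Set[str],
                       today: date) -> List[Tuple[str, str]]:
    """Return (card_id, finding) pairs for every card that needs follow-up."""
    findings = []
    seen = set()
    for c in cards:
        if c.card_id in seen:
            findings.append((c.card_id, "duplicate card record"))
            continue
        seen.add(c.card_id)
        if c.holder is None:
            findings.append((c.card_id, "issued but no holder on record"))
        elif c.kind == "staff" and c.holder not in active_staff:
            findings.append((c.card_id, f"holder {c.holder} is no longer active; card not returned"))
        elif c.kind == "visitor":
            if c.expires is None:
                findings.append((c.card_id, "visitor card issued without an expiry"))
            elif c.expires < today:
                findings.append((c.card_id, f"visitor card expired {c.expires} and not recovered"))
    return findings


# Constructed sample register: E200 has left the company, C-003 has no holder,
# Visitor A's card expired four days ago and Visitor C's card was issued without an expiry.
CARDS = [
    AccessCard("C-001", "E100", "staff", None),
    AccessCard("C-002", "E200", "staff", None),
    AccessCard("C-003", None, "staff", None),
    AccessCard("C-004", "Visitor A", "visitor", date(2024, 3, 1)),
    AccessCard("C-005", "Visitor B", "visitor", date(2024, 3, 20)),
    AccessCard("C-006", "Visitor C", "visitor", None),
]
ACTIVE_STAFF = {"E100", "E300"}
TODAY = date(2024, 3, 5)

if __name__ == "__main__":
    for card_id, finding in audit_access_cards(CARDS, ACTIVE_STAFF, TODAY):
        print(f"{card_id}: {finding}")
```

The same reconciliation can be run against the decommissioning section of the asset inventory, substituting laptops and storage media for cards and "certificate of destruction on file" for "holder is active".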
Secure Disposal or Reuse of Existing Equipment
Items such as laptops and storage media have a limited lifetime. Another consideration is that a workforce is dynamic with employees joining and others leaving on an ongoing basis. Common vulnerabilities and many incidents result from poor disposal and the reuse of peripherals.
Good practice includes physically destroying old, unused hardware and securely wiping data using digital shredders and related technologies (to return hardware to a clean state). When third-party companies are used to dispose of unwanted old hardware, a certificate of destruction is to be provided, especially where valuable data was (once) stored on such devices. In the physical penetration test a number of aspects are inspected, including the technologies used, the policies and processes, and evidence of secure destruction of unwanted hardware that is no longer in use, such as outdated laptops.
It is recommended that the organisation keeps a decommissioning section in the information asset inventory.
Unattended User Equipment
Unattended and unprotected equipment is a serious weakness in a company, and worse still where employees hot desk in an open-plan environment. Staff at all levels should be given awareness training so that they understand the risks and what should be done to mitigate them. A policy such as locking one’s laptop when away from the desk is simple yet effective. Beyond staff members, some offices see a high volume of visitors, which adds to the risk of leaving workstations unattended.
Physical penetration tests check policies, processes, awareness levels and responsibilities by all the stakeholders (mostly staff) involved. This may include walk-around inspections, during on-site tests.
Related to the above is the commonly used ‘clear desk and screen policy’. Here special attention needs to be given to sensitive data and the way it is left around, easily accessible and without the required controls.
Why is Physical Security Important?
Property, people and data: physical security is of utmost importance in safeguarding all three. Technologies need to be used to ensure physical security is in place to protect the workspace, taking into account your staff, data, intellectual property and physical assets. Visitor management systems and access control elements make physical security effective.
Our physical pen tests are based on Annex A.11.1 of ISO27001:2013. The ultimate goals of carrying out physical penetration tests are to:
- Expose real life risks and their severity level
- Expose any weaknesses in the workplace (infrastructure) and physical assets
- Protect against external and environmental threats, so that work takes place in secure areas
- Provide actionable recommendations to neutralise any identified weaknesses / non-conformities / holes.
It is always recommended to have policies and reference manuals in place, to train staff continually and to make everyone who uses the physical environment accountable for it. The inventory of physical assets is to be kept up to date, and physical security assessments and audits should be carried out periodically. Any breaches are to be taken seriously, with remedial action taken to avoid them being repeated.
The overall penetration testing strategy of any organisation should cover pen tests of the physical environment, cloud services and systems, web and mobile applications, and networks.