Physical Penetration Testing

A physical penetration test ensures that your office and its physical assets are safe from theft by malicious actors. These assets and the data contained within them are critical to your organization and, in the wrong hands, can be used to disrupt it. Furthermore, competitors would have an unfair advantage with this data at their disposal.

The cost of a penetration test is directly proportional to the amount of effort and time required to assess the physical resilience of the area(s) in scope.

As a rule of thumb, when there is a cyber-related risk, a security assessment is required to address it. A physical penetration test is highly recommended if your office contains sensitive data-holding equipment, such as laptops, computers and servers, or even sensitive documents.

When dealing with their data, clients frequently request a physical pentest to ensure its security. Furthermore, cyber security regulations such as PCI DSS, ISO 27001, and SOC2 place a premium on physical security.

A cyber security strategy should address all cyber-related risks and avenues that may jeopardize data security, including physical security. What good are firewalls and other digital security products if an attacker can simply walk into an office and connect to the internal network or steal sensitive documents containing the information?

As a rule of thumb, a physical pentest should be performed in the following situations:

• Just before the company begins to use the office space;
• Following significant changes to the office space, such as the construction of a new physical extension or the installation of new physical security equipment; and
• At least once a year to ensure that new personnel, both regular employees and security guards, are alert.

Without a doubt. An Access Control Policy specifies what is required and expected of employees, as well as what is acceptable and unacceptable. A deviation from good security practice here can result in stakeholders (e.g. contractors, employees, suppliers, partners) failing to follow best practice procedures, putting the physical security of the entire company at risk.

The following are the top issues based on our extensive experience conducting these assessments:

• Employees’ lack of awareness of cyber-security issues;
• Even when CCTV and cameras are installed, there is a lack of real-time monitoring and surveillance; and
• Doors to sensitive areas that are kept unlocked.

The length of a physical penetration test engagement is determined by the number of sites included in the scope and their size. The following are the main steps in this assessment:

• Building Plan and Access Control Policy Review
• Passive Reconnaissance and Open Source Intelligence
• Surroundings Review – Active Reconnaissance and Observations
• Planning of Attack Paths
• Exploitation:
  • External to Internal
  • Internal to Secure and Sensitive Areas

They most certainly are. The ultimate goal of this type of test is to gain unauthorized access to sensitive information. This can include paper documents lying around the office or internal servers that can only be accessed by connecting to the internal network.

Yes, these terms can be used interchangeably.