Posted by
Share this article
Physical penetration testing is a testing technique that goes hand in hand with cybersecurity pen testing. Physical pen testing is the process of testers attempting to gain access to physically restricted areas such as offices, server rooms, or other secure facilities. Once inside, the tester may then attempt to gain access to digital systems and data, aka pen testing.
What is Physical Penetration Testing?
Physical penetration testing is when you run exercises to test the physical security of your organisation, to see whether it’s possible to gain unauthorised access through the secure perimeter. Fences, gates, guards, cameras, security systems and other ways to secure the perimeter can all be tested. Physical pen testing can run in combination with cybersecurity pen testing, as testers sneak inside the business premises, scoping interiors to then access workstations and servers, and capture critical digital assets.
Physical pen testing means taking a good hard look at your physical premises themselves, whether you have just one site or many around the country or globe.
Methods of physical pen testing
There are many different ways to attempt to penetrate the physical perimeter of a business.
Physical/technical bypass
Physical bypass
Lock picking, bolt cutting, fence jumping, and window smashing are all ways to gain access to a premises through physical bypass.
Technical bypass
When testers take technical measures such as turning off security cameras or alarms to access the premises, this is known as technical bypass.
Destructive vs. Nondestructive Testing
When using physical or technical bypass methods, the testing may be destructive or non-destructive. Examples of destructive methods are smashed windows or cutting the wires to security cameras. If destructive methods are used in physical pen testing, there must be prior warning for employees and security, to ensure emergency services are not called unnecessarily and there is no risk of human harm.
Opportunistic entry
Testers can gain access to premises through unforced entry by observing weaknesses in a business’s physical premise patterns of operation. This may be through following an employee through a turnstile before it closes (tailgating), gaining entry through a back roller door used for deliveries, or slipping past a security guard during changeover.
ID cloning
ID cloning is when testers get their hands on an employee ID, typically a swipe card, then clone the details to use for their own faked card. This way, the tester can gain access to a secure facility using real, albeit cloned, company credentials.
Social engineering physical pen testing methods
Social engineering refers to the range of techniques used to manipulate employees into giving out information or access to unauthorised parties. Social engineering leverages uniquely human experiences and traits, such as emotion, events that do or don’t demand attention, and regular routines across a particular person’s day or week.
Impersonation
Impersonation is when a tester impersonates an employee, contractor, client, or other associate. For instance, a tester may dress as a cleaner to gain building access.
Tailgating
During rush hour, for instance returning from lunch, a tester may slip through an authorised access point. This is known as tailgating and many employees tailgate themselves in these circumstances unless they have been trained otherwise.
Phishing or vishing
A tester may email (phishing) or call (vishing) ahead in an attempt to gain access to the premises. For instance, if a tester can convince an employee to divulge the door security code under false pretences, then it can be keyed in to access the building.
Pretexting
Pretexting involves setting up a fake situation to gain access to a premises. For example, one tester may chat to a receptionist while another phones an employee to receive a package at the door. While the receptionist is distracted and the door is open from the employee coming out to receive the package, a tester slips through.
Advanced Persistent Threats
Much like advanced persistent threats (APTs) in cybersecurity circumstances, testing physical APTs involves continued techniques in an attempt to stop normal operations and gain access. For instance, many different testers may try the tailgating technique at different times of day across many weeks.
Benefits of Physical Penetration Testing
Test to determine holes in the physical security of your premises
See if staff security awareness training is working
Determine whether you need new physical security measures
See if gaining physical access makes it easier to gain digital access
Physical Penetration Testing Methodology
Unlike cybersecurity pen testing, there are no specific frameworks or standards to follow in physical penetration testing. Instead, each physical pen testing company has a range of tried and tested techniques they follow, which are updated to current business practices. The method of engagement is as follows.
Pre-Engagement
Pre-engagement is when the pen testers and the organisation discuss threats, goals of testing, and the types of scenarios that might be run.
Scoping
Scoping will set the boundaries of the testing; each test, the methods, and what will and won’t be included in the testing.
Cost
Based on pre-engagement and scoping, the exact costs of the physical pen testing can be calculated. The cost will depend on the complexity of tests as well as if there are multiple locations involved.
Rules of Engagement
The Rules of Engagement cover rules such as whether employees are informed of the testing ahead of time, whether any destructive testing can occur (and which objects), and the maximum amount of time the exercise can last to achieve an objective.
Authorisation
Authorisation is the sign off of consent for the testers to conduct their testing, outlining the specific testing techniques involved. Since many of the practices involved in physical pen testing are illegal when performed by a party that doesn’t have consent, the testers need assurance they won’t have trouble with the authorities if they accidentally become aware of the situation.
Written by Richard Smith
Contact us
Speak with a Tesserent
Security Specialist
Tesserent is a full-service cybersecurity and secure cloud services provider, partnering with clients from all industries and all levels of government. Let’s talk.