Why Your Organization Should Conduct a Physical Penetration Test

Posted by Melanie Klag on Oct 14, 2019 10:30:00 AM

A physical penetration test can help you find your business’s vulnerabilities when it comes to security. However, instead of simulating an attack on your company’s network and cyber infrastructure, a physical penetration test actually tries to breach the perimeter of your office itself and tests the efficacy of your locks, barriers, cameras, or sensors. The information you will gain from this physical penetration test is vital to protecting your company, employees, assets and your reputation. You will determine if your physical location is vulnerable to a break-in and how to prevent an actual intruder.

For a physical penetration test to be effective, it needs to incorporate a variety of tools and testing methods. The third party conducting the test should have a thorough plan that it provides to your organization up front, so you know exactly what you are getting into and what the company will be doing. The testing company should do its due diligence and map out your building or request blueprints of your office space. Once that is complete, they will be ready to attempt to gain access to your company.

Gaining Access via a Physical Penetration Test

Social engineering – This method can incorporate a number of different tests that revolve around the company’s employees. It can include pretending to be an employee or guest, following a person through a door (tailgating) or asking someone to hold a door, or looking over an employee’s shoulder to learn the access code.

RFID cloning – If RFID access cards are used by employees to enter a building, an RFID cloner can be used to read the contents of a badge and duplicate it for entry. Cloners work within close proximity to the badge or card, so the attacker does not even need physical control of a badge to clone it. They generally can copy the information from 2 feet away.

Lock or access control bypassing – This is often the most challenging task for the tester. It includes physically picking locks, using an under-the-door tool to open doors, triggering motion-activated doors to gain access, or any number of other methods an attacker might think of to bypass security mechanisms.

Once Inside, Then What?

If penetration testers are able to enter your facility, their physical test isn’t over. They will attempt to gain access to files, servers, employee information and anything else that may provide information an attacker could use against a company. This portion of the test will also determine the efficacy of internal motion detection, employee safety protocols and much more. Items testers will look for include: network access controls, server rooms, papers or files on employees’ desks or on their computer screens, and employees’ willingness to answer questions or share information with someone they don’t know.

Are You Sure Your Company is Safe?

Hiring a company to break into your building may seem like an odd thing to do, but can you really afford not to know if you are vulnerable to an intruder? Think of the damage that can be done – monetarily, legally and to your reputation. It could be devastating. But learning that you are protected or how you can become protected can be priceless. Don’t you want to know? It is time to conduct a physical penetration test.

Topics: Pentesting, Penetration Testing, Physical Penetration Test