Testing Physical Security Measures Through Penetration Testing

by Sarah Harvey / November 7th, 2019

When you think about how penetration testing is performed, do you think about testing physical security measures?

While many people believe security breaches only happen on the technical side of an organization, they can also start in your physical environment. You may find it surprising to know that some of the most advanced security attacks originate from an area as simple as a garbage can.

Items such as:

  • Bank statements
  • Credit card offers
  • Personal letters
  • Magazines
  • Receipts

…are just a few items found in the trash that can give a hacker the info they need to launch significant security attacks on a person or organization.

It may be easy to think of a hacker sitting in a dark room somewhere, spending hours trying to break through your firewall and using malware to compromise your systems, but that’s not the only way malicious individuals initiate security attacks.

To protect your secure information, your organization must pay attention to both its technical security and physical security, and consider incorporating social engineering and physical security testing into penetration testing engagements.

7 Ways to Protect Sensitive Information from Physical Security Attacks

There are many ways physical security plays a role in the protection of sensitive information. To make sure your organization is as secure as possible, you can take these important steps towards securing your physical assets:

1. Securely destroy sensitive documents

Trash cans should be placed in an open area that’s visible to personnel, or maybe even in a guarded area, so that anyone who might try to breach your physical security via information in the trash will be caught. Do you shred and securely destroy items that contain personal or sensitive data before they go into the trash, so that the information can’t be pieced together?

2. Implement policies & procedures

Proper policies and procedures should be in place so that employees are well-trained on appropriate security actions for daily activities. Whether that looks like locking doors, keeping security badges on at all times, or requiring all visitors to remain with employees in secure spaces – making sure that every employee understands what is expected of them is important in keeping your data secure.

3. Secure network entry points

Identifying all network entry points is a good practice to prevent unauthorized persons from accessing your organization’s systems. Ethernet ports in open areas are tantalizing access points for malicious individuals.

4. Monitor key physical security points with cameras

Security cameras are a great deterrent to hackers who look for easily accessible entry points hidden from view. Part of your organization’s physical security measures should be placing security cameras in areas where secure information is received, processed, and discarded.

5. Monitor all sensitive documents – even locked ones!

Locking secure documents in drawers is a good practice to implement, but these locked areas must also be monitored. A common tool hackers use in physical security attacks is a CH751 key. This key has the greatest likelihood of unlocking simple locks such as those in desk drawers, storage containers, and even elevators, which means securing your documents in a locked filing cabinet isn’t enough. These areas must be monitored at all times.

6. Be careful after hours

It’s not uncommon for hackers to slip into your office space unnoticed as everyone leaves for the day. KirkpatrickPrice penetration testers have even waited in office building bathrooms to stake out the best time to enter secure areas and locate security vulnerabilities. Making sure that your office building is secure at all hours of the day is important to protect yourself from security attacks.

7. Implement auto-lock computer policies

A practice as simple as auto-locking computers when employees step away from their desk is vital for your organization’s physical security. It only takes a few seconds and an open USB port for hackers to breach your system and install malware.

These practices are just a handful of ways your organization can be proactive in securing assets against security attacks. How can you be sure your current procedures have covered all avenues of entry into your systems? That’s where penetration testing comes in. Through the various types of penetration testing, your organization can gain greater assurance that you have secure practices in place.

Why Penetration Testing Makes a Difference for Physical Security

Penetration testers use the same tricks hackers use in malicious security attacks when they are testing your systems for vulnerabilities. They know that your organization’s physical security is the first line of defense against hackers. That’s why they use tactics such as picking locks to reach areas that are supposed to be off-limits, cloning badges of unsuspecting employees, and scouting out employee workstations to find the right moment to compromise them. At KirkpatrickPrice, our penetration testers perform skilled social engineering and physical security tests to locate vulnerabilities that your organization may be missing.

As an information security firm, we often hear from our clients that they have an internal penetration testing team and aren’t interested in a third party conducting tests on their systems.

Would you choose to test your own building for fire safety or would you rather receive a fire safety report from a Certified Fire Protection Specialist?

Of course, you would choose to have an expert test your safety features to be sure you’re protected against any serious threat of a fire. In the same way, it’s important to have a third-party penetration tester involved in hunting for vulnerabilities within your system, both technically and physically.

When a penetration tester engages in an onsite visit, they are able to recognize physical security weaknesses and help you mitigate your risks. Instead of hoping your security practices will stand against a hacker’s ill intent, you can make sure you have the right procedures in place with a penetration test.

Contact KirkpatrickPrice today to learn how our expert penetration testers can test your security controls and locate your vulnerabilities to help you prevent any security attacks!
