Physical Security Assessments
Tom Eston, Spylogic.net
Topics
- Convergence of physical and logical assessment methodologies
- Planning the assessment
- Team structure
- Reconnaissance
- Penetration phase
- Walk through phase
- Lessons learned
Penetration Test Definition
- Simulate the activities of a potential intruder
- Attempt to gain access without being detected
- Gain a realistic understanding of a site's security posture
Why conduct a physical security assessment?
- Assess the physical security of a location
- Test physical security procedures and user awareness
- Information assets can now be more valuable than physical ones (USB drives, customer info)
- Risks are changing (active shooters, disgruntled employees)
- Don't forget! The objectives of physical security are:
  - Human safety
  - Confidentiality
  - Integrity
  - Availability
- Not limited by the size of an organization!
Convergence of Methodologies
- The network assessment methodology is identical (NIST 800-42):
  - Planning: objective and scope
  - Discovery: remote and on-site reconnaissance
  - Attack: penetration test and walk through
  - Reporting: final report and lessons learned
- OSSTMM (Open Source Security Testing Methodology Manual)
The Security Map
- Visual display of the security presence
- Six sections of the OSSTMM
- Sections overlap and contain elements of all other sections
- Proper testing of any one section must include the elements of all other sections, direct or indirect
* Security Map: Pete Herzog, ISECOM
Planning the Assessment: Critical Tasks
- What are we trying to protect at the location(s)?
  - List the critical assets (these can be your objectives if applicable)
  - Rank them (high, medium, low)
- What are the threats to the location(s)?
  - Weather, fire, high crime rate, employee turnover
Planning the Assessment
- Who will conduct the assessment?
  - Third-party involvement
  - Team members
- What is the scope?
  - Process and controls
  - Security awareness: is the team challenged for ID?
  - Removal of confidential customer information
  - Steal a laptop, proprietary information
  - Social engineering included?
- Target selection
  - Regional location, size of facility, dates (schedule well in advance)
Planning the Assessment, continued
- Escalation contact list
  - Include it in the authorization to test letter
- Walk through contact (very important)
  - Facility person, security guard, department head
  - They should not know when you are on-site!
- Don't forget! The Authorization to Test Letter (aka: get out of jail free card, literally!)
Authorization to Test Letter Example
Assessment Team Structure: Identify a team leader!
- Team leader
  - Handles all coordination
  - Sets up meetings
  - Central point of contact for feedback and problems
  - Compiles and documents results
  - Puts together the final report
- Should be your most senior member to start out
- To avoid burn out, rotate the team leader position!
Assessment Team Structure: Team Members
- Maximum of three internal team members
  - Dependent on scope
- Assist with all phases if required
- Document results and observations (photos are good for keeping a log)
- Communicate issues or problems to the team lead (cell phone required!)
- Decide on third-party involvement
  - Comfort factor
  - Anonymity of the testing team
  - $$$
Remote Reconnaissance
- Gather as much information as possible off-site!
  - Floor plans from company documents
  - Google Maps satellite views
  - Google searches for news and information about the target location(s)
  - Better yet, use Maltego! http://www.paterva.com/web/maltego/
  - Number of employees at the location(s) and listings
  - Job functions, departments at the site (phone numbers)
  - Security guards? Armed?
  - Access control: card readers? Photo IDs?
  - Call or email the city building department for blueprints (seriously!)
Maltego for Reconnaissance
- Can be used to determine the relationships and real-world links between:
  - People
  - Groups of people (social networks)
  - Companies
  - Organizations
  - Web sites
  - Internet infrastructure such as domains, DNS names, netblocks, IP addresses
  - Phrases
  - Affiliations
  - Documents and files
On-site Reconnaissance
- 1/2 or 1 day is recommended for on-site recon
- At a remote location or region? Coordinate with the pen test team the night before to discuss the recon plan
- Two team members maximum
- Ensure you have authorization to test letters in hand!
- Things to observe:
  - Building location, parking, traffic patterns
  - Employee entrance procedures (smokers' area?)
  - Look for cameras and access control systems
  - After hours procedures? Are things different at night?
Penetration Test Phase
- After on-site recon, determine the plan!
- Create multiple scenarios based on your objectives. Some examples:
  - Tailgate (easiest)
  - Look like you belong (goes great with tailgating)
  - Printer repair man
  - "I'm late for a meeting!"
  - Chat with the smokers
  - "I forgot my badge"
  - "I'm here to see <INSERT NAME OF EXECUTIVE>"
  - Use a business card (faked) as ID
  - Create a fake ID
Penetration Test Phase, continued
- Take photos if you can
- Use conference rooms to your advantage
- Be prepared to be compromised
  - If you feel someone wants to challenge you, quickly turn around and walk the other way!
  - If you are asked for ID, fake it for a minute. If you think it's over, pull out the authorization letter.
  - Be ready to make a phone call if needed
- Do not endanger yourself or others! (Beware of big dogs!)
Walk Through Phase
- Conducted after the penetration test
- Time frame depends on objectives and location
- One team member should be coordinating the walk through with the designated contact during the pen test
  - Ensure you will have someone available
  - No chance of pen test compromise
- Be prepared to escalate to management
Walk Through Phase, continued
- Conducted by at least two team members with the facility contact
- What are we looking for?
  - Perimeter controls
  - Confidentiality control of hard-copy data
  - Internal access controls
  - Cameras/alarms
  - Personnel practices (security awareness)
  - Emergency procedures (evacuation)
  - Fire extinguishers (expired?)
- OSSTMM is a good place to start for creating a physical security checklist
  - No one standard; dependent on your organization
Walk Through Phase, continued
[Image: Full Metal Jacket, 1987, Warner Bros. Pictures]
- Ask questions! Do you have any security concerns?
- Take notes and pictures
  - Ask for permission prior to taking pictures
- Tell them about the penetration test
  - Prepare for hostility!
  - Put an awareness spin on it. You're not getting in trouble.
Reporting and Lessons Learned
- Team leader compiles notes and results from team members
- Prepare the final report ASAP
- Set up meetings shortly after the assessment with management of the facilities
  - Don't wait too long! You will lose the effectiveness of the assessment.
  - Keep them in the loop
- Lessons learned with the assessment team!
  - Set up a meeting; include the third party if used
  - What went well? What didn't?
Standards and Books
- OSSTMM: Open-Source Security Testing Methodology Manual, Version 2.2
  http://www.isecom.org/osstmm/
- NIST 800-12 (Chapter 15, Physical Security)
  http://csrc.nist.gov/publications/nistpubs/800-12/
- NIST 800-42 (Guideline on Network Security Testing)
  http://csrc.nist.gov/publications/nistpubs/800-42/nist-sp800-42.pdf
- Physical Security for IT, Michael Erbschloe
- The Design and Evaluation of Physical Protection Systems, Mary Lynn Garcia
- Vulnerability Assessment of Physical Protection Systems, Mary Lynn Garcia
Questions? Email: tom@spylogic.net