What Can Go Wrong During a Physical Penetration Test
As with every type of penetration test we perform, our engineers are experienced and know how to balance the goal of giving you a realistic view of your vulnerabilities with the need to avoid business disruptions. However, just like other types of tests, as good as we may be, there can occasionally be problems that arise. In this blog, we will look at two things that can go wrong during a physical penetration test and what we do to avoid them.
Problem 1: We Get Caught Early
One of the biggest risks with a physical penetration test that we do not have with other types of tests, with the exception of maybe social engineering, is that if we get caught, the test is compromised. The whole point of a physical penetration test is to emulate an attacker trying to physically break into your organization. Therefore, if we get caught trying to break into your building, everyone is going to know about it very quickly, and then the likelihood of the engineer who was just caught “blending in” is slim to none.
To mitigate this risk, Triaxiom takes several precautions. First, for the majority of physical penetration tests we send multiple engineers. That way, if one gets caught, we still have another engineer who has yet to be seen and can continue testing. Additionally, if we do get caught, we try to contain that incident. Once we work it out with the relevant parties that we were authorized to be here and do what we were doing, we try to end the communication at that point and reset. This allows the engineer to conduct additional attempts at night, other buildings, etc. Finally, we always start with our most advanced attack paths first and slowly lower the sophistication to try to determine your level of risk. By starting with our most sophisticated attacks first, we have a much lower chance of being caught and we can more accurately gauge what your organization’s risk level is, as it relates to physical access.
In the worst case scenario, where all of our engineers are compromised during the assessment, we can still provide value. Once the call is made that there is no chance we are getting in undetected, we will switch the assessment to more of a physical security audit. This way, we can walk around and evaluate whether there are any gaps in your physical security posture in a non-adversarial manner. This allows us to add value and improve your security posture, even if you have a strong security baseline that prevented unauthorized access.
Problem 2: The Authorities Get Involved
A second thing that can go wrong during a physical penetration test is that we get caught in more significant way, usually one that involves police, etc. Although it is extremely rare, and most of the time things go off without a hitch, our engineers have been confronted by the police during a physical penetration test. To avoid any problems arising, before we start a physical penetration test, we require a letter of authorization to be filled out on your letterhead and signed by the company official authorizing the test. Triaxiom engineers are trained to try to use social engineering tactics on initial confrontation (besides when the actual police are involved). But, if that does not work or more formal authorities are involved, the engineers are going to quickly give up the attempt and show the authorization letter. Usually, the person who confronts us will want to call the authorized party and ensure we are in fact authorized, which is why it is important we have a cell phone listed. Finally, in some situations, such as tests in rural areas, we will request that the client reach out to the local police force and inform that a test is ongoing. This just makes sure everything is safe and there are no accidents/confrontations.
Conclusion
During a physical penetration test, we do everything we can to give you a good test while avoiding any problems or disruptions to your business’s day-to-day operations. With that being said, in rare instances things can go wrong during a physical penetration test. In this blog we looked at two of them, getting caught early and getting caught where the authorities get involved. In both of these situations, we take precautions to lessen the likelihood of them happening where possible and lower the ramifications if they do happen. Even in the instance mentioned where the police showed up, we were able to work it out and still provide a great test, although we would like to avoid that ever happening again for the sake of our health.