Physical Security Assessments

Physical Security Assessments Tom Eston Spylogic.net

Topics
Convergence of Physical and Logical Assessment Methodologies
Planning the Assessment
Team Structure
Reconnaissance
Penetration Phase
Walk Through Phase
Lessons Learned

Penetration Test Definition
Simulate the activities of a potential intruder
Attempt to gain access without being detected
Gain a realistic understanding of a site’s security posture

Why conduct a physical security assessment?
Assess the physical security of a location
Test physical security procedures and user awareness
Information assets can now be more valuable then physical ones (USB drives, customer info)
Risks are changing (active shooters, disgruntled employees)
Don’t forget! Objectives of Physical Security:
Human Safety
Confidentiality
Integrity
Availability
Not limited by the size of an organization!

Convergence of Methodologies
Network assessment methodology is identical (NIST 800-42):
Planning
Objective and Scope
Discovery
Remote and On-site reconnaissance
Attack
Penetration test and walk through
Reporting
Final report and lessons learned
OSSTMM ( Open Source Security Testing Methodology Manual)

The Security Map
Visual display of the security presence
Six sections of the OSSTMM
Sections overlap and contain elements of all other sections
Proper testing of any one section must include the elements of all other sections, direct or indirect
* Security Map © Pete Herzog, ISECOM

Planning the Assessment – Critical Tasks
What are we trying to protect at the locations(s)?
List the critical assets (these can be your objectives if applicable)
Rank them (high, medium, low)
What are the threats to the locations(s)?
Weather, Fire, High Crime Rate, Employee turnover

Planning the Assessment
Who will conduct the assessment?
Third party involvement
Team members
What is the scope?
Process and controls
Security awareness- Is the team challenged for ID?
Removal of confidential customer information
Steal laptop, proprietary information
Social engineering included?
Target selection
Regional location, size of facility, dates (schedule well in advance)

Planning the assessment continued…
Escalation contact list
Include in the authorization to test letter
Walk through contact (very important)
Facility person, security guard, department head
They should not know when you are on-site!
Do not forgot! The Authorization to Test Letter
(aka: Get out of jail free card- literally!)

Authorization to Test Letter Example

Assessment Team Structure - Team Leader
Identify a team leader!
Handles all coordination
Sets up meetings
Central point of contact for feedback and problems
Compile and document results
Put together the final report
Should be your most senior member to start out
To avoid burn out…rotate the team leader position!

Assessment Team Structure - Team Members
Maximum of three internal team members
Dependent on scope
Assist with all phases if required
Document results and observations (photos..good for keeping a log)
Communicate issues or problems to the team lead (cell phone required!)
Decide on third-party involvement
Comfort factor
Anonymity of the testing team
$$$

Remote Reconnaissance
Gather as much information as possible off-site!
Floor plans from company documents
Google Maps satellite views
Google searches for news and information about the target location(s)
Better yet…use Maltego ! http://www.paterva.com/web/Maltego/
Number of employees at the locations(s) and listings
Job functions, departments at the site (phone numbers)
Security guards? Armed?
Access Control - Card Readers? Photo ID’s?
Call or email the city building department for blueprints…seriously!

Maltego for Reconnaissance
Can be used to determine the relationships and real world links between:
People
Groups of people (social networks)
Companies
Organizations
Web sites
Internet infrastructure such as:
Domains
DNS names
Netblocks
IP addresses
Phrases
Affiliations
Documents and files

On-site Reconnaissance
1/2 or 1 day is recommended for on-site recon
At a remote location or region?
Coordinate with the pen test team the night before to discuss the recon plan
Two team members maximum
Ensure you have authorization to test letters in hand!
Things to observe:
Building location, parking, traffic patterns
Employee entrance procedures (smokers area?)
Look for cameras and access control systems
After hours procedures? Are things different at night?

Penetration Test Phase
After on-site recon, determine the plan!
Create multiple scenarios based on your objectives
Some examples:
Tailgate (easiest)
Look like you belong (goes great with tailgating)
Printer repair man
“I’m late for a meeting!”
Chat with the smokers
“I forgot my badge”
I’m here to see <INSERT NAME OF EXECUTIVE>
Use a business card (faked) as ID
Create a fake ID

Penetration Test Phase Continued…
Take photos if you can
Use conference rooms to your advantage
Be prepared to be compromised
If you feel someone wants to challenge you…quickly turn around and walk the other way!
If you are asked for ID..fake it for a minute. If you think it’s over, pull out the authorization letter.
Be ready to make a phone call if needed
Do not endanger yourself or others! (Beware of big dogs!)

Walk Through Phase
Conducted after the penetration test
Time frame depends on objectives and location
One team member should be coordinating the walk through with the designated contact during the pen test
Ensure you will have someone available
No chance of pen test compromise
Be prepared to escalate to management

Walk Through Phase Continued…
Conducted by at least two team members with the facility contact
What are we looking for?
Perimeter controls
Confidentiality control of hard-copy data
Internal access controls
Cameras/Alarms
Personnel practices (security awareness)
Emergency procedures (evacuation)
Fire extinguishers (expired?)
OSSTMM is a good place to start for creating a physical security checklist
No one standard, dependent on your organization

Walk Through Phase Continued…
Ask questions!
“ Do you have any security concerns?”
Take notes and pictures
Ask for permission prior to taking pictures
Tell them about the penetration test
Prepare for “hostility”!
Put an awareness spin to it. “Your not getting in trouble”
“ Full Metal Jacket” © 1987 Warner Bros. Pictures

Reporting and Lessons Learned
Team Leader compiles notes and results from team members
Prepare the final report ASAP
Setup meetings shortly after the assessment with management of the facilities
Don’t wait too long! You will loose the effectiveness of the assessment.
Keep them in the loop
Lessons learned with the assessment team!
Setup a meeting – include third-party if used
What went well? What didn’t?

Standards and Books
OSSTMM
Open-Source Security Testing Methodology Manual
Version 2.2 http://www.isecom.org/osstmm/
NIST 800-12 (Chapter 15 – Physical Security)
http://csrc.nist.gov/publications/nistpubs/800-12/
NIST 800-42 (Guideline on Network Security Testing)
http://csrc.nist.gov/publications/nistpubs/800-42/NIST-SP800-42.pdf
Physical Security for IT
Michael Erbschloe
The Design and Evaluation of Physical Protection Systems Vulnerability Assessment of Physical Protection Systems
Mary Lynn Garcia

Questions? Email: tom@spylogic.net

http://www.slideshare.net	44
http://www.ferassayed.com	5
http://fabian.bustillos.googlepages.com	3

Physical Security Assessments

by Tom Eston on Dec 01, 2008

Accessibility

Categories

Tags

Upload Details

Usage Rights

3 Embeds 52

Statistics

Physical Security Assessments — Presentation Transcript