Physical Security Assessments

Presentation I did for the 2007 Information Security Summit in Cleveland, Ohio on Physical Security Assessments.


Physical Security Assessments

  1. Physical Security Assessments
     Tom Eston

  2. Topics
     - Convergence of Physical and Logical Assessment Methodologies
     - Planning the Assessment
     - Team Structure
     - Reconnaissance
     - Penetration Phase
     - Walk Through Phase
     - Lessons Learned

  3. Penetration Test Definition
     - Simulate the activities of a potential intruder
     - Attempt to gain access without being detected
     - Gain a realistic understanding of a site's security posture

  4. Why conduct a physical security assessment?
     - Assess the physical security of a location
     - Test physical security procedures and user awareness
     - Information assets can now be more valuable than physical ones (USB drives, customer info)
     - Risks are changing (active shooters, disgruntled employees)
     - Don't forget! Objectives of Physical Security:
         - Human Safety
         - Confidentiality
         - Integrity
         - Availability
     - Not limited by the size of an organization!

  5. Convergence of Methodologies
     - Network assessment methodology is identical (NIST 800-42):
         - Planning
             - Objective and Scope
         - Discovery
             - Remote and On-site reconnaissance
         - Attack
             - Penetration test and walk through
         - Reporting
             - Final report and lessons learned
     - OSSTMM (Open Source Security Testing Methodology Manual)

  6. The Security Map
     - Visual display of the security presence
     - Six sections of the OSSTMM
     - Sections overlap and contain elements of all other sections
     - Proper testing of any one section must include the elements of all other sections, direct or indirect
     * Security Map © Pete Herzog, ISECOM

  7. Planning the Assessment – Critical Tasks
     - What are we trying to protect at the location(s)?
         - List the critical assets (these can be your objectives if applicable)
         - Rank them (high, medium, low)
     - What are the threats to the location(s)?
         - Weather, fire, high crime rate, employee turnover

  8. Planning the Assessment
     - Who will conduct the assessment?
         - Third-party involvement
         - Team members
     - What is the scope?
         - Process and controls
         - Security awareness: is the team challenged for ID?
         - Removal of confidential customer information
         - Steal a laptop, proprietary information
         - Social engineering included?
     - Target selection
         - Regional location, size of facility, dates (schedule well in advance)

  9. Planning the Assessment Continued…
     - Escalation contact list
         - Include it in the authorization to test letter
     - Walk through contact (very important)
         - Facility person, security guard, department head
         - They should not know when you are on-site!
     - Do not forget! The Authorization to Test Letter
         - (aka: Get out of jail free card – literally!)

  10. Authorization to Test Letter Example

  11. Assessment Team Structure – Team Leader
     - Identify a team leader!
         - Handles all coordination
         - Sets up meetings
         - Central point of contact for feedback and problems
         - Compiles and documents results
         - Puts together the final report
         - Should be your most senior member to start out
     - To avoid burnout…rotate the team leader position!

  12. Assessment Team Structure – Team Members
     - Maximum of three internal team members
         - Dependent on scope
         - Assist with all phases if required
         - Document results and observations (photos are good for keeping a log)
         - Communicate issues or problems to the team lead (cell phone required!)
     - Decide on third-party involvement
         - Comfort factor
         - Anonymity of the testing team
         - $$$

  13. Remote Reconnaissance
     - Gather as much information as possible off-site!
         - Floor plans from company documents
         - Google Maps satellite views
         - Google searches for news and information about the target location(s)
             - Better yet…use Maltego!
         - Number of employees at the location(s) and listings
         - Job functions, departments at the site (phone numbers)
         - Security guards? Armed?
         - Access control – card readers? Photo IDs?
         - Call or email the city building department for blueprints…seriously!

  14. Maltego for Reconnaissance
     - Can be used to determine the relationships and real-world links between:
         - People
         - Groups of people (social networks)
         - Companies
         - Organizations
         - Web sites
         - Internet infrastructure such as:
             - Domains
             - DNS names
             - Netblocks
             - IP addresses
         - Phrases
         - Affiliations
         - Documents and files

  15. On-site Reconnaissance
     - 1/2 or 1 day is recommended for on-site recon
     - At a remote location or region?
         - Coordinate with the pen test team the night before to discuss the recon plan
     - Two team members maximum
     - Ensure you have authorization to test letters in hand!
     - Things to observe:
         - Building location, parking, traffic patterns
         - Employee entrance procedures (smokers' area?)
         - Look for cameras and access control systems
         - After-hours procedures? Are things different at night?

  16. Penetration Test Phase
     - After on-site recon, determine the plan!
         - Create multiple scenarios based on your objectives
         - Some examples:
             - Tailgate (easiest)
             - Look like you belong (goes great with tailgating)
             - Printer repairman
             - "I'm late for a meeting!"
             - Chat with the smokers
             - "I forgot my badge"
             - "I'm here to see <INSERT NAME OF EXECUTIVE>"
             - Use a business card (faked) as ID
             - Create a fake ID

  17. Penetration Test Phase Continued…
     - Take photos if you can
     - Use conference rooms to your advantage
     - Be prepared to be compromised
         - If you feel someone wants to challenge you…quickly turn around and walk the other way!
         - If you are asked for ID, fake it for a minute. If you think it's over, pull out the authorization letter.
         - Be ready to make a phone call if needed
         - Do not endanger yourself or others! (Beware of big dogs!)

  18. Walk Through Phase
     - Conducted after the penetration test
         - Time frame depends on objectives and location
     - One team member should be coordinating the walk through with the designated contact during the pen test
         - Ensure you will have someone available
         - No chance of pen test compromise
         - Be prepared to escalate to management

  19. Walk Through Phase Continued…
     - Conducted by at least two team members with the facility contact
     - What are we looking for?
         - Perimeter controls
         - Confidentiality control of hard-copy data
         - Internal access controls
         - Cameras/alarms
         - Personnel practices (security awareness)
         - Emergency procedures (evacuation)
         - Fire extinguishers (expired?)
     - OSSTMM is a good place to start for creating a physical security checklist
         - No one standard; dependent on your organization

  20. Walk Through Phase Continued…
     - Ask questions!
         - "Do you have any security concerns?"
     - Take notes and pictures
         - Ask for permission prior to taking pictures
     - Tell them about the penetration test
         - Prepare for "hostility"!
         - Put an awareness spin on it: "You're not getting in trouble"
     "Full Metal Jacket" © 1987 Warner Bros. Pictures

  21. Reporting and Lessons Learned
     - Team leader compiles notes and results from team members
         - Prepare the final report ASAP
     - Set up meetings shortly after the assessment with management of the facilities
         - Don't wait too long! You will lose the effectiveness of the assessment.
         - Keep them in the loop
     - Lessons learned with the assessment team!
         - Set up a meeting – include the third party if used
         - What went well? What didn't?

  22. Standards and Books
     - OSSTMM
         - Open Source Security Testing Methodology Manual
         - Version 2.2
     - NIST 800-12 (Chapter 15 – Physical Security)
     - NIST 800-42 (Guideline on Network Security Testing)
     - Physical Security for IT
         - Michael Erbschloe
     - The Design and Evaluation of Physical Protection Systems; Vulnerability Assessment of Physical Protection Systems
         - Mary Lynn Garcia

  23. Questions? Email: