Physical Security Assessments

Presentation I did for the 2007 Information Security Summit in Cleveland, Ohio, on Physical Security Assessments.

  1. Physical Security Assessments
     Tom Eston, Spylogic.net

  2. Topics
     - Convergence of physical and logical assessment methodologies
     - Planning the assessment
     - Team structure
     - Reconnaissance
     - Penetration phase
     - Walk-through phase
     - Lessons learned

  3. Penetration Test Definition
     - Simulate the activities of a potential intruder
     - Attempt to gain access without being detected
     - Gain a realistic understanding of a site's security posture

  4. Why conduct a physical security assessment?
     - Assess the physical security of a location
     - Test physical security procedures and user awareness
     - Information assets can now be more valuable than physical ones (USB drives, customer information)
     - Risks are changing (active shooters, disgruntled employees)
     - Don't forget the objectives of physical security:
       - Human safety
       - Confidentiality
       - Integrity
       - Availability
     - Not limited by the size of an organization!

  5. Convergence of Methodologies
     - The network assessment methodology (NIST SP 800-42) applies unchanged:
       - Planning: objective and scope
       - Discovery: remote and on-site reconnaissance
       - Attack: penetration test and walk-through
       - Reporting: final report and lessons learned
     - OSSTMM (Open Source Security Testing Methodology Manual)

  6. The Security Map
     - Visual display of the security presence
     - Six sections of the OSSTMM
     - Sections overlap and contain elements of all other sections
     - Proper testing of any one section must include the elements of all other sections, direct or indirect
     [Image: Security Map © Pete Herzog, ISECOM]

  7. Planning the Assessment – Critical Tasks
     - What are we trying to protect at the location(s)?
       - List the critical assets (these can be your objectives, if applicable)
       - Rank them (high, medium, low)
     - What are the threats to the location(s)?
       - Weather, fire, high crime rate, employee turnover

  8. Planning the Assessment
     - Who will conduct the assessment?
       - Third-party involvement
       - Team members
     - What is the scope?
       - Process and controls
       - Security awareness: is the team challenged for ID?
       - Removal of confidential customer information
       - Stealing a laptop or proprietary information
       - Is social engineering included?
     - Target selection
       - Regional location, size of facility, dates (schedule well in advance)

  9. Planning the Assessment, continued
     - Escalation contact list
       - Include it in the authorization-to-test letter
     - Walk-through contact (very important)
       - Facility person, security guard, department head
       - They should not know when you are on-site!
     - Do not forget the authorization-to-test letter
       - (aka the "get out of jail free" card, literally!)

  10. Authorization to Test Letter Example
      [Image: example authorization-to-test letter]

  11. Assessment Team Structure – Team Leader
      - Identify a team leader!
        - Handles all coordination
        - Sets up meetings
        - Central point of contact for feedback and problems
        - Compiles and documents results
        - Puts together the final report
        - Should be your most senior member to start out
      - To avoid burnout, rotate the team leader position!

  12. Assessment Team Structure – Team Members
      - Maximum of three internal team members
        - Dependent on scope
        - Assist with all phases if required
        - Document results and observations (photos are good for keeping a log)
        - Communicate issues or problems to the team lead (cell phone required!)
      - Decide on third-party involvement
        - Comfort factor
        - Anonymity of the testing team
        - $$$

  13. Remote Reconnaissance
      - Gather as much information as possible off-site!
        - Floor plans from company documents
        - Google Maps satellite views
        - Google searches for news and information about the target location(s)
          - Better yet, use Maltego: http://www.paterva.com/web/Maltego/
        - Number of employees at the location(s) and listings
        - Job functions and departments at the site (phone numbers)
        - Security guards? Armed?
        - Access control: card readers? Photo IDs?
        - Call or email the city building department for blueprints... seriously!

  14. Maltego for Reconnaissance
      - Can be used to determine the relationships and real-world links between:
        - People
        - Groups of people (social networks)
        - Companies
        - Organizations
        - Web sites
        - Internet infrastructure such as:
          - Domains
          - DNS names
          - Netblocks
          - IP addresses
        - Phrases
        - Affiliations
        - Documents and files

  15. On-site Reconnaissance
      - Half a day or one full day is recommended for on-site recon
      - At a remote location or region? Coordinate with the pen test team the night before to discuss the recon plan
      - Two team members maximum
      - Ensure you have the authorization-to-test letters in hand!
      - Things to observe:
        - Building location, parking, traffic patterns
        - Employee entrance procedures (smokers' area?)
        - Look for cameras and access control systems
        - After-hours procedures: are things different at night?

  16. Penetration Test Phase
      - After on-site recon, determine the plan!
        - Create multiple scenarios based on your objectives
        - Some examples:
          - Tailgate (easiest)
          - Look like you belong (goes great with tailgating)
          - Printer repair man
          - "I'm late for a meeting!"
          - Chat with the smokers
          - "I forgot my badge"
          - "I'm here to see <INSERT NAME OF EXECUTIVE>"
          - Use a (faked) business card as ID
          - Create a fake ID

  17. Penetration Test Phase, continued
      - Take photos if you can
      - Use conference rooms to your advantage
      - Be prepared to be compromised
        - If you feel someone wants to challenge you, quickly turn around and walk the other way!
        - If you are asked for ID, fake it for a minute. If you think it's over, pull out the authorization letter.
        - Be ready to make a phone call if needed
        - Do not endanger yourself or others! (Beware of big dogs!)

  18. Walk-Through Phase
      - Conducted after the penetration test
        - Time frame depends on objectives and location
      - One team member should coordinate the walk-through with the designated contact while the pen test is under way
        - Ensure you will have someone available
        - So there is no chance of compromising the pen test
        - Be prepared to escalate to management

  19. Walk-Through Phase, continued
      - Conducted by at least two team members with the facility contact
      - What are we looking for?
        - Perimeter controls
        - Confidentiality controls for hard-copy data
        - Internal access controls
        - Cameras and alarms
        - Personnel practices (security awareness)
        - Emergency procedures (evacuation)
        - Fire extinguishers (expired?)
      - OSSTMM is a good place to start for creating a physical security checklist
        - There is no single standard; it depends on your organization

  20. Walk-Through Phase, continued
      - Ask questions!
        - "Do you have any security concerns?"
      - Take notes and pictures
        - Ask for permission prior to taking pictures
      - Tell them about the penetration test
        - Prepare for "hostility"!
        - Put an awareness spin on it: "You're not getting in trouble"
      [Image: still from "Full Metal Jacket" © 1987 Warner Bros. Pictures]

  21. Reporting and Lessons Learned
      - Team leader compiles notes and results from team members
        - Prepare the final report ASAP
      - Set up meetings with facility management shortly after the assessment
        - Don't wait too long! You will lose the effectiveness of the assessment.
        - Keep them in the loop
      - Lessons learned with the assessment team!
        - Set up a meeting; include the third party if one was used
        - What went well? What didn't?

  22. Standards and Books
      - OSSTMM: Open Source Security Testing Methodology Manual, version 2.2, http://www.isecom.org/osstmm/
      - NIST SP 800-12, Chapter 15 (Physical Security), http://csrc.nist.gov/publications/nistpubs/800-12/
      - NIST SP 800-42, Guideline on Network Security Testing, http://csrc.nist.gov/publications/nistpubs/800-42/NIST-SP800-42.pdf
      - Physical Security for IT, Michael Erbschloe
      - The Design and Evaluation of Physical Protection Systems, Mary Lynn Garcia
      - Vulnerability Assessment of Physical Protection Systems, Mary Lynn Garcia

  23. Questions? Email: tom@spylogic.net