Thursday, 20 November 2014

Enhancing your cyber defence through a physical security assessment

Physical Security Assessments can be viewed as a penetration test against the physical infrastructure of an organisation. Instead of assessing computer networks and services, the assessment targets buildings and physical locations. The physical security of a building's location, its facilities and its access controls are all in scope. Physical security is often overlooked, yet the consequences of a physical breach can be as severe as those of a computer breach.

A common occurrence during a physical breach is an unauthorised person walking into a restricted area, gaining access to sensitive systems and information, and walking out again without being stopped. Sometimes these individuals manage to get access to server rooms, install remote access devices in the internal network infrastructure, or even walk out with storage media containing confidential information.

Companies tend to have a number of security controls and mechanisms in place to detect and prevent access by unauthorised third parties. Common effective measures include access control systems, CCTV cameras, security guards, badges for authorised personnel, keypads on doors and alarmed doors.

During a Physical Security Assessment all of the aforementioned security controls are assessed: their effectiveness is tested and their overall performance is evaluated. Assessments can be categorised as non-invasive or invasive, depending on the tasks set forth.
  • Most of the time Physical Security Assessments are non-invasive and involve a walk-through of a client's premises accompanied by the staff responsible for the physical security of the establishment. During this non-invasive assessment the aforementioned security controls are evaluated and any potential security issues are pointed out.
  • In the case of invasive Physical Security Assessments, a security consultant attempts to "break in" to the physical location of the target in scope. They do this by identifying a way to infiltrate the computer network, gain access to sensitive information and, if it is part of the assessment, leave while remaining unnoticed. This type of security assessment involves several stages. Publicly available information about the target is gathered beforehand; information found in public records, satellite images and social networks is only the starting point. This reconnaissance phase includes considering a number of plausible scenarios for gaining access to the target's premises, taking a combined approach to logical and physical security.

Social Engineering is a key element of this type of assessment, as it is often used to gain access to the premises and to sensitive information. Depending on what has been agreed beforehand with the client, the security consultant follows different methods and tactics and takes the necessary steps in order to be successful. Undoubtedly the security consultant will need to be familiar with a number of physical security controls, have experience in Social Engineering tactics and, last but not least, have a good understanding of the latest technologies surrounding these types of assessments.

Spending a significant amount of money on physical security controls does not guarantee their effectiveness if they are not tested appropriately, preferably on an annual basis. It is not uncommon to find controls that can be easily evaded, misconfigured systems that can be bypassed, and alternative access routes where security has not been implemented correctly. Security is an ongoing process, and a recurring Physical Security Assessment should take into account the latest technological advances capable of bypassing the existing controls.

Last but not least, using the Cloud to store data does not take the Physical Security Assessment out of scope, especially if the physical infrastructure resides in a data centre that can be visited by anyone. Data theft is still possible if the security controls in the data centre are not properly implemented or are not followed to the letter. Consequently, assessing the accessibility and security of the servers in such a shared physical environment should also be considered in scope.

Corporate espionage, untrusted third parties, malicious insiders, human error and security weaknesses resulting from a lack of physical security awareness all expose the physical infrastructure to a number of threats. The physical security of data should always be considered a critical aspect of every infrastructure, and most importantly of data security. When it comes to assessing and better safeguarding the physical security of data and critical information, Sysnet's Physical Security Assessments are invaluable.

Sysnet Global Solutions provides a complete range of information security consultancy and assurance services. A special focus for us is the various Payment Card Industry (PCI) standards, where we use pragmatic, risk-based solutions to help acquirers, independent sales organisations (ISOs), global financial institutions, payment service providers and merchants across all industries achieve and maintain their compliance. To learn more about our Consulting solutions or for more information about our services, please visit Consulting services or email

-- This is a blog post I created for Sysnet and I am reposting it here for historical purposes. This was originally posted here.
