Physical Security Assessments


description

Presentation I did for the 2007 Information Security Summit in Cleveland, Ohio on Physical Security Assessments.

Transcript of Physical Security Assessments

Page 1: Physical Security Assessments

Physical Security Assessments

Tom Eston

Spylogic.net

Page 2: Physical Security Assessments

Physical Security Assessments

Topics

Convergence of Physical and Logical Assessment Methodologies
Planning the Assessment
Team Structure
Reconnaissance
Penetration Phase
Walk Through Phase
Lessons Learned

Page 3: Physical Security Assessments

Penetration Test Definition

Simulate the activities of a potential intruder
Attempt to gain access without being detected
Gain a realistic understanding of a site’s security posture

Page 4: Physical Security Assessments

Why conduct a physical security assessment?

Assess the physical security of a location
Test physical security procedures and user awareness
Information assets can now be more valuable than physical ones (USB drives, customer info)
Risks are changing (active shooters, disgruntled employees)
Don’t forget! Objectives of Physical Security:
– Human Safety
– Confidentiality
– Integrity
– Availability

Not limited by the size of an organization!

Page 5: Physical Security Assessments

Convergence of Methodologies

Network assessment methodology is identical (NIST 800-42):
– Planning – Objective and Scope
– Discovery – Remote and On-site reconnaissance
– Attack – Penetration test and walk through
– Reporting – Final report and lessons learned

OSSTMM (Open Source Security Testing Methodology Manual)

Page 6: Physical Security Assessments

The Security Map

Visual display of the security presence
Six sections of the OSSTMM
Sections overlap and contain elements of all other sections
Proper testing of any one section must include the elements of all other sections, direct or indirect

* Security Map © Pete Herzog, ISECOM

Page 7: Physical Security Assessments

Planning the Assessment – Critical Tasks

What are we trying to protect at the location(s)?
– List the critical assets (these can be your objectives if applicable)
– Rank them (high, medium, low)

What are the threats to the location(s)?
– Weather, fire, high crime rate, employee turnover

Page 8: Physical Security Assessments

Planning the Assessment

Who will conduct the assessment?
– Third party involvement
– Team members

What is the scope?
– Process and controls
– Security awareness – is the team challenged for ID?
– Removal of confidential customer information
– Steal laptop, proprietary information
– Social engineering included?

Target selection
– Regional location, size of facility, dates (schedule well in advance)

Page 9: Physical Security Assessments

Planning the assessment continued…

Escalation contact list
– Include in the authorization to test letter

Walk through contact (very important)
– Facility person, security guard, department head
– They should not know when you are on-site!

Do not forget! The Authorization to Test Letter
(aka: Get out of jail free card – literally!)

Page 10: Physical Security Assessments

Authorization to Test Letter Example

Page 11: Physical Security Assessments

Assessment Team Structure – Team Leader

Identify a team leader!
– Handles all coordination
– Sets up meetings
– Central point of contact for feedback and problems
– Compiles and documents results
– Puts together the final report
– Should be your most senior member to start out

To avoid burn out…rotate the team leader position!

Page 12: Physical Security Assessments

Assessment Team Structure – Team Members

Maximum of three internal team members
– Dependent on scope
– Assist with all phases if required
– Document results and observations (photos…good for keeping a log)
– Communicate issues or problems to the team lead (cell phone required!)

Decide on third-party involvement
– Comfort factor
– Anonymity of the testing team
– $$$

Page 13: Physical Security Assessments

Remote Reconnaissance

Gather as much information as possible off-site!
– Floor plans from company documents
– Google Maps satellite views
– Google searches for news and information about the target location(s)
– Better yet…use Maltego! http://www.paterva.com/web/Maltego/
– Number of employees at the location(s) and listings
– Job functions, departments at the site (phone numbers)
– Security guards? Armed?
– Access control – card readers? Photo IDs?
– Call or email the city building department for blueprints…seriously!

Page 14: Physical Security Assessments

Maltego for Reconnaissance

Can be used to determine the relationships and real world links between:
– People
– Groups of people (social networks)
– Companies
– Organizations
– Web sites
– Internet infrastructure such as: domains, DNS names, netblocks, IP addresses
– Phrases
– Affiliations
– Documents and files

Page 15: Physical Security Assessments

On-site Reconnaissance

1/2 or 1 day is recommended for on-site recon
At a remote location or region?
– Coordinate with the pen test team the night before to discuss the recon plan
Two team members maximum
Ensure you have authorization to test letters in hand!

Things to observe:
– Building location, parking, traffic patterns
– Employee entrance procedures (smokers area?)
– Look for cameras and access control systems
– After hours procedures? Are things different at night?

Page 16: Physical Security Assessments

Penetration Test Phase

After on-site recon, determine the plan!
Create multiple scenarios based on your objectives

Some examples:
– Tailgate (easiest)
– Look like you belong (goes great with tailgating)
– Printer repair man
– “I’m late for a meeting!”
– Chat with the smokers
– “I forgot my badge”
– I’m here to see <INSERT NAME OF EXECUTIVE>
– Use a business card (faked) as ID
– Create a fake ID

Page 17: Physical Security Assessments

Penetration Test Phase Continued…

Take photos if you can
Use conference rooms to your advantage
Be prepared to be compromised
If you feel someone wants to challenge you…quickly turn around and walk the other way!
If you are asked for ID…fake it for a minute. If you think it’s over, pull out the authorization letter.
Be ready to make a phone call if needed
Do not endanger yourself or others! (Beware of big dogs!)

Page 18: Physical Security Assessments

Walk Through Phase

Conducted after the penetration test
Time frame depends on objectives and location

One team member should be coordinating the walk through with the designated contact during the pen test
– Ensure you will have someone available
– No chance of pen test compromise
– Be prepared to escalate to management

Page 19: Physical Security Assessments

Walk Through Phase Continued…

Conducted by at least two team members with the facility contact

What are we looking for?
– Perimeter controls
– Confidentiality control of hard-copy data
– Internal access controls
– Cameras/Alarms
– Personnel practices (security awareness)
– Emergency procedures (evacuation)
– Fire extinguishers (expired?)

OSSTMM is a good place to start for creating a physical security checklist
– No one standard, dependent on your organization
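As an added example (not from the presentation or its author), the following Python tracks the walk-through checklist above so the team leader can see three things at a glance: which checklist categories nobody recorded an observation for, which fire extinguisher tags were past due on the walk-through date, and the findings sorted worst-first for the final report. The category list comes from the slide; the three-level rating (ok / weak / missing), the field names and the sample observations are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Checklist categories taken from the slide's "What are we looking for?" list.
CATEGORIES = (
    "Perimeter controls",
    "Confidentiality control of hard-copy data",
    "Internal access controls",
    "Cameras/Alarms",
    "Personnel practices (security awareness)",
    "Emergency procedures (evacuation)",
    "Fire extinguishers",
)

# Assumed three-level rating; the lower number sorts first in the report.
SEVERITY = {"missing": 0, "weak": 1, "ok": 2}


@dataclass
class Observation:
    category: str
    note: str
    rating: str
    location: str = ""
    inspection_due: Optional[date] = None  # date on a fire extinguisher tag, if any

    def __post_init__(self):
        # Reject anything that is not on the agreed checklist or rating scale.
        if self.category not in CATEGORIES:
            raise ValueError(f"not on the checklist: {self.category}")
        if self.rating not in SEVERITY:
            raise ValueError(f"unknown rating: {self.rating}")


def effective_rating(obs, walk_date):
    """Downgrade an extinguisher that looked fine but whose tag is past due."""
    if (obs.category == "Fire extinguishers" and obs.inspection_due is not None
            and obs.inspection_due < walk_date and obs.rating == "ok"):
        return "weak"
    return obs.rating


def uncovered_categories(observations):
    """Checklist categories nobody recorded an observation for."""
    seen = {o.category for o in observations}
    return [c for c in CATEGORIES if c not in seen]


def expired_extinguishers(observations, walk_date):
    """Locations of extinguishers whose inspection date has lapsed."""
    return [o.location for o in observations
            if o.category == "Fire extinguishers"
            and o.inspection_due is not None and o.inspection_due < walk_date]


def build_report(observations, walk_date):
    """Assemble what the team leader needs: gaps, lapsed tags, findings worst-first."""
    findings = []
    for o in observations:
        rating = effective_rating(o, walk_date)
        if rating != "ok":
            findings.append((o.category, rating, o.location, o.note))
    findings.sort(key=lambda f: (SEVERITY[f[1]], f[0]))
    return {
        "walk_date": walk_date.isoformat(),
        "uncovered": uncovered_categories(observations),
        "expired_extinguishers": expired_extinguishers(observations, walk_date),
        "findings": findings,
    }


def format_report(report):
    """Plain-text summary for the final report / management meeting."""
    lines = [f"Walk-through {report['walk_date']}"]
    for cat, rating, loc, note in report["findings"]:
        lines.append(f"[{rating.upper():7}] {cat} @ {loc}: {note}")
    for loc in report["expired_extinguishers"]:
        lines.append(f"[EXPIRED] fire extinguisher tag @ {loc}")
    for cat in report["uncovered"]:
        lines.append(f"[GAP    ] no observation recorded for: {cat}")
    return "\n".join(lines)


# Constructed sample walk-through; not real findings from any site.
SAMPLE_WALK_DATE = date(2007, 10, 25)
SAMPLE_OBSERVATIONS = [
    Observation("Perimeter controls", "Side gate propped open with a brick", "missing", "east lot"),
    Observation("Internal access controls", "Server room reader works, door latches", "ok", "2F server room"),
    Observation("Confidentiality control of hard-copy data", "Customer statements in open recycling bin", "weak", "mail room"),
    Observation("Cameras/Alarms", "Lobby camera present, loading dock not covered", "weak", "loading dock"),
    Observation("Fire extinguishers", "Looks charged, tag dated last year", "ok", "stairwell B", inspection_due=date(2007, 7, 1)),
    Observation("Fire extinguishers", "Current tag", "ok", "lobby", inspection_due=date(2008, 3, 1)),
]

if __name__ == "__main__":
    print(format_report(build_report(SAMPLE_OBSERVATIONS, SAMPLE_WALK_DATE)))
```

The point of the uncovered-category check is the slide's own warning that there is no single standard: whatever checklist your organization settles on, the walk-through is only complete when every category on it has at least one recorded observation, and an extinguisher that "looks fine" still becomes a finding once its tag date is compared with the walk-through date.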

Page 20: Physical Security Assessments

Walk Through Phase Continued…

Ask questions! “Do you have any security concerns?”
Take notes and pictures
– Ask for permission prior to taking pictures
Tell them about the penetration test
Prepare for “hostility”!
– Put an awareness spin to it. “You’re not getting in trouble”

“Full Metal Jacket” © 1987 Warner Bros. Pictures

Page 21: Physical Security Assessments

Reporting and Lessons Learned

Team Leader compiles notes and results from team members
Prepare the final report ASAP
Set up meetings shortly after the assessment with management of the facilities
– Don’t wait too long! You will lose the effectiveness of the assessment.
– Keep them in the loop

Lessons learned with the assessment team!
– Set up a meeting – include third-party if used
– What went well? What didn’t?

Page 22: Physical Security Assessments

Standards and Books

OSSTMM – Open-Source Security Testing Methodology Manual, Version 2.2 http://www.isecom.org/osstmm/
NIST 800-12 (Chapter 15 – Physical Security) http://csrc.nist.gov/publications/nistpubs/800-12/
NIST 800-42 (Guideline on Network Security Testing) http://csrc.nist.gov/publications/nistpubs/800-42/NIST-SP800-42.pdf
Physical Security for IT – Michael Erbschloe
The Design and Evaluation of Physical Protection Systems – Mary Lynn Garcia
Vulnerability Assessment of Physical Protection Systems – Mary Lynn Garcia

Page 23: Physical Security Assessments

Questions?

Email: [email protected]