Pen Testing – Is It Telling You Want You Need To Know?

The idea and practice of Physical Security Penetration Testing is not new and, as with most things, predates the cyber age. However, whether it’s due to cyber security penetration testing, regulatory requirements or perhaps just seen as method of re-assurance, pen testing is something that captures the imagination, but how much emphasis should be placed on it?

Undertaking a Pen Test, can be an in depth process, as open source research is undertaken into the targeted organisation, as well as it’s buildings and people, prior to an attempt being made to gain entry to their property. Tests will probe the response that security officers give and the awareness that staff have, as those individuals carrying out the test move around the property. While the tests might well bring out weaknesses in security, the reason why security fails is not just down to someone being able to bluff their way around a building, but can be much deeper within an organisation itself.

The Threat – Where It Begins

While the threats to organisations will vary across geography and time, it is largely determined by what it produces and who its partners and customers are.  It is this which draws in Threat Actors, whether they are protest groups, determined to disrupt business activity or nation states, intent on stealing intellectual property.  Those threat actors not only have different expectations, but their resources and the professionalism they display are probably at either ends of a spectrum.

It is probably the case that the more professional the threat actor and what it is they hope to gain, the longer the period of time they will target an organisation. While there is always the possibility that someone will walk in and try to bypass security that is risky and could ultimately compromise the threat actor and their operation. 

Clearly there is less risk for the threat actor if an insider is used and as a number of magazine articles and specialist business consultancies highlighted at the end of last year, the Insider Threat is being seen as a major risk in 2024. In truth, it probably always has been a major risk, as it allows trusted individuals to gather information, over a protracted period of time without raising suspicions and without needing to tailgate.

Access Control – Keeping Honest People Out

Emerge into a lift lobby or walk down a flight of stairs in an office block and it’s not unusual for entry onto each floor to be restricted by an access control system. It doesn’t matter if it’s a relatively simple card or a more sophisticated biometrics system the problem is the entrance, as it normally allows multiple people to enter or leave at a time, rather than just one person.

Tailgating, that process of simply following someone through a door, works just about everytime, as it’s human nature not only to be helpful, but a lot of people are non-confrontational. They would rather just hold the door open, not query where someone’s pass is and if asked, will probably provide directions, it’s a problem that’s difficult to overcome and one which is easily exploited. Fundamentally, a lot of access control systems are designed to keep honest people out rather than effectively restricting entry.

It’s not just access control systems, overcoming physical security systems is possible, even if there are multiple layers. Overtly, it wouldn’t be the first time that criminals have used explosives to gain entry or covertly, a trusted individual just walking out with valuables over a protracted period of time. These type of incidents tend to suggest systemic failures in the organisation as a whole rather than just security. 

Security – Why It Fails 

Whether it’s the insider threat, the individual who believes security doesn’t apply to them or even a poorly designed system and premises layout, security fails for multiple reasons. However, as a general rule, the larger and more damaging the compromise, the greater the possibility of failures across an organisation.

It could be the failure to bring security within a risk and governance regime, seeing security as part of a facilities management solution or not even realising the threat in the first place.

Failure – It’s Almost Inevitable (Video)

Pen Testing – Its Limitations

Climbing over a perimeter fence or impersonating a contractor will test the reactions of the guard force and provide an understanding of staff awareness. However, not only is that understanding limited by the period of time across which the test is undertaken, it maybe gives a false impression of the overall security regime. 

Even ordinarily, just stating that an organisation has had no security incidents maybe isn’t proof of an effective security regime. Without evidence to the contrary, it could just be that any potential threat actors haven’t attempted either to compromise an organisation or are already doing so without being noticed.

While some threat actors will not worry about being caught, in fact they might even want to be, for others, if their goal is the acquisition of information or influencing the direction an organisation takes, they will do. This is a much longer term commitment undertaken by people who are trusted, have authorised access and Pen Tests are very unlikely to pick those people up.

Understanding Security – An In Depth And Ongoing Process

Physical Security Penetration Testing does have a place, as it can graphically illustrate a limited number of deficiencies, but it does not provide an understanding of security and how that might affect an organisation. That can only come about by working methodically and logically through the Security Risk Management process.  

RedLeaf Consultancy – Advising Clients

RedLeaf Consultancy is a consultancy which is primarily concerned with advising clients on how security might impact on the risks that they have have and from that generating solutions.