When I retired from law enforcement and became a Private Investigator in my home state of Oregon, I started conferring with business owners and managers on a regular basis as most of my cases were workplace theft and fraud investigations. Because of my background in physical security, business owners and managers started asking me if I could help them with security issues. One common theme that came up was that many of these business owners and managers really had no idea if their company’s security policies and practices were comprehensive enough and whether they were being consistently adhered to. In some cases these business owners and managers decided that conducting security penetration testing was the only real way to know how good (or how bad) their security was.
What is Penetration Testing?
Penetration testing, commonly referred to as “pen-testing,” is very common in the computer and network security world. Pen-testing is the active real-life process of testing, measuring, and evaluating security measures with the goal of identifying and exploiting security vulnerabilities so that security lapses can be corrected. In very simple terms, pen-testing involves hiring trained operatives to attempt to thwart security and uncover and expose vulnerabilities.
In network security, businesses often hire “ethical hackers” who attempt to hack into a computer network to identify security vulnerabilities. Can a firewall be defeated? Can passwords be beaten? How easy is it for a malicious virus to be introduced into the system? This is the type of invaluable information that network security professionals need to know to create more resilient networks. But penetration testing is not just for computer networks.
Physical Security Penetration Testing.
Long before “pen-tests” became commonplace in network security, they were used to test physical security policies and practices, physical security controls, and the level of security awareness in businesses and organizations. They have proven so effective that the Federal Aviation Administration, the Department of Homeland Security, and other government agencies use “Red Teams” to attempt to penetrate physical security at airports, nuclear facilities, and other high-level facilities. The Federal Aviation Administration maintains a robust pen-test program where federal agents pose as passengers and attempt to smuggle guns, fake bombs, and assorted contraband past security checkpoints. For security reasons the program is shrouded in secrecy, but there have been reports over the years that these pen-test agents have been able to smuggle hand grenades, bombs, and guns past security checkpoints and have been able to gain access to and wander in restricted areas without being immediately challenged.
What a business or organization does not know can be costly.
A business or organization can have the most sophisticated electronic locks, high-tech surveillance cameras, armed guards, and good security policies and procedures, but that does not make the slightest difference if someone can use tailgating or piggyback techniques or deception to gain access to offices, warehouses, or other buildings. Likewise, if an intruder can use ruses and social engineering techniques to scam or “charm” their way into unauthorized areas they are free to commit theft of physical or intellectual property, industrial espionage, and do any number of other “bad things.” Often, when this type of security breach occurs, you do not hear about it. In many cases businesses never learn that their premises have been compromised. When a business learns that their security has been penetrated, the business is so embarrassed that they do not even call the police for fear that it will become public.
The harm that can occur to a business, even if it is just a two- or three-person business, is inestimable. And in some cases, this harm can also be perdurable. Physical security penetration testing for private businesses and organizations tests the real-world effectiveness of existing security and can answer questions like:
• Can physical security controls like locked doors, surveillance cameras, and alarms be circumvented? For example: if an employee enters a door code how easy is it for an unauthorized person to “tailgate” or “piggyback” the first person inside?
• Once an unauthorized person gains access to a business, how long can they wander around offices, warehouses, or other facilities before someone even bothers to ask the person who they are and what they are doing?
• The weakest point of any security system is often the human element. Are security policies being followed after hours? Are adequate measures in place to detect an intrusion?
• Will a phone call to the front desk pretending to be an employee, or showing up at the front door with a package, get a clever intruder through the front door and maybe even into a sensitive data center?
Consider this Real-Life Example:
While performing a pen-test to test security of an office building, the operative spent several days covertly watching the building from across the street and observing behaviors and those coming and going – just like a real person with nefarious intent could do.
The operative noticed that in the morning when people came to work and later when they returned from lunch, groups of office workers would enter the building one right after the other, swiping their ID cards as they entered the front door. The next day, dressed like a typical office worker, and carrying a lunch sack, the operative attempted to gain access to the building with the morning workers. Since she had no electronic ID card to swipe at the front door, her plan was to follow a worker after that worker swiped their ID card to unlock the front door and slip inside.
When she saw a group of workers start to enter the building, the operative slid in behind one of the workers and got inside the lobby. But as soon as she got inside she realized there was another layer of security she had to pass before she could get to the elevators. To get to the elevators she had to get past a uniformed security guard who was watching as every worker again swiped their ID card to get past another door. Clearly, whoever designed this building’s physical security knew about the principle of “layered security,” where each layer of security supports another layer to lessen the chance of successful unauthorized intrusion.
Because the operative was well trained for unexpected occurrences, she was not deterred. Without hesitation and displaying a nice warm smile, she walked up to the security guard and said that it was her first day at work and she did not have an ID card yet. The security guard did not ask her how she got through the outer door and seemed unsure what to do. The operative showed the guard her lunch sack and mentioned that she did not want to be late on her first day. The security guard then used his ID card to swipe the door and wished her “good luck” on her first day of “work.”
The operative then spent the next FOUR HOURS wandering the building without being challenged despite not displaying an ID card on her attire. During this time she could have gained access to many sensitive areas. On her way out for “lunch” the operative thanked the guard for helping her make it to work on time.
This pen-test revealed a serious flaw in building security that the building manager had never contemplated. As a result, new security protocols were developed and security personnel received enhanced training. This is just one real-life example of how a rather simple pen-test uncovered a security vulnerability that could have resulted in grave damage to a company.
Physical Security Penetration Testing is NOT for Every Business or Organization.
Physical security penetration testing is a very specialized field. To be effective it requires well trained operatives, meticulous planning, and well defined goals and parameters. It also requires a thorough understanding of the human and legal aspects of conducting a “real life” security test. There are very few companies in the United States that have the knowledge and experience to provide this service.
I have found that many companies genuinely want to know how good their security really is. Once they understand the real-life benefits of a well developed physical security penetration test designed to test specific vulnerabilities, they are more than willing to spend the money to get it done right.
Unfortunately, I have also encountered some business owners and managers who do not really want to know how well their security would stand up to a real-life “attack.” Sometimes it is just easier to maintain the status quo instead of acting upon security concerns. Other times business managers dismiss physical security concerns and are willing to accept the risk instead of approving (or seeking approval) of a penetration test. I even encountered one high level “manager” of a large quasi-public organization who confided that he knew the organization had serious physical security vulnerabilities. His rationale for not wanting to know more (especially not in an official report) was that they could no longer claim ignorance when something bad happened and would be easy targets for inadequate security lawsuits!
If a business or organization really wants to know how well their security policies, practices, and controls will perform under real life intrusions or espionage attempts, penetration testing will positively give the business or organization the knowledge they need to reduce security vulnerabilities – knowledge that simply cannot be obtained by any other means, unless you wait for a loss to occur.
A penetration test can be tailored to the individual needs of a business or organization and can be comprehensive or limited in scope. While investigations remain the main focus of my business, planning and conducting physical penetration testing for businesses and organizations is an important adjunct to my investigations and physical security consulting business. More and more businesses and organizations are realizing only this type of testing can provide the real-life information that is invaluable in ensuring that their business assets are really secure.