Companies should periodically conduct physical penetration tests to assess the security posture of their office and data center and find any vulnerabilities. Physical security testing, while not as common as software or network pen testing, shows organizations how feasible unauthorized access is for would-be attackers.
Organizations can have the pen tester -- whether an internal red team member or an external ethical hacker -- record their actions with hidden cameras and share the footage and findings in a report with remediation recommendations to improve security.
Let's look at physical pen testing goals, two physical pen testing approaches ethical hackers use and some common tools for the exercise.
Physical pen testing goals
Physical intrusion of an organization's offices -- although risky -- can grant malicious hackers or pen testers extensive access to the computer network inside the traditional network perimeter. Once inside a building, they could plant a remote access device directly into the internal corporate network to enable outside attackers to bypass the organization's safeguards, such as multifactor authentication, and carry out external attacks.
Inside the office, ethical hackers can also demonstrate how they -- and potentially cybercriminals as well -- can steal a hard drive directly from a file server. Other tactics they can deploy once inside include the following:
- Test internal network access in common areas.
- Look through meeting rooms, trash cans -- even dumpsters outside -- and other office areas for documents containing sensitive data.
- Observe employees to see if pen testers can learn or copy account credentials.
- Attempt to gain access to more sensitive areas.
Physical penetration testing approaches
When it comes to an intrusion attempt, the physical pen tester can either boldly approach the reception area or try to sneak in.
1. Using social engineering to go through the front door
In this approach, the pen tester front-loads the risk by approaching reception staff and using a social engineering attack to get inside the office through impersonation. For example, pen testers could pretend to be a third-party contractor or an employee who has forgotten their access pass. This approach can be effective because, if the pen tester can convince the receptionist, they often get a visitor badge with legitimate access. Further risk is mitigated because the pen tester now has approval to be there and isn't likely questioned further.
2. Sneaking in
Pen testers can try deception or a break-in when attempting to access buildings:
- Tailgating. The most used technique when sneaking into a physical location is tailgating. Most employees are polite enough to hold doors open for someone following behind who appears to be a colleague, cleaner or courier -- as long as the intruder looks the part. The pen tester must do their research and plan their pretext. For example, if the pen tester pretends to be an employee, they need to match the dress code to blend in. They also need to create a copy of the ID badge and lanyard that would pass a quick visual inspection. The trick then is to time the tailgate attempt correctly -- usually joining a group returning from lunch and following them through doors. Tailgating won't work if the company uses security gates or requires all employees to scan their card on the main entry door.
- Lockpicking. Should tailgating fail, the second option is to use tools, such as lockpicks, to unlock doors on the side or rear of the building. If the building uses electromagnetic locks, pen testers can try to copy and clone microchip-based RFID or near-field communication access cards. This physical pen test method may be preferred over tailgating should a pen tester who was previously denied entrance by security guards or reception staff get recognized and pulled aside.
Physical pen testing tools
When conducting a physical pen test, the following gear proves useful to an ethical hacker:
- Mobile phone. Physical pen testers can act like they're speaking on the phone when tailgating. It helps avoid awkward questions or conversations as people don't want to be rude by interrupting calls.
- ID/lanyard printer. For pen testers attempting to tailgate, the employee pretext works well when targeting large organizations, but creating a fake ID badge is essential.
- Lockpicks and RFID scanner. A set of lockpicks and an RFID scanner in skillful hands can open up other options than tailgating or bluffing your way through reception.
- Dress-up box. Pen testers should build up an array of outfits they can use to pretend to be in different professions. This gives pen testers options for the best approach for the physical pen test.
- Network testing and attack equipment. Once you are successfully inside a building, some networks tools, such as a Wi-Fi Pineapple to dupe users, enable you to start probing the computer system for weaknesses.