Physical Penetration Testing (PPT)
- Author Asa Stevens
- Published November 24, 2010
Why?
· To identify any weaknesses in the physical security of a company.
· To prove the current systems.
What is it that needs protecting?
· Information
· Product
· Systems
· Staff
What is a penetration test?
A Physical penetration test or PPT is a simulated attack against your company's security defences. It is designed to replicate an attack to see if your security can be compromised. The primary aim is to identify security weaknesses before real attackers have the chance to. Once security weaknesses have been identified, your organisation can start treating the associated risks.
An example attack may be to target a specific service, process or operation within your business, site or plant by using 'social engineering' or 'deception', e.g. an employee holds a secure door open for a visitor or someone they do not know because that person looks like they should be there (an inspector, an auditor, etc.), so what is the harm? 'Tailgating', as it is known, is a simple method of bypassing building security systems. Another example is following employees to lunch, eating near them, and taking notes.
Why conduct a PPT?
A PPT identifies the security weaknesses and strengths of a company's physical security. The goal of the test is to demonstrate the existence or absence of deficiencies concerning physical security. Penetration testing should be considered an important part of any ongoing security programme. These tests can be particularly useful in attracting the attention of senior management. The results of a penetration test can show the organisation-wide consequences of a breach and help to ensure buy-in from all levels of the organisation.
Remember: "an ounce of prevention is worth a pound of cure".
Organisations typically conduct PPT with the aim of identifying vulnerabilities which could result in some form of loss. Loss may be specific to each business but there are some forms of loss that can apply to all businesses.
Immediate financial loss is obvious in the case of an attack to remove money or stock from an organisation. However, there can also be indirect costs associated with a security incident. For example, the cost associated with increased insurance premiums or the costs of possible regulatory breaches which could run into tens, if not hundreds, of thousands of pounds.
Losses are not just financial. An organisation can suffer significant reputational damage, particularly in the food, pharmaceuticals and IT industries. A security breach could lead to a decrease in client trust, which could then lead to a drop in sales.
PPT Execution
PPT is typically conducted using a structured approach around the following key phases:
· Discovery
· Enumeration (listing of findings one by one)
· Vulnerability Mapping
· Exploitation
Each phase feeds into the next making it an integrated process.
Discovery
The discovery phase can be thought of as reconnaissance. The discovery process will aim to map out the attack for the test. The discovery phase will highlight possible attack vectors based on the information gathered.
Enumeration
The enumeration phase builds on what was gathered in the discovery phase by collecting more detail, such as details of the sensitive or vital information, product, systems and staff that can directly and/or immediately affect the operations of an organisation, including access to them.
Vulnerability Mapping
The vulnerability mapping phase will attempt to identify weaknesses in the services/systems/procedures/facilities enumerated in the previous phase.
Once sufficient detail has been obtained, the tester can identify weaknesses in the service/system/procedure/facility being tested.
This information can then be fed into the final test phase, exploitation.
Exploitation
The exploitation phase is designed to demonstrate that a security weakness exists and can be used by an attacker. The tester aims to compromise the system using a weakness identified in the previous phases, i.e. the testing officer could obtain unauthorised physical access to a facility using non-technical means.
Post PPT
The final and most important deliverable to an organisation that has commissioned a penetration test is the final report. The final report is so significant because it conveys and documents the security risks identified during the test in a way that is meaningful to the organisation.
A PPT report is likely to be read by senior management down through to junior managers who are responsible for remedial changes. A good PPT report will provide information for all the intended audience types.
What to consider when conducting a PPT?
When an organisation decides to conduct a PPT there are several key points to consider prior to the commencement of the test:
· Use an independent security provider. They will be immune from internal distractions and are focussed on the key issues of your security.
· Seek demonstration of providers' experience. Proven experience will help to understand the providers' capabilities and will provide confidence in the providers' abilities.
· Ensure the testing provider utilises proven testing methodologies. Proven testing methodologies ensure that the tests being conducted will produce consistent and reliable results.
· Never utilise penetration tests as a substitute for a holistic security programme. A penetration test is an important part of your security programme, not a substitute for one.
A well planned PPT can help an organisation identify their security vulnerabilities. This pro-active approach can help identify risks before malicious attacks occur and protect an organisation from post attack fall-out.
For more information, visit the Impact Security website.
Article source: https://articlebiz.com