Published by CyberCX on 23 September 2022
Most companies understand the need for robust information security. Large sums are spent on technology aimed at securing networks, systems, and information. However, one of the areas frequently overlooked is physical security.
While an organisation may implement strong authentication, secure code, and comprehensive intrusion prevention controls, even the most secure facility is often subject to vulnerabilities from gaps in physical security.
A facility with gates, guards, and cameras might have a side door with no alarm that employees use for smoke breaks. A company housing sensitive information on systems with multiple layers of authentication might not have any visible identification policy or controls against tailgating, essentially allowing a motivated individual to just walk in and physically take their information.
Rather than just acting as an additional layer, poor physical security can undermine all other controls. There is little use in investing in a comprehensive security solution to protect your vital data if someone can enter a facility unnoticed and take or destroy it from an unlocked laptop.
Physical security is subject to misconceptions that can be devastating, such as placing surveillance cameras around a secure site and then leaving the feed unmonitored, or implementing security controls that a convincing social engineer can easily avoid.
Many organisations are blissfully unaware of the gaps in their physical security setup until the worst happens and they lose information or devices. But how can they predict which controls are inadequate before this happens?
Physical penetration testing, in combination with physical site audits, can provide a real-world trial of just how effective those physical security controls are in protecting your people, property, and information, as well as your physical assets.
In a site audit, a professional will inspect your premises’ security profile – observing and taking note of any vulnerabilities that could potentially be exploited to gain access to your valuable information.
During a physical penetration test, the value of the controls in place is rigorously tested by a team of experienced consultants, trained to think like an intruder. Depending on your requirements, the scope of the test can vary widely. It may range from an individual attempting to talk their way into a secure facility during business hours, or tailgating other employees, all the way to an invasive attack on your facility and systems, in which the team attempts to enter offices and computer rooms, circumvent alarms or disable cameras, and essentially prove the real-world efficacy of your security controls.
In a physical penetration test, motivated individuals act like intruders in that they employ creativity and tenacity as they attempt to breach your defences and gain access. However, rather than stealing or destroying your assets, they then comprehensively report where the vulnerabilities exist so that you can fix the problems and fortify your security.
After this point, additional checks or penetration tests are recommended – to see whether issues have really been fixed, or whether new vulnerabilities have arisen.
Physical security threats include:
Personal and property crime
Intellectual property theft and corporate espionage
Workplace violence from both insiders and external parties
Civil disturbances
Natural disasters, industrial disasters, and pandemics
Terrorist acts and kidnappings
Other risks, such as disturbed people and traffic accidents
Robust physical security can help:
Keep your people, customers, and the public safe
Prevent unauthorised people accessing your premises, information, or assets
Maintain the trust and confidence of the people and organisations you serve or work with
Deliver services without disruption in the event of a heightened threat level or disaster
Meet your obligations under the Federal Work Health and Safety Act 2011 and local equivalents
Find out how CyberCX can help secure your organisation with physical penetration testing and physical security site audits.