How to Perform Physical Penetration Testing

Guest Contributor: Chiheb Chebbi



Physical security plays a major role in information security and is a necessary aspect of it. This article walks through many important physical security terms and shows how to perform physical penetration testing.

In this Article we are going to discover:

  • Information security and Physical security: The Link
  • Physical Security Overview
  • Physical Penetration Testing
  • Crime prevention through environmental design (CPTED)

After reading this article, you can use this document, which collects many useful resources for learning more about physical security and physical penetration testing: Physical Security

Information security and Physical security: The Link

Before diving deep into physical security, a few points need to be discussed to avoid confusion. Many newcomers to information security assume that the main role of information security professionals is securing computers, servers, and devices in general, but they neglect the fact that the role of an information security professional is to secure "information", and information can be stored by many means, including paper, paper mail, bills, notebooks, and so on. Many also don't realize that the most valuable asset in an organization is not a technical device, nor even a multi-million-dollar datacenter, but "the human". In risk management, risks to people are the first and most urgent to mitigate.

Thus, securing the physical environment is among the tasks of risk managers and CISOs (if I am mistaken please correct me).

For more information, I highly recommend this paper from the SANS Institute: Physical Security and Why It Is Important – SANS Institute

Physical Security Overview

By definition “Physical security is the protection of personnel, hardware, software, networks and data from physical actions and events that could cause serious loss or damage to an enterprise, agency or institution. This includes protection from fire, flood, natural disasters, burglary, theft, vandalism, and terrorism.” [ ]

Physical security has three important components:

  • Access control
  • Surveillance
  • Testing

As the definition shows, your job also includes protecting the enterprise from natural disasters and physical accidents.

Physical Threats

The International Information System Security Certification Consortium, or (ISC)², describes the role of information security professionals in the CISSP Study Guide (by Eric Conrad, Seth Misenar and Joshua Feldman) as follows:

“Our job as information security professionals is to evaluate risks against our critical assets and deploy safeguards to mitigate those risks. We work in various roles: firewall engineers, penetration testers, auditors, management, etc. The common thread is risk: it is part of our job description.”

Risk can be expressed mathematically using the following formula:

Risk = Threat × Vulnerability

(Sometimes another parameter called “Impact” is added, but for now let’s focus on threats and vulnerabilities.)

In your day-to-day job you will face many threats. (To avoid confusion between the three terms Threat, Vulnerability, and Risk, check the first section of this article: How to build a Threat Hunting platform using ELK Stack)

Some Physical Threats are the following:

  • Natural Environmental threats:
    • Disasters
    • Floods
    • Earthquakes
    • Volcanoes
    • Tsunamis
    • Avalanches
  • Politically motivated threats
  • Supply and Transportation Threats

Security Defenses

To defend against physical threats, you need to implement and deploy the right safeguards, for example by following a defense-in-depth approach.

The major physical safeguards are the following:

  • Video Surveillance
  • Fences
  • Security Guards
  • Locks and smart locks
  • Biometric access controls
  • Different and well-chosen windows
  • Mitigating power loss and power excess (surges)
  • Guard dogs
  • Lights
  • Signs
  • Man-traps
  • Different fire suppression and protection systems (soda acid, water, Halon gas):
    • Fire extinguishers should be chosen based on the class of fire:
      • Class A – fires involving solid materials such as wood, paper or textiles.
      • Class B – fires involving flammable liquids such as petrol, diesel or oils.
      • Class C – fires involving gases.
      • Class D – fires involving metals.
      • Class E – fires involving live electrical apparatus. (Technically ‘Class E’ doesn’t exist; however, it is used here for convenience.)
      • Class F – fires involving cooking oils such as in deep-fat fryers.

You can compare the different fire extinguishers using this useful link:

Access Control

Access control is vital when it comes to physical security, so I want to take this opportunity to talk a little about it. As you may have noticed, many information security concepts are taken from or inspired by the military (team names such as Red Team and Blue Team, for example). Access control is also inspired by the military. To represent security policies in a logical way, we use what are called security models. These models are inspired by the Trusted Computing Base (TCB), which is described in US Department of Defense Standard 5200.28. This standard is also known as the Orange Book.

These are the most well-known security models:

  • Bell-LaPadula Model
  • Biba Model
  • Clark-Wilson Model

To learn more about security models, read this document:

Access controls are a form of technical security control (a control, as a noun, means an entity that checks something against a standard). There are three access control categories:

  • Mandatory Access Control (MAC): The system compares a subject's identity and clearance with the object's permissions. Usually, both subjects and objects carry labels from a ranking system (top secret, confidential, and so on), and neither party can override the system's decision.
  • Discretionary Access Control (DAC): The object owner is allowed to set permissions for users. Passwords are a form of DAC.
  • Role-Based Access Control (RBAC): As its name indicates, access is granted based on assigned roles.
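To make the three categories concrete, here is an added example (not from the original article) that models each one in a few lines: a MAC check in the Bell-LaPadula style using a constructed ranking of labels, a DAC object whose owner alone edits its permission list, and an RBAC lookup over constructed roles such as "guard" and "facility_admin". All names, levels, users and permissions are hypothetical.

```python
"""Added example: minimal models of MAC, DAC and RBAC (constructed names)."""
from enum import IntEnum


class Level(IntEnum):
    """Hypothetical ranking used for MAC labels; a higher value is more sensitive."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


def mac_allows(subject_clearance: Level, object_label: Level, action: str) -> bool:
    """Mandatory access control, Bell-LaPadula style: the system compares labels,
    and neither the subject nor an owner can override the result.
    read  -> 'no read up'   : the clearance must dominate the object label
    write -> 'no write down': the object label must dominate the clearance"""
    if action == "read":
        return subject_clearance >= object_label
    if action == "write":
        return object_label >= subject_clearance
    raise ValueError(f"unknown action {action!r}")


class DacObject:
    """Discretionary access control: only the owner may hand out permissions."""

    def __init__(self, owner: str):
        self.owner = owner
        self.acl = {owner: {"read", "write", "grant"}}  # user -> set of actions

    def grant(self, by: str, to: str, action: str) -> bool:
        if by != self.owner:  # a non-owner cannot change the permission list
            return False
        self.acl.setdefault(to, set()).add(action)
        return True

    def allows(self, user: str, action: str) -> bool:
        return action in self.acl.get(user, set())


# Role-based access control: permissions attach to roles, users attach to roles.
ROLE_PERMISSIONS = {"guard": {"open_gate"}, "facility_admin": {"open_gate", "edit_badges"}}
USER_ROLES = {"alice": {"guard"}, "bob": {"facility_admin"}}


def rbac_allows(user: str, action: str) -> bool:
    """A user may act only if one of their roles carries the permission."""
    return any(action in ROLE_PERMISSIONS.get(r, set()) for r in USER_ROLES.get(user, set()))
```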

Physical Penetration Testing

By now we have acquired a fair understanding of many important aspects of physical security. Let’s move on to another point: how to perform a physical penetration test. By definition:

“A penetration test, or pentest, is an attempt to evaluate the security of an IT infrastructure by safely trying to exploit vulnerabilities. These vulnerabilities may exist in operating systems, services and application flaws, improper configurations or risky end-user behavior.” [ ]

When it comes to penetration testing we have three types:

  • White box pentesting: The pentester knows everything about the target, including physical environment information, employees, IP addresses, host and server information, and so on (within the agreed scope, of course).
  • Black box pentesting: The pentester doesn’t know anything about the target.
  • Gray box pentesting: A mix of the two types.

Usually, penetration testers follow a pentesting standard when performing a penetration testing engagement. Standards are a low-level description of how the organization will enforce its policy; in other words, they maintain a minimum level of effective cybersecurity. To learn the difference between standard, policy, procedure and guideline, check this useful link:

As a penetration tester you can choose from a great number of pentesting standards, such as:

  • The Open Source Security Testing Methodology Manual (OSSTMM)
  • The Information Systems Security Assessment Framework (ISSAF)
  • The Penetration Testing Execution Standard (PTES)
  • The Payment Card Industry Data Security Standard (PCI DSS)

If you selected the Penetration Testing Execution Standard (PTES), for example, you need to follow the steps and phases it defines.

The Team

You can’t perform a successful physical penetration testing engagement without a great team. Wil Allsopp, in his great book Unauthorised Access: Physical Penetration Testing For IT Security Teams, gives a useful suggestion for the composition of an operations team.

He believes that every good physical penetration testing team should contain:

  • Operator
  • Team Leader
  • Coordinator or Planner
  • Social Engineer
  • Computer Intrusion Specialist
  • Physical Security Specialist
  • Surveillance Specialist

He also gives a workflow you can use in your engagement:

Peerlyst is also loaded with great physical security articles. The following are some of them:

Crime prevention through environmental design (CPTED)

Crime prevention through environmental design (CPTED) is a set of design principles used to discourage crime. The concept is simple: Buildings and properties are designed to prevent damage from the force of the elements and natural disasters; they should also be designed to prevent crime. [William Deutsch]

There are four major principles:

  • Natural Surveillance: Criminals will do everything to stay undetected, so we need to keep them under observation by keeping many areas well lit and by eliminating hiding spots.
  • Natural Access Control: Relies on doors, fences, shrubs, and other physical elements to keep unauthorized persons out of a particular place if they have no legitimate reason for being there.
  • Territorial Reinforcement: Achieved by giving spatial definitions, such as subdividing space into public, semi-public and private areas.
  • Maintenance: The property should be well maintained.

You can find the full Crime prevention through environmental design Guide in the references section below.


In this article we explored many aspects of physical security. We started by learning the relationship between physical security and information security. Later we dived deep into many physical security terms. Then we discovered how to perform a physical penetration test and the team required to do it successfully. Finally, we finished with a brief glimpse of Crime Prevention Through Environmental Design.

This article was originally posted on Peerlyst.