Guest Contributor: Chiheb Chebbi
None can deny that physical security is playing a huge role and a necessary aspect of “Information Security” in general. This article will guide us through many important terminologies in physical security and show us how to perform Physical Penetration Testing.
In this Article we are going to discover:
- Information security and Physical security: The Link
- Physical Security Overview
- Physical Penetration Testing
- Crime prevention through environmental design (CPTED)
After reading this article you can use this document that contains many useful resources to help you learn more about Physical Security and physical penetration testing: Physical Security
Information security and Physical security: The Link
Before diving deep into exploring physical security, some points are needed to be discussed to avoid any confusion. Many information security new learners go with the assumption that the main role of information security professionals is securing computers, servers, and devices in general but they neglect the fact that the role of information security professional is to secure “Information” and information can be stored using different means including Papers, paper mail, bills, notebooks and so on. Also many don’t know that the most valuable asset in an organization is not a technical device and even it is not a multi-million datacenter but it is “The Human”. Yes! In Risk management, risks against Human should be mitigated first urgently.
Thus, securing the physical environment is included in the tasks of Risk Managers and CISO’s (if I am mistaken please correct me)
For more information, I highly recommend you to check this great paper from SANS Institut: Physical Security and Why It Is Important – SANS Institute
Physical Security Overview
By definition “Physical security is the protection of personnel, hardware, software, networks and data from physical actions and events that could cause serious loss or damage to an enterprise, agency or institution. This includes protection from fire, flood, natural disasters, burglary, theft, vandalism, and terrorism.” [https://searchsecurity.techtarget.com ]
Physical security has three important components:
- Access control
As you can see from the definition your job also is to secure the enterprise from natural disasters and physical accidents.
The International Information System Security Certification Consortium, or (ISC)² describes the role of information security professionals in CISSP Study Guide (by Eric Conrad, Seth Misenar and Joshua Feldman) as the following:
“Our job as information security professionals is to evaluate risks against our critical assets and deploy safeguards to mitigate those risks. We work in various roles: firewall engineers, penetration testers, auditors, management, etc. The common thread is risk: it is part of our job description.”
Risks can be presented in a mathematical way using the following formula:
Risk = Threat x Vulnerability (Sometimes we add another parameter called “Impact” but for now let’s just focus on Threats and vulnerabilities.)
In your daily basis job you will face many Threats. (To avoid confusion between the Three terms Threat, Vulnerability, and Risk check the first section of this article How to build a Threat Hunting platform using ELK Stack)
Some Physical Threats are the following:
- Natural Environmental threats:
- Politically motivated threats
- Supply and Transportation Threats
To defend against physical Threats, you need to implement and deploy the right safeguards. For example, you can use a Defense in-depth approach.
The major Physical safeguards are the following:
- Video Surveillance
- Security Guards
- Lacks and Smart Locks
- Biometric Access Controls
- Different and well-chosen Windows
- Mitigating Power Loss and Excessing
- Guard dogs
- Different Fire Suppressions and protection systems (Soda Acid, Water, Gas Halon):
- The Fire extinguishers should be chosen based on the class of fire:
- Class A – fires involving solid materials such as wood, paper or textiles.
- Class B – fires involving flammable liquids such as petrol, diesel or oils.
- Class C – fires involving gases.
- Class D – fires involving metals.
- Class E – fires involving live electrical apparatus. (Technically ‘Class E’ doesn’t exists, however, this is used for convenience here)
- Class F – fires involving cooking oils such as in deep-fat fryers.
- The Fire extinguishers should be chosen based on the class of fire:
You can check the different fire extinguishers using this useful link: https://www.marsden-fire-safety.co.uk/resources/fire-extinguishers
Access controls is vital when it comes to physical security. So I want to take this opportunity to talk a little bit about it. As you noticed maybe, many information security aspects are taking and inspired from the military (Teaming names: Red Team, Blue Team and so on). Also, Access control is inspired from the military. To represent security policies in a logical way we use what we call Security models mechanisms. These models are inspired from the Trusted Computing Base (TCB), which is described in the US Department of Defense Standard 5200.28. This standard is also known as the Orange Book.
These are the most well know security models:
- Bell-LaPadula Model
- Biba Model
- Clark-Wilson Model
To learn more about the Security model read this Document: https://media.techtarget.com/searchSecurity/downloads/29667C05.pdf
Access controls are a form of technical security controls (a control as a noun means an entity that checks based on a standard). We have three Access Control categories
- Mandatory Access Control (MAC): The system checks the identity of a subject and its permissions with the object permissions. So usually, both subjects and objects have labels using a ranking system (top secret, confidential, and so on).
- Discretionary Access Control (DAC): The object owner is allowed to set permissions to users. Passwords are a form of DAC.
- Role-Based Access Control (RBAC): As its name indicates, the access is based on assigned roles.
Physical Penetration Testing
By now we acquired a fair understanding about many important aspects of physical security. Let’s move to another point which is how to perform a Physical Penetration testing. By definition:
“A penetration test, or pen–test, is an attempt to evaluate the security of an IT infrastructure by safely trying to exploit vulnerabilities. These vulnerabilities may exist in operating systems, services and application flaws, improper configurations or risky end-user behavior.” [ www.coresecurity.com ]
When it comes to penetration testing we have three types:
- White box pentesting: The pentester knows everything about the target including physical environment information, employees, IP addresses, Host and server information and so on (of course in the agreed scope)
- Black box pentesting: in this case, the pentester don’t know anything about the target
- Gray box pentesting: is the mix between the two types
Usually, Penetration Testers use a Pentesting standard to follow when performing a penetration testing mission. Standards are a low-level description of how the organization will enforce the policy. In other words, they are used to maintain a minimum level of effective cybersecurity. To learn the difference between: Standard, Policy, procedure and guideline check this useful link : https://frsecure.com/blog/differentiating-between-policies-standards-procedures-and-guidelines/
As a penetration tester you can use from a great number of pentesting standards like:
- The Open Source Security Testing Methodology Manual (OSSTMM)
- The Information Systems Security Assessment Framework (ISSAF)
- The Penetration Testing Execution Standard (PTES)
- The Payment Card Industry Data Security Standard (PCI DSS)
If you selected The Penetration Testing Execution Standard (PTES) for example (https://media.readthedocs.org/pdf/pentest-standard/latest/pentest-standard.pdf )
You need to follow the following steps and phases:
- Pre-engagement Interactions
- Intelligence Gathering
- Threat Modeling
- Vulnerability Analysis
- Post Exploitation
(Just click on any step to learn more about it)
You can’t perform a successful physical penetration testing mission without a great Team. Wil Allsopp in his great book Unauthorised Access Physical Penetration Testing For IT Security Teams gave a great operation team suggestion.
He believes that every good physical penetration testing team should contain:
- Team Leader
- Coordinator or Planner
- Social Engineer
- Computer Intrusion Specialist
- Physical Security Specialist
- Surveillance Specialist
He also gave a great workflow so you can use it in your mission:
Peerlyst is also loaded with great physical security Articles. The following are some of them:
- Most Locks are stupid easy to pick
- How to become a Hardware Security Specialist
- Hardware/Software vendor playbook: Handling vulnerabilities found in your products after launch
- The hardware security and firmware security wiki
- Becoming a Penetration Tester – Hardware Hacking Part 1
- Best practices for securing hardware devices against physical intrusion
- [TOOL] Umbrella App: Digital and Physical Security Lessons and Advice in Your Pocket!
- Physical Security Blog. Part 1: Why the Physical Security Industry is Dysfunctional
- Physical Security: The Missing Piece From Your Cyber Security Puzzle
- Physical Security = Information Security, both have almost identical requirements
- How to get started with physical security
- How Physical security fails:2 Tales from a Sneaker
Crime prevention through environmental design (CPTED)
Crime prevention through environmental design (CPTED) is a set of design principles used to discourage crime. The concept is simple: Buildings and properties are designed to prevent damage from the force of the elements and natural disasters; they should also be designed to prevent crime. [William Deutsch]
There are mainly 4 major principles:
- Natural Surveillance: Criminals will do everything to stay undetected so we need to keep them under observation by keeping many areas bright and by trying to eliminate hiding spots.
- Natural Access Control: relies on doors, fences, shrubs, and other physical elements to keep unauthorized persons out of a particular place if they do not have a legitimate reason for being there.
- Territorial Reinforcement: is done by giving spatial definitions such as the subdivision of space into different degrees of public/semi-public/ private areas
- Maintenance: the property should be well -maintained
You can find the full Crime prevention through environmental design Guide in the references section below.
In this article we explored many aspects of physical security. We started by learning the relationship between Physical security and information security. Later we dived deep into many terminologies in physical security. Then, we discovered how to perform a physical penetration testing and the required team to do that successfully. Finally, we finished the article by giving a small glimpse about Crime prevention through environmental design.
This article was originally posted on Peerlyst.