Purpose of Physical Intrusion / Penetration Testing
Organizations invest in protecting their digital infrastructure while often ignoring their physical security controls intended to prevent malicious on-site attacks.
The primary purpose of physical intrusion testing is to uncover weaknesses and gaps in physical security measures, including personnel, door locks, motion sensors, cameras, barricades, etc. The ultimate goal is to become a hard target.
These assessments aim to provide clients with an actionable plan for remediating the issues identified. Physical intrusion assessments, also referred to as physical penetration tests, simulate real-world scenarios to illustrate the potential repercussions of a malicious actor gaining access to an organization's systems and infrastructure.
What can malicious individuals do with physical access to corporate facilities and infrastructure?
Social engineer employees to build trust
Gain access to confidential information in printed documents or files
Attempt to install malware on servers, workstations, or systems
Sabotage building infrastructure and business operations by tampering with electricity, climate controls, water distribution, internet connectivity, etc.
Gain access to unlocked employee workstations and maneuver undetected within the corporate network
Disable existing security controls to allow for follow-on malicious activities
Steal confidential information, plans, products, devices, tools, etc.
Create/install backdoor entry points (physical or digital) for future access
Tamper with or manipulate workflows in business-critical systems to prevent or disrupt revenue-generating operations
Bypass access controls to gain entry to internal confidential areas within the building
Steal and use company gear to appear as an insider and increase efficacy of social engineering tactics
Assessment Criteria
Each assessment will have unique goals, objectives, timelines, and success criteria. As a rule, the Fidelis Risk team will assess the following criteria:
Can we gain entry undetected?
What kind of open source intelligence (OSINT) can be used to aid the team in social engineering?
Do employees adhere to the company’s approved security policies, procedures, and protocols?
Can we gain access to unauthorized areas?
Can we gain physical access to on-premises network infrastructure (IT closets, servers, firewalls, switches, SCADA systems, etc.)?
Can we get access to confidential files?
Do we have freedom of movement within access-controlled areas?
Can we effectively bypass existing security controls (locks, RFID access controls, security guards, CCTV cameras, sensors, man traps, etc.)?
Can we gain access to the company’s “crown jewels” and successfully exfiltrate them undetected?
Do we get challenged by employees?
Can we successfully egress undetected?