Securing the Corporate Environment
As a physical pentester, a question you may encounter is, "What is the best and most cost-effective thing our company can do to improve security?"
Often companies will have tight budgets, and the things you are recommending may cost huge amounts when taken at scale.
Other times, you may find that you are listing 10-20 things to improve security, which will inevitably prompt the client to ask which are the most important, because they cannot afford them all.
The method I am proposing in this blog is most effective for companies and organizations that are regularly populated with people; it is far less effective for things like substations or remote facilities.
When you think about how an attacker would get inside, it might be things like:
badge cloning
lock picking
bypassing
social engineering
etc.
While each of these things may be secure today, a new method or tool may come around tomorrow to make things vulnerable.
If you tell a company to spend 200 thousand dollars upgrading their Access Control Systems to a currently unclonable card, how sure are you that in 3 years it will remain unclonable?
Day vs Night - Man vs Machine
As I have said in the previous posts, when breaking into a facility you start off with a big picture question, “should we break in during the day or at night?”
This question will inevitably bring you to the question of fighting the men or the machines (mostly). Meaning: are you more comfortable and confident doing things like social engineering humans, or attacking the alarms and sensors?
This solution will mostly secure daytime hours (and any after hours with third parties such as cleaning staff), but in my opinion it is the single best thing you can do to increase overall security.
Empowering People
Yes yes, if I say security awareness or empowerment I immediately get an eye roll, but hear me out. Why do people roll their eyes when they hear that the best thing for security is security awareness and empowering the staff?
Because we have all sat in on mandatory security training, mostly goofing off or multitasking and praying there won't be some kind of quiz at the end since we weren't paying attention.
To actually empower your employees you need two things:
In writing, inform every employee that they will never be punished for asking (in a professional manner) for someone to identify themselves if they look suspicious or aren't wearing a badge.
Periodically have a non-employee wander the office / facility, and whichever employee catches them will get something they actually want, like extra vacation time.
With the above methods, you have removed the two main concerns employees have when it comes to approaching and asking someone for identification.
“I might get in trouble for asking if that person turns out to be a VIP”
“It's not my job and I have no reason to do it”
It's not your job to be the janitor of your office, but if I told you the person who picks up a specific piece of trash will get a month of paid leave … suddenly the floors are spotless.
Game On
By having a non-employee wander the facility once a month, employees begin to actively look for suspicious people, and it becomes a game with a reward they actually want to get (normally vacation away from work).
By doing this, you have instantly created a building full of security guards who are actively scanning and looking for anyone they don’t know, and with the addition of the letter saying they will never be punished for questioning people, they aren’t afraid to do so.
I recommend this approach to every company I infiltrate, and have found that those that actually adopt this policy have far more success than others.
My Experience
Having done this job for nearly 2 decades, and recommending this approach to everyone I work for, I have gotten to see its effects for myself.
When you think of a high security facility, security cameras & guards are inevitably a part of the mental image. By employing this concept, you have transformed your workforce into surveillance cameras and guards.
The organizations I have performed follow-up testing on who actively do the above are significantly more difficult to penetrate, especially because, without prior knowledge that the staff will be very security-alert, most intruders (and yes, this includes pentesters) will get caught quickly.
When you run a pentest, you don't want to inform the staff of what's going on because everyone will be on high alert … but with the above method your staff is most often on high alert (or at least enough of them are).
I have seen many inexperienced physical pentesters get caught going into facilities whose staff is on alert because enough of their employees are actively scanning.
I have gotten calls from old client contacts who inform me years later that they ran a physical pentest with another company to test their staff, and the pentester got caught almost immediately upon entering the building, because the pentester assumed that if they breached the perimeter the employees would leave him alone to wander the building (front-heavy security).
The Costs
When companies run these types of simulations they often give up a few days to weeks of vacation per year, depending on how often they run the game and what incentive they offer. But consider how little that costs the company compared to the potential risk of catastrophic compromise from someone who got inside their building.
Put into a cyber perspective, the average global cost of a data breach is 4.45 million dollars. Now remember that anything you can do over the internet, I can very likely do faster and easier from inside your building, including injecting ransomware or causing a data breach.
Compare that cost to a few days or weeks of extra vacation annually and it seems like a bargain. If there was a way to give a few employees some extra vacation time and decrease the probability of a ransomware attack by 90%, I think it's obvious what choice the organization would make.
Conclusion
While the above idea isn't going to single-handedly protect from all physical attacks, I have found that it both greatly increases physical security in corporate environments and even increases the morale of staff.
Of course corporations should invest in things like locks, access control systems, security cameras, etc., but when asked what is the one thing they aren't currently doing that would increase security the most, this is my answer.
Training Resources:
For individuals looking for hands-on training that includes all of the above topics, Covert Access Team (covertaccessteam.com) provides training courses focused on physical penetration testing, lockpicking, bypassing techniques, social engineering and other essential skills.
Covert Access Training - 5-day hands-on course designed to train individuals and groups to become Covert Entry Specialists
Elicitation Toolbox Course - 2-day course that primarily focuses on elicitation and social engineering as critical aspects of Black Teaming
Cyber Bootcamp for Black Teams - 2-day course designed explicitly for physical penetration testers who need vital cyber skills to add to their toolbox.
Private one-on-one Instruction - Book time to get private and personalized instruction on physical penetration testing