Penetration Tests
Penetration Testing: A physical penetration test is a non-invasive, comprehensive assessment of the physical measures and procedures in place at a facility/location.
The purpose of a physical penetration test is to audit the fortification and resilience of security measures on a site, verifying documentation and operating procedures and to identify weaknesses and vulnerabilities to such through exploitation in an auditable manner.
Evidence obtained through this process can help senior management implement mitigation to reduce the effect of incidents, lost time, negative publicity and accidents, ensuring profit protection through their loss prevention and health and safety strategies.
Penetration tests are carried out by the specialist services department and utilise a combination of experienced surveillance operatives and specific technology to aid the process. Such technology may include infrared and thermal imagery, Unmanned Aerial Systems (UAS), GPS tracking and parabolic microphones, to name a few. The recommended use of equipment will always be discussed and agreed with the client during the planning phases.
During operational planning, we will liaise with the local relevant emergency services and ensure that the plans and objectives are logged against relevant databases. Prior to starting and on completion of the test, the relevant agencies will be informed to ensure that unnecessary resource is not directed to the site, in response of the test.
The penetration test can be embedded into a full threat-risk assessment or as a standalone task. A Threat-Risk Assessment (TRA) is a comprehensive report compiled to assess and identify specific security weaknesses in structure, design, manning, contractors, suppliers, geographical siting and IT systems which could be exploited to have an impact on the likelihood of a threat against the client or its business.
The purpose of a physical penetration test is to audit the fortification and resilience of security measures on a site, verifying documentation and operating procedures and to identify weaknesses and vulnerabilities to such through exploitation in an auditable manner.
Evidence obtained through this process can help senior management implement mitigation to reduce the effect of incidents, lost time, negative publicity and accidents, ensuring profit protection through their loss prevention and health and safety strategies.
Penetration tests are carried out by the specialist services department and utilise a combination of experienced surveillance operatives and specific technology to aid the process. Such technology may include infrared and thermal imagery, Unmanned Aerial Systems (UAS), GPS tracking and parabolic microphones, to name a few. The recommended use of equipment will always be discussed and agreed with the client during the planning phases.
During operational planning, we will liaise with the local relevant emergency services and ensure that the plans and objectives are logged against relevant databases. Prior to starting and on completion of the test, the relevant agencies will be informed to ensure that unnecessary resource is not directed to the site, in response of the test.
The penetration test can be embedded into a full threat-risk assessment or as a standalone task. A Threat-Risk Assessment (TRA) is a comprehensive report compiled to assess and identify specific security weaknesses in structure, design, manning, contractors, suppliers, geographical siting and IT systems which could be exploited to have an impact on the likelihood of a threat against the client or its business.
Penetration tests are divided into two categories; Cyber and Physical. Within each category are sub sections as follows:
A penetration test will audit the fortification and security posture of a site, measuring and stress testing the mitigation in situ, such as:
- CCTV
- lighting
- streetscape
- access control
- manned presence
- processes and procedures
- documentation
- standards, deportment and expectation
- control of sensitive information
- any other factor bolstering the security resilience.
Vulnerabilities are exposed through physical auditing, therefore providing opportunity to indorse change before the exposure is exploited by an adversary.
Evidence obtained through this process can help senior management implement mitigation to reduce the effect of incidents, lost time, negative publicity and accidents, ensuring profit protection through their loss prevention and health and safety strategies.
Evidence obtained through this process can help senior management implement mitigation to reduce the effect of incidents, lost time, negative publicity and accidents, ensuring profit protection through their loss prevention and health and safety strategies.
The Process
Methodology
Passive Reconnaissance
Open Source Intelligence (OSINT)
Active Reconnaissance
Covert Observation
Infiltration Planning
Pretexting
Infiltration, Exploitation and Post-Expolitation
During these phases, the team carries out the plan by exploiting exposed vulnerabilities (using information and intelligence previously captured). Exploitation involves penetrating further into the environment and setting up to maintain a persistent vulnerability. Examples of this may be through social engineering or technical surveillance measures (clandestine recording devices).
|