
The Necessity of Conducting a Physical Security Assessment

Having the most advanced, artificially intelligent-featured security software certainly makes a company “sound” secure, and in fact, those defenses do help stop most advanced attacks.

But not all attacks involve complicated ransomware, spear phishing, or DDoS attacks.

What organizations have to remember is their computer network is only one threat vector they have to worry about. And it’s not even the most obvious.

Attackers are constantly looking for the simplest form of invasion and even the most proficient hacker is not above opening an unlocked door if he or she believes it will lead to the information they want.

This is why a building’s physical security policies must not only be in place but strong enough to withstand a persistent attacker.

While most attacks do occur over the Internet, whether through a misconfigured system that’s publicly accessible or a phishing email sent with a complex payload to be downloaded and executed, physical security is also an important aspect of cybersecurity. A lack of physical security can lead to something as simple as an attacker walking off the street into a building and plugging an unrecognised device into the network or removing sensitive materials.

This could include taking an internal phone listing off a receptionist’s desk, which would give a hacker enough information to develop a social engineering scheme that can lead to a major breach.

The good news is Trustwave SpiderLabs consultants over the years have conducted hundreds of physical security assessments so we can glean some great information and perhaps some helpful recommendations from these efforts.

Case Scenarios

The following are examples SpiderLabs social engineers have faced during their engagements.

Case Scenario #1

Office parking lots tend to be the prime target to gain access into a building. Depending on the barrier used, timing the entry into the building can be quite easy as barriers close slowly. Once the first layer of security is breached, a tailgating attempt is made to access the parking lot elevators which are often access controlled. In this scenario, the social engineer would either pretend to be an employee of the organization and follow the legitimate employee in, or due to inadequate security awareness, follow a legitimate employee inside. Once completed, this leads to the second layer of security being circumvented. The third layer could either be access controlled in the internal elevators where employees use their access card or an access-controlled door on the office floor which could both be circumvented by tailgating.

Case Scenario #2

Emergency exits are another prime target an attacker can use to gain access into a building. While generally these exits should not be used by employees, several assessments our teams have carried out found that emergency exits are often used by employees for smoke breaks and to leave the building during normal hours, as it can sometimes be more convenient to access shops or car park areas. Social engineers can loiter around emergency exits and wait for an employee to leave. Due to inadequate security awareness, employees most often do not wait for the door to close to stop any tailgating attempts.

Case Scenario #3

Reception staff can sometimes be led into thinking a person belongs in the building once access is gained. Some barriers have flaws allowing two or more people to walk past together if the sensors are blocked, leaving the barriers open for some time. There are also instances where barriers tend to be open for a longer period than usual, and this allows a pentester to time their attack and make their way into the building by utilising the barrier’s flaws and moving past the reception area and security guards.

Case Scenario #4

Obviously, in the prior case scenario, the pentester had to deal with on-site security. This means security guards and receptionists are also targeted during these assessments.

We often test their security awareness to check if they are adhering to the security policies, or to find out if in fact any are in place.

Social engineers do have several tricks up their sleeve when dealing with the human element of this test. For example, a social engineer would show up at a building with an access card that looks exactly like those held by other employees in the building, except that it wouldn’t be registered or working on the RFID scanners.

In this scenario, this card was created during the Open-Source Information (OSINT) gathering phase, when the social engineer found an employee access card on social media, enabling it to be duplicated.

Social engineers can then dupe the receptionist into thinking that they are an employee with a broken access card. If no proper policy or process is in place, then it is likely the guard will not check the social engineer’s actual status and the access card will be registered, or the person given a temporary pass, allowing them into the building with a valid access card.

How Are the Assessments Carried Out?

Physical security assessments are normally broken down into 3 phases. Phase 1 is where the client and Trustwave SpiderLabs decide on the scope of work and objectives to be carried out during the assessment. The objectives can play a role in the number of phases needed during an assessment. For example, a more complex objective will require more complex reconnaissance, sophisticated planning, and careful execution. Once the scope of work and objectives have been agreed to, the engagement moves into phase 2, known as the delivery phase.

The delivery phase is broken into two parts: planning and execution. The planning phase consists of performing reconnaissance offsite and onsite. The offsite reconnaissance utilises open-source information (OSINT) gathering to capture information about the organisation and employees. The information captured can range from building plans/layouts, street view pictures, company event pictures, and workplace video interviews to employees’ social media, where they potentially upload building/site-related information. This information is then analysed, and scenarios are planned out. Once the different scenarios are prepped, the information is provided back to the client for approval before the green light is given to perform the tasks.

The execution phase consists of reviewing the security awareness of the staff, where the social engineer will attempt to tailgate into the building, loiter around secure areas, access meeting rooms, observe employees’ desk policy, secure usage etiquettes etc., and based on the objectives, remove sensitive materials and devices from the building. Secure areas are accessed through tailgating techniques, lock picking, or access door bypass.

Additionally, Trustwave SpiderLabs will also attempt to connect unregistered devices on the network in an attempt to find issues such as authentication bypass, Man-in-the-Middle attacks, attacks against Windows Domain-joined systems, or other attack vectors in which one could gain unauthorized access to these physical security control systems.

How can Trustwave SpiderLabs help?

Trustwave's elite security team, SpiderLabs, can scope and execute thorough testing of the environment with their deep, specialized knowledge and provide recommendations to strengthen the security posture.

For more information on Trustwave SpiderLabs Physical Security Assessment and Penetration Testing in general, please click the image below.


