Physical Security Assessments
Tom Eston
Spylogic.net
Source: spylogic.net/downloads/physical-security-assessments.pdf

Topics
- Convergence of Physical and Logical Assessment Methodologies
- Planning the Assessment
- Team Structure
- Reconnaissance
- Penetration Phase
- Walk Through Phase
- Lessons Learned

Penetration Test Definition
- Simulate the activities of a potential intruder
- Attempt to gain access without being detected
- Gain a realistic understanding of a site's security posture

Why conduct a physical security assessment?
- Assess the physical security of a location
- Test physical security procedures and user awareness
- Information assets can now be more valuable than physical ones (USB drives, customer info)
- Risks are changing (active shooters, disgruntled employees)
- Don't forget! Objectives of Physical Security:
  - Human Safety
  - Confidentiality
  - Integrity
  - Availability
- Not limited by the size of an organization!

Convergence of Methodologies
- Network assessment methodology is identical (NIST 800-42):
  - Planning: Objective and Scope
  - Discovery: Remote and On-site reconnaissance
  - Attack: Penetration test and walk through
  - Reporting: Final report and lessons learned
- OSSTMM (Open Source Security Testing Methodology Manual)

The Security Map
- Visual display of the security presence
- Six sections of the OSSTMM
- Sections overlap and contain elements of all other sections
- Proper testing of any one section must include the elements of all other sections, direct or indirect

* Security Map © Pete Herzog, ISECOM

Planning the Assessment – Critical Tasks
- What are we trying to protect at the location(s)?
  - List the critical assets (these can be your objectives if applicable)
  - Rank them (high, medium, low)
- What are the threats to the location(s)?
  - Weather, Fire, High Crime Rate, Employee turnover

Planning the Assessment
- Who will conduct the assessment?
  - Third party involvement
  - Team members
- What is the scope?
  - Process and controls
  - Security awareness: Is the team challenged for ID?
  - Removal of confidential customer information
  - Steal laptop, proprietary information
  - Social engineering included?
- Target selection
  - Regional location, size of facility, dates (schedule well in advance)

Planning the Assessment continued…
- Escalation contact list
  - Include in the authorization to test letter
- Walk through contact (very important)
  - Facility person, security guard, department head
  - They should not know when you are on-site!
- Do not forget! The Authorization to Test Letter (aka: Get out of jail free card, literally!)

Authorization to Test Letter Example

Assessment Team Structure - Team Leader
- Identify a team leader!
  - Handles all coordination
  - Sets up meetings
  - Central point of contact for feedback and problems
  - Compile and document results
  - Put together the final report
  - Should be your most senior member to start out
- To avoid burn out… rotate the team leader position!

Assessment Team Structure - Team Members
- Maximum of three internal team members
  - Dependent on scope
  - Assist with all phases if required
  - Document results and observations (photos… good for keeping a log)
  - Communicate issues or problems to the team lead (cell phone required!)
- Decide on third-party involvement
  - Comfort factor
  - Anonymity of the testing team
  - $$$

Remote Reconnaissance
- Gather as much information as possible off-site!
  - Floor plans from company documents
  - Google Maps satellite views
  - Google searches for news and information about the target location(s)
    - Better yet… use Maltego! http://www.paterva.com/web/Maltego/
  - Number of employees at the location(s) and listings
  - Job functions, departments at the site (phone numbers)
  - Security guards? Armed?
  - Access Control: Card Readers? Photo IDs?
  - Call or email the city building department for blueprints… seriously!

Maltego for Reconnaissance
- Can be used to determine the relationships and real world links between:
  - People
  - Groups of people (social networks)
  - Companies
  - Organizations
  - Web sites
  - Internet infrastructure such as:
    - Domains
    - DNS names
    - Netblocks
    - IP addresses
  - Phrases
  - Affiliations
  - Documents and files

On-site Reconnaissance
- 1/2 or 1 day is recommended for on-site recon
- At a remote location or region?
  - Coordinate with the pen test team the night before to discuss the recon plan
- Two team members maximum
- Ensure you have authorization to test letters in hand!
- Things to observe:
  - Building location, parking, traffic patterns
  - Employee entrance procedures (smokers area?)
  - Look for cameras and access control systems
  - After hours procedures? Are things different at night?

Penetration Test Phase
- After on-site recon, determine the plan!
- Create multiple scenarios based on your objectives
- Some examples:
  - Tailgate (easiest)
  - Look like you belong (goes great with tailgating)
  - Printer repair man
  - "I'm late for a meeting!"
  - Chat with the smokers
  - "I forgot my badge"
  - I'm here to see <INSERT NAME OF EXECUTIVE>
  - Use a business card (faked) as ID
  - Create a fake ID

Penetration Test Phase Continued…
- Take photos if you can
- Use conference rooms to your advantage
- Be prepared to be compromised
- If you feel someone wants to challenge you… quickly turn around and walk the other way!
- If you are asked for ID… fake it for a minute. If you think it's over, pull out the authorization letter.
- Be ready to make a phone call if needed
- Do not endanger yourself or others! (Beware of big dogs!)

Walk Through Phase
- Conducted after the penetration test
- Time frame depends on objectives and location
- One team member should be coordinating the walk through with the designated contact during the pen test
  - Ensure you will have someone available
  - No chance of pen test compromise
  - Be prepared to escalate to management

Walk Through Phase Continued…
- Conducted by at least two team members with the facility contact
- What are we looking for?
  - Perimeter controls
  - Confidentiality control of hard-copy data
  - Internal access controls
  - Cameras/Alarms
  - Personnel practices (security awareness)
  - Emergency procedures (evacuation)
  - Fire extinguishers (expired?)
- OSSTMM is a good place to start for creating a physical security checklist
  - No one standard, dependent on your organization

Walk Through Phase Continued…
- Ask questions! "Do you have any security concerns?"
- Take notes and pictures
  - Ask for permission prior to taking pictures
- Tell them about the penetration test
  - Prepare for "hostility"!
  - Put an awareness spin to it. "You're not getting in trouble"

"Full Metal Jacket" © 1987 Warner Bros. Pictures

Reporting and Lessons Learned
- Team Leader compiles notes and results from team members
- Prepare the final report ASAP
- Set up meetings shortly after the assessment with management of the facilities
  - Don't wait too long! You will lose the effectiveness of the assessment.
  - Keep them in the loop
- Lessons learned with the assessment team!
  - Set up a meeting: include third-party if used
  - What went well? What didn't?

Standards and Books
- OSSTMM: Open-Source Security Testing Methodology Manual, Version 2.2, http://www.isecom.org/osstmm/
- NIST 800-12 (Chapter 15: Physical Security), http://csrc.nist.gov/publications/nistpubs/800-12/
- NIST 800-42 (Guideline on Network Security Testing), http://csrc.nist.gov/publications/nistpubs/800-42/NIST-SP800-42.pdf
- Physical Security for IT, Michael Erbschloe
- The Design and Evaluation of Physical Protection Systems; Vulnerability Assessment of Physical Protection Systems, Mary Lynn Garcia

Questions?
Email: tom@[email protected]