Physical Penetration Testing can be performed as a covert exercise designed to simulate a realistic attempt by a malicious party to infiltrate the target facility, or as a more collaborative exercise designed to more comprehensively audit the implementation and effectiveness of physical access controls and safeguards.
What is Physical Penetration Testing?
A Physical Penetration Test simulates the activities that an attacker is likely to undertake when attempting to gain access to an organisation’s facilities (e.g. offices, plants, warehouses) to assess the effectiveness of physical security controls.
An attack chain involving a physical breach will typically combine physical and virtual methods: direct access to the internal network and to physical devices is used to gain privileged access to internal systems, from which malicious actions can be performed. JUMPSEC will identify the potential actions which, if performed by a real attacker, would be likely to result in a real business impact.
Once the physical segment of the attack has been concluded, JUMPSEC will identify the likely follow-on actions and the probable impact. If beneficial, JUMPSEC can separately continue the digital attack from the point of compromise (as per a typical Red Team engagement). This enables testing of internal network security controls and, should the attack succeed, clearly demonstrates the business risk and impact of any deficiencies identified to non-security stakeholders.
Why should you undertake Physical Penetration Testing?
Organisations often assume that cyber attackers are constrained to virtual methods of achieving their goals.
While virtual attack vectors often represent the route of least complexity and risk for an attacker, cyber criminals will turn to physical methods where it benefits them.
Attackers will often utilise physical methods to bypass virtual controls protecting an organisation’s digital assets, gaining direct access to internal systems and physically stored information.
Implementing effective physical security controls is a core component of a layered ‘defence-in-depth’ approach and contributes to the resilience of the wider cyber security operating model.
JUMPSEC recommends that organisations audit and test their physical security controls on a regular basis, particularly when operating in highly targeted industry sectors known to be susceptible to physical and hybrid attacks, e.g. Critical National Infrastructure (CNI) organisations likely to be targeted by state-sponsored actors with the intention of causing political, economic, and social disruption.
Outcomes You Achieve
Discover flaws in your physical security controls
Which could be exploited by a malicious actor using covert, hybrid (physical and virtual) techniques.
Complex technical risks translated into business terms
Demonstrating the value of cyber security investment in terms of business risk reduction.
Enable the timely identification and remediation of vulnerabilities
Which could be exploited by an attacker to cause harm to your business.
Build resilience against realistic attacker techniques
By simulating the ways a real-world attacker would target your facilities and network.
Satisfy a range of compliance requirements
With a comprehensive report detailing vulnerabilities identified and recommended remedial actions prioritised by risk.
Increased awareness of physical security threats
And an understanding of their potential business impact.
Frequently Asked Questions
JUMPSEC’s physical penetration test follows a four-phased delivery approach:
- Open-source intelligence gathering – Reconnaissance exercise designed to identify and collect useful information about your organisation to guide the attack. JUMPSEC will search both online and offline public information including premises, planning, building control, service contracts, employees, contractors, partners, customers and third parties, as well as conducting covert observations of target facilities and their access control.
- Scenario design – JUMPSEC will create scenarios for each of the facilities in-scope, designed to expose security flaws relating to the organisation’s physical security, including processes, people and infrastructure.
- Attack execution – Undertake the planned attacks on your organisation to test its level of security and awareness in a safe and controlled way so as to minimise disruption.
- Reporting – Provide a comprehensive report addressing the level of risk posed by any flaws identified, as well as the likelihood of exploitation in a real-world scenario, and its potential business impact. We include evidential support and practical recommendations to help your organisation improve its physical security posture.
JUMPSEC can deliver black, white, and grey box assessments in order to satisfy a range of client requirements.
- Black Box – testing that resembles a real-world attack, with no prior information about the facilities in scope beyond what can be gathered through open-source methods, designed to realistically simulate the actions of a covert external attacker.
- Grey Box – testing is informed by some information about the facilities to guide JUMPSEC towards assessing particular access control mechanisms and physical safeguards, or validate whether specific end-goals can be achieved that are of concern to the organisation.
- White Box – testing is performed with the full support, knowledge, and visibility of the client, with JUMPSEC performing a walk-through audit of physical security controls rather than a covert offensive simulation.
Examples of the common methods that are applied to assess access controls and physical safeguards include:
- Tailgating – Following an authorised individual through doors or other obstacles to bypass security measures.
- Unfettered access – Unchallenged and unquestioned access to the target location.
- Distract and deflect – A decoy or distraction is used to deflect interest and awareness of the true attacker.
- Impersonation – Breach of physical security controls by means of falsified credentials.
- Environment exploitation – Exploiting weaknesses that arise from shared spaces (e.g. multi-tenant buildings) or from on-site third parties such as contractors.
The cost of a physical penetration test is determined by the number of days it takes to fulfil the agreed scope of the engagement. It will vary depending on the type of testing (black / grey / white box) and the associated level of reconnaissance, as well as the number of facilities in scope and the amount of exploitation required. To receive a quotation, your organisation will need to complete a pre-evaluation questionnaire. JUMPSEC experts are available to guide you through this process.
The risks associated with an attacker infiltrating a physical site will vary depending on the site in question (e.g. whether it is a corporate or regional office, manufacturing plant, warehouse, etc.), but can include, for example:
- Theft of physical documents – Exfiltration of unsecured physical copies of digital documents, such as sensitive customer records.
- Compromise of hardware – Attackers with access to hardware devices such as unsecured workstations, servers, and other physical IT infrastructure can often bypass robust virtual controls to gain privileged access to your IT systems.
- Planting of remote gateways – Installation of a device (e.g. a small network implant with its own out-of-band connectivity) that gives the attacker persistent remote access to the internal corporate network, from which further digital attacks can be conducted.
- Disruption or destruction of site operations – Depending on the nature of the site, attackers may look to impair the operation of the facility itself. Real-world examples include disabling hospital equipment, tampering with ventilation systems, sabotaging power grids, and disabling fault detection systems in oil pipelines.
- Surveillance and bugging – Planting microphones and monitoring equipment in meeting rooms and offices to record conversations, whether for blackmail or to obtain insider information.
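Of the risks above, a planted network implant is the one a defender can check for most directly: a device that was never in the asset inventory suddenly answering on the LAN. The following is an added example, not part of this page or of JUMPSEC's service, showing one such check: it parses Linux `arp -an` output (a constructed sample is embedded), compares each resolved entry against an assumed asset inventory keyed by MAC address, and flags unknown devices, known devices that appear on an interface other than the one recorded for them, and any MAC whose OUI is on a watch-list. The inventory, the interface names and the watch-list contents are all assumptions for illustration.

```python
import re
from typing import Dict, List, Tuple

# One line of Linux `arp -an` output looks like:
#   ? (10.0.5.23) at b8:27:eb:12:34:56 [ether] on eth0
# Unresolved entries read "at <incomplete>" and carry no MAC, so they do not match.
ARP_LINE = re.compile(
    r"\((?P<ip>\d+\.\d+\.\d+\.\d+)\) at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) .*? on (?P<iface>\S+)",
    re.IGNORECASE,
)

# Constructed sample ARP table (assumed hosts and addresses).
SAMPLE_ARP = """\
? (10.0.5.1) at 00:11:22:33:44:01 [ether] on eth0
? (10.0.5.20) at 00:11:22:33:44:20 [ether] on eth0
? (10.0.5.23) at b8:27:eb:12:34:56 [ether] on eth0
? (10.0.5.40) at <incomplete> on eth0
? (10.0.9.7) at 00:11:22:33:44:20 [ether] on eth1
"""

# Assumed asset inventory: MAC -> (hostname, interface it is expected to appear on).
INVENTORY: Dict[str, Tuple[str, str]] = {
    "00:11:22:33:44:01": ("core-gw-01", "eth0"),
    "00:11:22:33:44:20": ("printer-floor2", "eth0"),
}

# Assumed OUI watch-list: vendor prefixes common in hobbyist boards used as drop boxes.
OUI_WATCHLIST: Dict[str, str] = {
    "B8:27:EB": "Raspberry Pi Foundation",
}


def parse_arp(arp_output: str) -> List[Tuple[str, str, str]]:
    """Return (ip, mac, iface) for every resolved ARP entry; incomplete entries are skipped."""
    entries = []
    for line in arp_output.splitlines():
        m = ARP_LINE.search(line)
        if m:
            entries.append((m.group("ip"), m.group("mac").lower(), m.group("iface")))
    return entries


def oui(mac: str) -> str:
    """First three octets of a colon-separated MAC, upper-cased to match the watch-list."""
    return mac[:8].upper()


def find_rogue_devices(
    arp_output: str,
    inventory: Dict[str, Tuple[str, str]],
    oui_watchlist: Dict[str, str],
) -> List[dict]:
    """Flag ARP entries that do not agree with the inventory.

    A device is reported when its MAC is absent from the inventory, or when a known
    MAC shows up on an interface other than the one recorded for it (a moved or
    spoofed device). A watch-listed OUI is added as an extra reason to raise priority.
    """
    findings = []
    for ip, mac, iface in parse_arp(arp_output):
        reasons = []
        if mac not in inventory:
            reasons.append("MAC not in asset inventory")
        else:
            hostname, expected_iface = inventory[mac]
            if iface != expected_iface:
                reasons.append(
                    f"known device ({hostname}) seen on unexpected interface "
                    f"{iface} (expected {expected_iface})"
                )
        if oui(mac) in oui_watchlist:
            reasons.append(f"OUI on watch-list ({oui_watchlist[oui(mac)]})")
        if reasons:
            findings.append({"ip": ip, "mac": mac, "iface": iface, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_rogue_devices(SAMPLE_ARP, INVENTORY, OUI_WATCHLIST):
        print(f"{f['ip']:<12} {f['mac']} on {f['iface']}: " + "; ".join(f["reasons"]))
```

On the sample data the unknown Raspberry Pi at 10.0.5.23 is reported with two reasons, and the printer's MAC answering on eth1 is reported once; the gateway and the unresolved entry produce nothing. In practice the ARP table would be collected from the switch or gateway for each VLAN rather than from one host, and the inventory would come from the CMDB or NAC system, but the comparison logic is the same.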
The particular methods deployed by JUMPSEC will vary based on the scope and the potential weaknesses identified during intelligence gathering. Where relevant, a blended attack pathway may use virtual methods to manipulate or disable digital elements of the physical protection system (e.g., detectors, alarm annunciators, or locks) in order to enable the physical attack to be accomplished more easily.
Many potential attack scenarios will involve an attacker leveraging physical access to progress a cyber attack targeting digital assets and information. As part of a standard physical assessment, JUMPSEC will identify potential next steps and communicate the impact were an attacker to continue an attack from a privileged position on the internal network, or with direct access to physical servers and user devices.
To assess the effectiveness of internal network security controls and validate the risk posed by a hybrid attack, a physical penetration test can also be combined with a Red Team exercise to more accurately simulate an end-to-end hybrid attack and demonstrate its business impact.
In addition to the final report, JUMPSEC can design and deliver security workshops to raise awareness of the importance of physical access controls and of employee vigilance in preventing unauthorised access to physical locations.
How do you conduct a Physical Penetration Test without causing disruption of operations or destruction of property?
The methods used can be tailored to meet the requirements of the organisation. Generally, JUMPSEC refrains from using any attack techniques which would cause permanent damage to the target location, such as breaking and entering. If this is specifically requested, JUMPSEC will take steps to ensure that safeguards are in place to preserve the safety of JUMPSEC employees and client staff, and to limit damage to the property.
When conducting an attack, JUMPSEC will aim to reach a position from which a malicious action could be performed, without executing the action itself where doing so may cause damage or disruption. As in a virtual attack, JUMPSEC will leave ‘flags’ or take ‘trophies’ to demonstrate that a malicious action could have been performed by a genuine attacker. This could include, for example, placing an inert dummy device to show that access was gained, rather than actually planting a bug or establishing a remote access point.
What safeguards do you put in place to ensure the exercise is performed in a safe and secure manner?
The safety of personnel (both JUMPSEC's and the client's) is the highest priority when planning and executing a physical security assessment. For this reason, JUMPSEC will not conduct a black box covert assessment of high security facilities, such as those with armed guards. Facilities with higher security requirements will always be assessed in a white box manner, with the full knowledge and consent of the client and site staff.
What they've said about us
“Whether we’re developing our security strategies, assuring our development lifecycle processes or continually improving our SOC activities, having industry leader JUMPSEC by our side as our security partner gives us the confidence to move forward in an increasingly challenging environment.”
“JUMPSEC consistently provides high quality and reliable support, demonstrating expert knowledge in their field and composure in challenging situations, which gives us full confidence that they are the right security partner for the job!”
“They don’t just give you something out of a box; they’re quite willing to work with you to provide you with a solution that meets your needs.”