What is Physical penetration testing?

JUMPSEC’s physical penetration test follows a four-phased delivery approach:

• Open-source intelligence gathering - Reconnaissance exercise designed to identify and collect useful information about your organisation to guide the attack. JUMPSEC will search both online and offline public information including premises, planning, building control, service contracts, employees, contractors, partners, customers and third parties, as well as conducting covert observations of target facilities and their access control.
• Scenario design – JUMPSEC will create scenarios for each of the facilities in-scope, designed to expose security flaws relating to the organisation’s physical security, including processes, people and infrastructure.
• Attack execution – Undertake the planned attacks on your organisation to test its level of security and awareness in a safe and controlled way so as to minimise disruption.
• Reporting – Provide a comprehensive report addressing the level of risk posed by any flaws identified, as well as the likelihood of exploitation in a real-world scenario, and its potential business impact. We include evidential support and practical recommendations to help your organisation improve its physical security posture.

JUMPSEC can deliver black, white, and grey box assessments in order to satisfy a range of client requirements.

• Black Box – testing resembling a real-world attacker with no prior information about the facilities in-scope besides what can be gathered through open-source methods, designed to realistically the actions of a covert external attacker.
• Grey Box – testing is informed by some information about the facilities to guide JUMPSEC towards assessing particular access control mechanisms and physical safeguards, or validate whether specific end-goals can be achieved that are of concern to the organisation.
• White Box – testing is performed with the full support, knowledge, and visibility of the client, with JUMPSEC performing a walk-through audit of physical security controls rather than a covert offensive simulation.

Examples of the common methods that are applied to assess access controls and physical safeguards include:

• Tailgating - Following an authorised individual through doors or other obstacles to bypass security measures.
• Unfettered access - Unchallenged and unquestioned access to the target location.
• Distract and deflect - A decoy or distraction is used to deflect interest and awareness of the true attacker.
• Impersonation - Breach of physical security controls by means of falsified credentials.
• Environment exploitation - Vulnerabilities in security using shared spaces or on-site third parties.

The cost of a physical application penetration test is determined by the number of days it takes to fulfil the agreed scope of the engagement. It will vary depending on the type of testing (black / grey / white box) and the associated level of reconnaissance, as well as the number of facilities in scope, and the amount of exploitation required. To receive a quotation, your organisation will need to complete a pre-evaluation questionnaire. JUMPSEC experts are available to guide you through this process.

The risks associated with an attacker infiltrating a physical site will vary depending on the site in question (e.g. whether it is a corporate or regional office, manufacturing plant, warehouse, etc.), but can include, for example:

• Theft of physical documents – Exfiltration of unsecured physical copies of digital documents, such as sensitive customer records.
• Compromise of hardware – Attackers with access to hardware devices such as unsecured workstations, servers, and other physical IT infrastructure can often bypass robust virtual controls to gain privileged access to your IT systems.
• Planting of remote gateways – Installation of devices enabling an attacker to directly access the internal corporate network in order to reliably gain access to the organisation’s systems from which to conduct further digital attacks.
• Disruption or destruction of site operations – Depending on the nature of the site, attackers may look to impair the operation of the facility itself. Real-world examples include disabling hospital equipment, tampering with ventilation systems, sabotaging power grids, and disabling fault detection systems in oil pipelines.
• Surveillance and bugging – Plant microphones and monitoring equipment in meeting rooms and offices to record conversations for blackmail purposes and access to insider information.

The particular methods deployed by JUMPSEC will vary based on the scope and the potential weaknesses identified during intelligence gathering. Where relevant, a blended attack pathway may use virtual methods to manipulate or disable digital elements of the physical protection system (e.g., detectors, alarm annunciators, or locks) in order to enable the physical attack to be accomplished more easily.

Many potential attack scenarios will involve an attacker leveraging physical access to progress a cyber attack targeting digital assets and information. As part of a standard physical assessment, JUMPSEC will identify potential next steps and communicate the impact were an attacker to continue an attack from a privileged position on the internal network, or with direct access to physical servers and user devices.

To assess the effectiveness of internal network security controls and validate the risk posed by a hybrid attack, a physical penetration test can also be combined with a Red Team exercise to more accurately simulate an end-to-end hybrid attack and demonstrate its business impact.

Yes, in addition to the final report JUMPSEC can design and deliver security workshops to raise awareness of the importance of physical access controls and employee vigilance in preventing unauthorised access to physical locations.

The methods used can be tailored to meet the requirements of the organisation. Generally, JUMPSEC refrain from using any attack techniques which would cause permanent damage to the target location, such as breaking and entering. If this is specifically requested then JUMPSEC will take to ensure that safeguards are put in place to preserve the safety of JUMPSEC employees, client staff members, and limit damage to the property. 

When conducting an attack, JUMPSEC will aim to reach a position from which a malicious action could be performed, without executing the action itself where this may incur any damage or disruption. Similar to a virtual attack, JUMPSEC will leave 'flags' or take 'trophies' to demonstrate that a malicious action could have been performed by a genuine attacker. This could include, for example, placing a dummy device to indicate that access was gained without actually planting a bug, or establishing a remote access point.

The safety of personnel (both for JUMPSEC and the client) is of highest priority when planning and executing a physical security assessment. For this reason JUMPSEC will not conduct a black box covert assessment of high security facilities, such as those with armed guards. Facilities with higher security requirements will always be assessed in a white box manner with the full knowledge and consent of the client and site staff.