physical security pentesting procedures, tips, audit programs?

From: marc spamcatcher (junk@zounds.net)
Date: Wed Dec 01 2004 - 21:41:28 EST


I am performing a pentest of the physical security at a hospital. Can
anyone offer procedures, methodologies, tips, etc. on this?

I plan to break the day into two parts:
1) physical security pentesting
2) physical security assessment

This is partly because I think I may run out of things to attempt in part 1.
In part 1 I plan to attempt to enter secure areas, plug into the network,
take hardware, etc. Part 2 will be the more standard checks for cameras,
guards, etc.

I think social engineering will be a big part of 1. A friend lent me a
lab coat. :) I did some searches, and below are my notes and what others
have said (sorry not to give credit).

The hospital was not informed, but a VP will be on the premises to vouch
for me if caught. I plan to read Mitnick's book on SE before the next
one.

Thanks,

marc in zounds.net

-----------------------------------------------
physical security pen-testing

[ ] design audit program
        link to COBIT?
        divide it up by pen-test and vulnerability assessment actions
[ ] read ISACA pentest PDF

dumpster diving

small screwdriver / credit card for opening doors

follow employees to lunch, eat near them, take notes

plant keylogger?
pretend to be the tape storage vendor?

:: look for
usable copy machines or fax machines, etc.
passwords
        on stickies
trash cans
        shredded files to reassemble
unattended computers with users logged in

Try to find targets:
wiring closets
computer room
telephone equipment
IT offices
Executive offices
network jacks
wireless networks
backup media

pop up ceiling tile, go over wall
        detect with ceiling motion detectors

stand outside secure door smoking until you can tailgate someone (or a
group) in.

"Once in though, how do you gain access to the swipe card protected
area? Simple. Stand near the door and look like a 'little boy
lost'. Some nice person always asks if you want to get in."

work the receptionist, the 'security guard'

Generating fake access badges

--------------
SOCIAL ENGINEERING
-------------------------------------------

I'm no expert, but I think you should start with some SE goals or targets,
and list techniques that are used to attack them. Goals and techniques
might be:
1. Gain physical access
    tester->guard: "I forgot my card today"
    guard->tester: card

2. Gain credentials remotely
    tester->helpdesk: "This is Joe Blow CEO, I forgot my password"
    helpdesk->tester: new password

3. Gain access to sensitive information such as source code,
sales/customer history, pricing structure, salary info.
    tester->engineer: "I'm with the new enterprise QA team and we're doing
    a source audit"
    engineer->tester: source code

    tester->helpdesk: "I'm salesperson X and I can't get into the contact
    database"
    helpdesk->tester: contact database access

    --------
- Write down the contact's name and their department; you can keep this
  contact for further information gathering later.
- Keep referring to them by first name (common name) on the phone; this
  will sometimes build up an informal environment in which they are
  comfortable giving you information.
- Don't be afraid to ask for a supervisor if things aren't going your way;
  go all the way to the top if you have to, but don't back down.
- Also, if you are not doing this from a business environment, you can try
  to create an office-type dialog to seem more professional. Have a
  "secretary" call, get the contact on the phone, and then transfer the
  contact to your office. If you have a secretary making your calls, you
  must be doing something right, or so they would assume.

- Will the organisation's help desk assist an unauthorised or unidentified
  user?

------------------
A Physical Penetration Test identifies the security weaknesses and
strengths of the client's physical security. The goal of the test is to
demonstrate the existence or absence of deficiencies in operating
procedures concerning physical security.

---------------------------------------------------------
VULN ASSESSMENT
---------------------------------------------------------
:: look for
cameras

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:09 EDT