From: marc spamcatcher (junk@zounds.net)
Date: Wed Dec 01 2004 - 21:41:28 EST
I am performing a pentest of the physical security at a hospital. Can
anyone offer procedures, methodologies, tips, etc on this?
I plan to break the day into two parts:
1) physical security pentesting
2) physical security assessment
Partially because I think I may run out of things to attempt in 1. In 1 I
plan to attempt to enter secure areas, plug into the network, take
hardware, etc. 2 will be the more standard checks for cameras, guards, etc.
I think social engineering will be a big part of 1. A friend lent me a
lab coat. :) I did some searches, and below are my notes and what others
have said (sorry not to give credit).
The hospital was not informed, but a VP will be on the premises to vouch
for me if caught. I plan to read Mitnick's book on SE before the next
one.
Thanks,
marc in zounds.net
-----------------------------------------------
physical security pen-testing
[ ] design audit program
link to cobit?
divide it up by pen-test and vulnerability assessment actions
[ ] read isaca pentest pdf
dumpster diving
small screwdriver / credit card for opening doors
follow employees to lunch, eat near them, take notes
plant keylogger?
pretend to be the tape storage vendor?
:: look for
look for usable copy machines or fax machines, etc.
look for passwords
on stickies
look in trash cans
shredded files to reassemble
unattended computers with users logged in.
Try to find targets:
wiring closets
computer room
telephone equipment
IT offices
Executive offices
network jacks
wireless networks
backup media
pop up ceiling tile, go over wall
detect with ceiling motion detectors
stand outside secure door smoking until you can tailgate someone (or a
group) in.
"Once in though, how do you gain access to the swipe card protected
area? Simple. Stand near the door and look like a 'little boy
lost'. Some nice person always asks if you want to get in."
work the receptionist, the 'security guard'
Generating fake access badges
--------------
SOCIAL ENGINEERING
-------------------------------------------
I'm no expert, but I think you should start with some SE goals or targets,
and list techniques that are used to attack them. Goals and techniques
might be:
1. Gain physical access
tester->guard: "I forgot my card today"
guard->tester: card
2. Gain credentials remotely
tester->helpdesk: "This is Joe Blow CEO, I forgot my password"
helpdesk->tester: new password
3. Gain access to sensitive information such as source code, sales/customer history, pricing structure, salary info.
tester->engineer: "I'm with the new enterprise QA team and we're doing a source audit"
engineer->tester: source code
tester->helpdesk: "I'm salesperson X and I can't get into the contact database"
helpdesk->tester: contact database access
--------
-Write down the contact's name and their department,
you can keep this contact for further information
gathering later.
-Keep referring to them by first name (common name) on
the phone; this will sometimes build up an informal
environment in which they are comfortable giving you
information.
-Don't be afraid to ask for a supervisor if things
aren't going your way, go all the way to the top if
you have to, but don't back down.
-Also, if you are not doing this from a business
environment, you can try to create an office type
dialog to seem more professional. Have a "secretary"
call, get the contact on the phone, and then transfer
the contact to your office. If you have a secretary
making your calls, you must be doing something right,
or so they would assume.
- will the organisation's help desk assist an unauthorised or
unidentified user?
------------------
A Physical Penetration Test identifies the security weaknesses and
strengths of the client's physical security. The goal of the test is to
demonstrate the existence or absence of deficiencies in operating
procedures concerning physical security.
---------------------------------------------------------
VULN ASSESSMENT
---------------------------------------------------------
:: look for
cameras