Penetration Testing mailing list archives
RE: physical security pentesting procedures, tips, audit programs?
From: "Todd Towles" <toddtowles () brookshires com>
Date: Tue, 7 Dec 2004 14:56:56 -0600
Very good idea xyberpix, I like the business card idea. Growing off of xyberpix's idea - If you have time...write the date and the time on the back of the card while placing it. The dates could be written on the cards beforehand to reduce the time it takes. Then you will have a written account of time you were in a area. -Todd
-----Original Message----- From: xyberpix [mailto:xyberpix () xyberpix com] Sent: Saturday, December 04, 2004 9:55 AM To: Vic N Cc: Pen-Test[List] Subject: RE: physical security pentesting procedures, tips, audit programs? Hi, If by physical security, you mean "physical security" and not physical access to computers and the like, here's what I would suggest. Get a stack of your business cards, and then get into the hospital, pick up a white coat from the changing room, grab a bucket and a mop from the cleaning cupboard, and just walk around everywhere where you're not supoosed to be. Once you start getting into secured areas, where a malicious person could do some serious damage, which in a hospital is anywhere where a doctor or nurse would be allowed, stick a business card somewhere out of site, and make a note of it. Spend a few days doing this, and people will get to know you as "the cleaner" if you get questioned by security gaurds, make sure you have a decent reason for being wherever you are, and don't come accross as nervous at all. Act like you are meant to be there, and they are interferring with your work, you're only doing your job after all, how can they expect you to clean places when you keep getting harrassed? In these situations image and attitude are everything, if you can be confident about those you've got nothing to worry about. Also make sure you have a "get out of jail" letter from one of the high up people who aggreed to the physical security test, and carry it around with you wherever you go, just in case someone wises up to the idea that you're not who you say you are. Usually at hospitals this isn't an issue, so long as you look the part, you usually get away with it. HTH xyberpix On Fri, 2004-12-03 at 06:39 -0800, Vic N wrote:From: marc spamcatcher <junk () zounds net> To: pen-test () securityfocus com Subject: physical security pentesting procedures, tips,audit programs?Date: Wed, 1 Dec 2004 20:41:28 -0600 (CST) I am performing a pentest of the physical security at a hospital. Can anyone offer procedures, methodologies, tips, etc on this?I'd suggest you look at the challenge from the viewpoint of an unattended patient left alone in an examination room. I've seen instances where IP #'s are plainly labelled on wireless devices in public areas (such as an ER) and these IP's match simpleARIN lookups (do the ARIN lookups before you go in).Patient rooms sometimes have multiple RJ45 jacks to secondary equipment networks that could easily be plugged into.While it mightnot grant access to information, gaining access to and DOS'ing a network that say provides access to vitals monitoring could be a hospitals worst nightmare (and to be clear, I don'trecommend doing itfor a pen-test!) and should make your client take note. In this mode, I'm sure you'll see numerous HIPPA violations with workstations being left unlocked too. My experience has been that you're not separated from your possessions even in an ER situation (it's just put in a bag and you hold on to it). A standardnotebookw/wireless and an RJ-45 cable idling ready to go in a non-descript bag... If you go in as a non-critical patient needing observationand not asa "stranger" you're bound to be left unattended in the"hurry up and wait"nature of treatement and have more than a few minutes to test.-- For Security and Open Source news and tips visit: http://xyberpix.demon.co.uk
Current thread:
- physical security pentesting procedures, tips, audit programs? marc spamcatcher (Dec 02)
- Re: physical security pentesting procedures, tips, audit programs? ctg (Dec 03)
- RE: physical security pentesting procedures, tips, audit programs? Eric Greenberg (Dec 07)
- RE: physical security pentesting procedures, tips, audit programs? Vic N (Dec 03)
- RE: physical security pentesting procedures, tips, audit programs? Jerry Shenk (Dec 07)
- Re: physical security pentesting procedures, tips, audit programs? Don Lord (Dec 07)
- RE: physical security pentesting procedures, tips, audit programs? xyberpix (Dec 07)
- RE: physical security pentesting procedures, tips, audit programs? Jerry Shenk (Dec 07)
- Re: physical security pentesting procedures, tips, audit programs? Jose Maria Lopez (Dec 09)
- <Possible follow-ups>
- RE: physical security pentesting procedures, tips, audit programs? Todd Towles (Dec 07)
- RE: physical security pentesting procedures, tips, audit programs? Frank Knobbe (Dec 09)
- RE: physical security pentesting procedures, tips, audit programs? Todd Towles (Dec 09)
- RE: physical security pentesting procedures, tips, audit programs? Todd Towles (Dec 09)
- RE: physical security pentesting procedures, tips, audit programs? xyberpix (Dec 09)
- RE: physical security pentesting procedures, tips, audit programs? Frank Knobbe (Dec 09)
- Re: physical security pentesting procedures, tips, audit programs? nicola (Dec 12)
- Re: physical security pentesting procedures, tips, audit programs? ctg (Dec 03)