Penetration Testing mailing list archives

Re: pentest physical security

From: nospam () nospam org
Date: 2 Aug 2006 13:28:46 -0000

From a high level, you will be testing two areas most likely:

1) Physical Security controls (the actual devices) and
2) Implementation of physical security controls (how the devices are implemented as well as physical security policies
and procedures)

Generally speaking, these controls (e.g., fences, cameras, biometrics, card scanners, man traps, etc.) form are or are
part of a "secure" perimeter that protects an area to which access is restricted.

The object of a physical security penetration test is to gain access to the secured area while noting flaws in the
system, procedures and/or how procedures are followed. There are several ways of doing this:

A. Exploiting a flaw in the security control or implementation thereof. For example a control is set to fail open
instead of closed. Or my favorite, over sensitive motion sensors that actively control door locks.
B.Bypassing or disabling the control. One should be wary of disabling any controls as this could damage customer
property.
C. Exploiting the weakest link in the chain, which is generally the human factor.

This is not an exhaustive list by any means, but gives some ideas. Obviously the client may want to limit your
methodologies based upon the agreed scope of the test.

Hope this helps.

------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to rise,
you need to proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request () cenzic com for details.
------------------------------------------------------------------------------

Current thread:

Re: pentest physical security nospam (Aug 02)
- <Possible follow-ups>
- Re: pentest physical security Neil (Aug 02)
- Re: pentest physical security Cedric Blancher (Aug 16)
  - RE: pentest physical security Upadhyaya, Vijay (Aug 23)
- Re: pentest physical security JJacoby (Aug 24)
  - Re: pentest physical security intel96 (Aug 25)
    - Message not available
    - Re: pentest physical security intel96 (Aug 26)