Penetration Testing mailing list archives

Re: Physical Security - Pen Test


From: Marco Ivaldi <raptor () mediaservice net>
Date: Tue, 31 Mar 2009 12:27:14 +0200 (ora solare Europa occidentale)

Paul,

On Mon, 30 Mar 2009, iadcc wrote:

> Has anybody ever conducted a physical security penetration test? Do you have a sample test plan you used? I have formulated some Social Engineering tests we could try but anything else would be useful.

Just a few suggestions off the top of my head:

http://www.isecom.info/mirror/osstmm.en.2.2.pdf
http://www.isecom.org/osstmm3.HUMSEC.draft.pdf

http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html
http://security.ucdavis.edu/physical_security.cfm

http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-3/physec/physecdoc.html
http://csrc.nist.gov/publications/nistpubs/800-12/800-12-html/chapter15.html
http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf
http://www.tuev-nord.com.ua/itgr/IT_grund/threat.pdf (see also www.bsi.de)

http://seclists.org/pen-test/2004/Dec/0011.html (all thread)

Watch out for OSSTMM 3.0, which will extensively cover PHYSSEC channel testing (encompassing both Human and Physical Security).

Cheers,

--
Marco Ivaldi, OPST
Lead Security Analyst     Data Security Division
@ Mediaservice.net Srl    http://mediaservice.net/

