As a physical social engineer my job on the surface is simple, gain physical access to an organisation’s premises and complete a set of pre-determined tasks from there.
These tasks can range from planting devices on a client’s corporate network in an attempt to gain remote access through to collating real time evidence such as clear desk policies, workstations left logged on and unattended confidential literature left out for anyone to read and generally a lack of security best practice.
I say on the surface my job is simple as performing these types assessments generally are. the hard part seems to be convincing clients that a physical cyber security assessment is as critical as performing an external or internal penetration test.
Over my time as a physical cyber security specialist, I have assessed some very mature organisations who have undertaken multiple penetration tests over a number of years and are therefore very secure in these areas but had not taken physical cyber security into account for a number of reasons.
The main reason for this is a lack of skills in this field to perform such an assessment and therefore physical cyber security assessments are either being performed by consultants whose skill sets lay in a much different area of information security and through no fault of their own are not capable of performing such assessments. More often than not, cyber security organisations are not offering these assessments and their clients are being left in the knowledge that what they are currently doing is enough to secure their cooperate network and confidential data, putting the bad guys at a serious advantage.
However when a company does undertake a physical red team assessment, there is what I would describe as a light bulb moment, when I am describing how I have gained access to what was thought to be a secure premises, planted a device on the corporate network and maintained remote access over a number of days, weeks and even months without the clients knowledge that I had ever stepped foot into the building or provide image of sensitive documentation that has been discarded without a second thought, these organisations quickly realise the importance of physical cyber security and put it much higher on their cyber security agenda, with regular assessments and prioritising remediation projects.
One major bonus is that rather than other penetration testing which is normally invisible to the general population of a organisation, physical testing requires personal face to face interaction which stimulates interest in cyber security and promotes training thereafter with employees eager to tell their story about the time they came face to face with a hacker/intruder.
In the current information security climate, physical cyber security really is the missing piece of the puzzle and without taking it seriously, organisations are literally leaving the front door open for threat actors to walk straight in.
This has not escaped the criminal fraternity either, with a higher probability for success, criminal organisations are quickly adding this to their kit bag with physical attacks rapidly on the increase.
If you would like to learn about physical security testing then get in touch!