Re: pentest physical security

From: nospam@nospam.org
Date: Wed Aug 02 2006 - 09:28:46 EDT

Next message: Tim: "Let's exploit this"
Previous message: shiri_yacov@hotmail.com: "Re: What to spend on a pentest"
Maybe in reply to: scott: "pentest physical security"
Next in thread: Neil: "Re: pentest physical security"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

('binary' encoding is not supported, stored as-is) >From a high level, you will be testing two areas most likely:

1) Physical Security controls (the actual devices) and
2) Implementation of physical security controls (how the devices are implemented as well as physical security policies and procedures)

Generally speaking, these controls (e.g., fences, cameras, biometrics, card scanners, man traps, etc.) form are or are part of a "secure" perimeter that protects an area to which access is restricted.

The object of a physical security penetration test is to gain access to the secured area while noting flaws in the system, procedures and/or how procedures are followed. There are several ways of doing this:

A. Exploiting a flaw in the security control or implementation thereof. For example a control is set to fail open instead of closed. Or my favorite, over sensitive motion sensors that actively control door locks.
B.Bypassing or disabling the control. One should be wary of disabling any controls as this could damage customer property.
C. Exploiting the weakest link in the chain, which is generally the human factor.

This is not an exhaustive list by any means, but gives some ideas. Obviously the client may want to limit your methodologies based upon the agreed scope of the test.

Hope this helps.

------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to rise,
you need to proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request@cenzic.com for details.
------------------------------------------------------------------------------

Next message: Tim: "Let's exploit this"
Previous message: shiri_yacov@hotmail.com: "Re: What to spend on a pentest"
Maybe in reply to: scott: "pentest physical security"
Next in thread: Neil: "Re: pentest physical security"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:29 EDT