Re: physical security pentesting procedures, tips, audit programs?

From: ctg (plumme@gmail.com)
Date: Fri Dec 03 2004 - 05:57:41 EST


Heya Mark,

> I am performing a pentest of the physical security at a hospital. Can
> anyone offer procedures, methodologies, tips, etc on this?

I did get from your email that you're going to do this in only one
day. The thing is that you might not notice all the things in just
one day. If you have any chance to use a camera, then use it to document
and make a plan for your test.
The idea could also consist of getting floor plans for the hospital;
the main goal in those plans is to get electrical drawings, and if you
have any chance, then try to obtain security network plans for the
hospital. You could pose as a building constructor for the
authorities. On the other hand, a hospital just isn't like a bank, so
think about it: they do have an awful lot of valuable
information/equipment/drugs etc. in the building.

> I plan to break the day into two parts:
> 1) physical security pentesting
> 2) physical security assessment

Good plan. I would recommend you think about what your goal is. Think
about what you would do if you were breaking into the hospital, what
your goal(s) would be. Then think about whether the hospital has done
anything to secure those goals.

> I think social engineering will be a big part of 1. A friend lent me a
> lab coat. :) I did some searches, and below are my notes and what others
> have said (sorry not to give credit).

Just a lab coat? What if you were just a regular visitor who got
lost? Or a patient, security guard, secretary, janitor. I would
recommend you practise some lockpicking or obtain at least an
automated tool for that. Also think about whether it is easier to get
into certain places at different times of day. You could even try to
enlist with them as a new employee and get a position. Note that many
organisations don't have security measures for the attacker from the
inside, and when they test their security, they do it from the
outsider's point of view.

> The hospital was not informed, but a VP will be on the premises to vouch
> for me if caught.

Another good plan.

> dumpster diving
>
> small screwdriver / credit card for opening doors

Screwdrivers leave marks, and you don't want to leave marks. Do you
know how to use a piece of plastic to open locks?
 
> follow employees to lunch, eat near them, take notes

Don't just stalk; socialize with them if you can. You get more
information by using that method.

> plant keylogger?
> pretend to be the tape storage vendor?

Are these your goals? Plant a keylogger? Why not try to get access
to the wiring closet and plant a laptop there with a sniffer, if that
is what you want to do.

> pop up ceiling tile, go over wall
> detect with ceiling motion detectors

This can be quite obvious and hazardous and might blow your cover. Do
you want to do that, or just casually observe and get it from the
drawings?
 
These are just ideas, so please don't take them the wrong way.

- ctg. -