RE: physical security pentesting procedures, tips, audit programs?

From: xyberpix (xyberpix@xyberpix.com)
Date: Sat Dec 04 2004 - 10:54:50 EST


Hi,

If by physical security, you mean "physical security" and not physical
access to computers and the like, here's what I would suggest.
Get a stack of your business cards, and then get into the hospital, pick
up a white coat from the changing room, grab a bucket and a mop from the
cleaning cupboard, and just walk around everywhere where you're not
supposed to be. Once you start getting into secured areas, where a
malicious person could do some serious damage, which in a hospital is
anywhere where a doctor or nurse would be allowed, stick a business card
somewhere out of sight, and make a note of it. Spend a few days doing
this, and people will get to know you as "the cleaner". If you get
questioned by security guards, make sure you have a decent reason for
being wherever you are, and don't come across as nervous at all. Act
like you are meant to be there, and they are interfering with your
work; you're only doing your job after all, how can they expect you to
clean places when you keep getting harassed?

In these situations image and attitude are everything; if you can be
confident about those you've got nothing to worry about. Also make sure
you have a "get out of jail" letter from one of the high-up people who
agreed to the physical security test, and carry it around with you
wherever you go, just in case someone wises up to the idea that you're
not who you say you are. Usually at hospitals this isn't an issue; so
long as you look the part, you usually get away with it.

HTH

xyberpix

On Fri, 2004-12-03 at 06:39 -0800, Vic N wrote:
> >From: marc spamcatcher <junk@zounds.net>
> >To: pen-test@securityfocus.com
> >Subject: physical security pentesting procedures, tips, audit programs?
> >Date: Wed, 1 Dec 2004 20:41:28 -0600 (CST)
> >
> >I am performing a pentest of the physical security at a hospital. Can
> >anyone offer procedures, methodologies, tips, etc on this?
>
> I'd suggest you look at the challenge from the viewpoint of an unattended
> patient left alone in an examination room. I've seen instances where IP #'s
> are plainly labelled on wireless devices in public areas (such as an ER) and
> these IP's match simple ARIN lookups (do the ARIN lookups before you go in).
> Patient rooms sometimes have multiple RJ45 jacks to secondary equipment
> networks that could easily be plugged into. While it might not grant access
> to information, gaining access to and DoS'ing a network that, say, provides
> access to vitals monitoring could be a hospital's worst nightmare (and to be
> clear, I don't recommend doing it for a pen-test!) and should make your
> client take note.
>
> In this mode, I'm sure you'll see numerous HIPAA violations with
> workstations being left unlocked too. My experience has been that you're
> not separated from your possessions even in an ER situation (it's just put
> in a bag and you hold on to it). A standard notebook w/wireless and an
> RJ-45 cable idling ready to go in a non-descript bag...
>
> If you go in as a non-critical patient needing observation and not as a
> "stranger" you're bound to be left unattended in the "hurry up and wait"
> nature of treatment and have more than a few minutes to test.
>
>

-- 
For Security and Open Source news and tips visit:
http://xyberpix.demon.co.uk
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:09 EDT