Physical Security Assessments

1
Physical Security Assessments

• Eric Hulse
• Phn1x
• SAHA 0x01

2
Physical Security

• Physical Security Assessment
• Part Of The Risk Management Process Which Tests
  Components Of Physical Security For Potential
  Vulnerabilities
• Types Of Assessments
• Black Box
• White Box

3
Benefits of Assessment

• Build and Broaden Awareness
• Establish or Evaluate Against a Baseline
• Identify Vulnerabilities
• Develop Response/Countermeasures
• Promote Action

4
Components

• Intelligence Collection
• Social Engineering
• Patience
• Dynamic Thinking

5
Legal Matters

• General Liability Insurance
• Letter Of Authorization
• Coordination
• Scope
• Rules Of Engagement

6
Gathering Information

• Dumpster Diving
• Google / Searching Engines
• Job Boards
• Company Web Site
• Social Engineering

7
Scouting

• Looking For Existing Controls
• Security Guards, Alarm Systems, Camera's
• Looking For Procedures
• Security Badges, Parking Permits, Entry and Exit
  Procedures, Formal Entry Points as well as
  Potential Entry Points.

8
OSINT

• Maps Of Area
• Google Maps, Satelite, and Now Street View
• Building Records (Blue Prints, County Records)?
• Pictures
• Personnel Lists / Employee Rosters
• Operations, Contracts or Achievements
• Other General Information

9
Initial Entry

• Many Potentials
• Job Interview
• Contractor
• Management Companies
• Walk In

10
Just Going In

• Entry Points Identified Through OSINT and
  Surveillance.
• Walk In With Morning Crowd
• Smokers
• Lunch Time
• Print Fake Badge

11
Further Intelligence

• Upon Entry
• Identify layout of Building
• Security Systems
• Wiring Closets or Coat Closets

12
Further Intelligence

• Once The Coast Is Clear Let The Pilfering Begin
• Documents and Information Of Value Should Have
  Been Identified In Scope
• Identify Documents, Notes, White Boards
• Unlocked or Un Secured Area's
• The Building Is Your Oyster

13
Potential Problems

• Small Companies
• Getting Caught
• Over Zealous Security Guards
• Bathroom Breaks
• Boredom

14
Reporting

• Reports Make Or Break Assessment
• The Report Is The Deliverable
• Highlight Positives With Negatives
• Non Attributable
• Cite Regulations
• Use Lot's Of Pictures

15
War Story
16
Questions

• Questions

17
References

• U.S Dept Of Energy VULNERABILITY ASSESSMENT AND
  SURVEY PROGRAM
• Vulnerability Assessment of Physical Protection
  Systems By Mary Lynn Garcia