Anatomy of a Penetration Test
I was talking the other day with a friend who works at an information security risk company. He shared with me the higher-level details of a physical penetration test he tagged along on. Where a network penetration test probes a company's systems, a physical penetration test identifies the strengths and weaknesses of a company's physical security: its doors, guards, badges, visitor procedures and the people who are supposed to enforce them.
The team of six pen testers was assembled and told to try to penetrate the target company's headquarters (an insurance business) in the early evening. Their instructions were not just to get inside but, once inside, to see how far they could get through a prepared list of target points. One tester, posing as a consultant from a company the target does business with, got in by walking up to the front desk and saying he needed some help. He said he had visited the company earlier in the day, had been upstairs in the conference room, and thought he had left his wallet on a desk where he made a phone call before leaving. The person at the front desk waved him through. He got in without even having to sign in.
Once upstairs, the first tester walked through the office areas, found an office with an unlocked door, and then called down to the front desk posing as the employee whose office he was occupying. He said two people were coming in and that they should be signed in, given visitor badges and sent upstairs to "his office." The next two testers approached the front desk and, armed with the office owner's name and phone extension plus a flash of fake IDs and business cards, were issued visitor badges, signed the visitor book and walked upstairs unescorted to join the first tester.
The other three testers, walking around the outside of the building, found an open garage door at the back, ducked inside and made their way upstairs, walking past guard stations to reach the stairs. No one questioned them as they passed.
Once upstairs, the team of six assembled, called their contact to report that they were all inside, and then spent the next hour and a half seeing how far they could get in the offices and data center areas.
Some of the testers picked locks; others checked whether computers had been left on, and one installed a rogue access point. One tester could not believe his luck when he found, lying on an open desk in an unsecured area, a printout of about 100 pages listing the user names and passwords of every employee in the company for every system in the company. It was the jackpot, the mother lode, the IT golden fleece. With it, a criminal could access everything in the company.
The lock on the data center door was picked, and team members walked into the unmanned room (there were no cameras on the entry door) and recorded the number of machines that were powered on. Using the list of user names and passwords, one team member tried to log on to a server in the data center.
Tiring of working through the items on their list, the team packed up and got ready to leave. All six went to exit the building and ran into a guard who asked them to sign out.
Ouch, I thought. Here is where he's going to tell me they got caught. But no, they talked their way through this one by saying that the four without badges had walked in while there was no one at the front desk, so they had gone on upstairs. The guard seemed to buy the explanation and said that next time they must be sure to sign in and get a visitor's badge.
I asked if all of this really happened. My friend said yes; he even videotaped everything the team managed to accomplish in the time they were there. Luckily for the target company, that video will never make it onto YouTube.
Every control the team defeated was a process failure rather than a technology failure: a receptionist who waved through an unverified visitor, a front desk that treated an internal phone call as authorization, an unattended garage door, guards who did not challenge unfamiliar faces, a data center with no camera on its door, and a password list left on a desk. I imagine the scrutiny of training, procedures and processes surrounding physical security at the target company increased dramatically after my friend's video was shown to its senior management team.
So, your homework assignment as a financial institution is to determine what would happen at your institution if this pen test team came to call.