In a continuing effort to provide relevant and valuable information to our clients in multiple formats, this blog brings together our Penetration Testing social media posts. Penetration tests are an important part of any comprehensive security strategy. Connect with Pinkerton’s Investigations team to learn more about pen testing and how it can help your organization.
Do you ever wonder just how secure your facility is? Well, you don’t need to wonder. There’s a way to find out.
What is a penetration test?
Penetration testing, also known as physical penetration testing or red teaming, and sometimes shortened to "pen testing", is a type of security assessment that simulates a real-world attack on a physical location and allows a low-risk learning opportunity. Physical penetration testing identifies vulnerabilities and weaknesses in the physical security of office buildings, campuses, factories, or data centers that could be exploited by an attacker to gain unauthorized access or disrupt the operations of the organization. The results can be invaluable and are intended to drive consistent security awareness and provide independent feedback.
“Most global enterprises do penetration tests,” said Joanna Paczesniak, Practice Leader, Pinkerton Global Investigations Unit. “The main ultimate goal is to penetrate the outer perimeter, including access controls measures, CCTV systems, security guarding procedures where there are weaknesses. From a physical point of view, the client wants to determine the effectiveness of these security measures and what needs to be improved. It may sound simple, but the process is quite complex.”
Who conducts penetration testing?
“Pen testing is carried out by a covert team of security experts who check an organization’s physical security measures — how they work, whether they work — to keep places, people, and assets safe,” explains Paczesniak.
It is important to note that penetration testing is only carried out with the permission of the organization being tested as part of their comprehensive security strategy.
What are the stages of a penetration test?
Broadly speaking, penetration testing is conducted in two phases: reconnaissance and the physical penetration test itself. The general scope is focused on gathering site-relevant information, discreet on-site surveillance, soft penetration attempts with minimal compromise, and finally moving through to more direct and assertive attempts to penetrate.
“Operatives stay outside the buildings during recon. It’s important for operatives not to be discovered,” says Paczesniak. “And we have the best in the industry. Our operatives are highly trained and very experienced. They are experts at going unnoticed.”
Pinkerton operatives spend hours researching and observing facilities where they will conduct physical penetration tests. Once recon is complete, the team moves to the next step in the pre-surveillance phase — developing the plan.
“Operatives also outline the different methods, and they are expected to get creative — for example, using fake employee/visitor passes, bogus appointments, or posing as delivery drivers with unordered supplies or food,” says Paczesniak. “Sometimes the plan is simply to walk into the building. Our operatives are that good.”
All actions are lawful, and the general method is always agreed upon with the client prior to the test.
“Each pen test is different. Organizations will let us know specific areas that should not be accessed. Some do not allow operatives to enter further into the offices, only pass through the first line of defense. Others may or may not allow operatives to take photos,” Paczesniak said. “However, contact with direct employees, third-party security, and general public should be realistic, respectful, and reliable.”
Then the second and final phase begins: the test.
What is the most important tool in penetration testing?
During a physical penetration test, a covert team of security experts attempts to gain unauthorized access to a facility to simulate a real-world attack on a physical location.
“Testing is only carried out under the direction of the organization being tested. We try to breach their defense. Sometimes it's easy, sometimes not,” says Paczesniak.
“An important factor in penetration testing is psychology. It is a combination of knowledge about security measures and their proper functioning, security management systems, investigative skills, creativity, and even the appearance of the operative.”
How long does a penetration test take?
Using the information obtained through social engineering and recon, operatives have one day to breach the facility. Clients expect multiple attempts to be made to gain entry to the site — not just one successful entry or one attempted entry unless the operative or operatives are compromised.
“As a rule, there is very little time to carry out the test. When implementing certain scenarios, we should remember that, in reality, bad guys spend much more time preparing unauthorized entry. Whether we are successful or not, win or fail, it’s always an added value for the client. The client has an opportunity to find out how effective its security measures are and how to improve the system,” explains Paczesniak.
What is a successful penetration test?
“When it comes to penetration testing, we prefer a team approach. It means more opportunity to be successful — or gain unauthorized access to a client facility,” says Paczesniak. “In addition to testing security personnel and security measures, we test the first line of defense, the reception desk and receptionists, who are often not trained security professionals.”
If agents are successful, they are expected to visit as many areas as possible, including sensitive areas, before being challenged or detained by on-site security or staff. At the same time, the penetration test is organized and secured in such a way as to ensure the safety of both the company and its employees as well as agents, especially in an escalating situation.
If operatives are unsuccessful, the pen test is not considered a failure. It demonstrates good security measures are in place and practiced.
“In many cases, technical measures are effective, and the company is well protected. However, the tendency toward routine, easy, and pleasant conversation, as well as the creativity of operatives, allows them to break the first line of defense relatively easily,” Paczesniak explains.
Penetration tests are an important part of any comprehensive security strategy. Connect with Pinkerton’s Investigations team to learn more about pen testing and how it can help your organization. Know your risk. Be safe.