The last couple of years have seen a surge of interest in penetration testing, an exercise where trained security professionals attempt to access a client’s facility to look for vulnerabilities and test the efficacy of existing security measures.
Penetration testing provides a real-world opportunity to evaluate how well an organization is protecting not only its personnel and facilities but also the sensitive information that could be exposed if a bad actor gains access. Unsurprisingly, facilities like data centers and financial institutions are most likely to recognize the value of penetration testing and proactively seek out the services of trusted security professionals.
Pinkerton has seen more than a 50% increase in penetration testing requests, with corporate clients frequently not just asking for penetration testing on one or two locations, but sometimes across a large network of sites. Some of that might be due to an increased awareness of the role of physical security in protecting sensitive assets and preventing digital crimes; however, a big factor seems to be a renewed focus on physical security prompted by the influx of employees returning to brick-and-mortar workplaces in the aftermath of the pandemic.
What does penetration testing look like? How does it work? And what are the benefits for companies that invest in professional penetration testing?
Testing processes and protocols
Most penetration testing is designed to “penetrate” the security infrastructure in place to gain access to the site and to sensitive locations and materials on the premises. Places like the IT room, data storage facility, and secure or employees-only areas are prime targets for a penetration test. Some organizations will provide the security testing team with a thumb drive or similar device to plug in when and if a secure area has been reached.
To provide realistic data, security testing needs to remain largely secretive outside of executive buy-in. Generally speaking, the fewer people who know a test is planned or underway, the better. The client typically provides the testing team with a letter of authorization and contact information for their own protection in the event they are stopped by security. A penetration test could take place over the course of a single day or be a multi-day exercise. The number of people involved varies as well, from a single individual to a team of testers.
For larger facilities with multiple buildings, floors, and entry points, a multi-day test with at least two testers is recommended. Typically, the first few days would be dedicated to detailed research and reconnaissance, and the following day would include actual attempts to enter the premises. A team of two or more testers with more time for recon often yields better results, both because they can gather more information and because two people allow for a wider range of access strategies (e.g. one person distracting a security guard while another slips in undetected).
The testing team will usually arrive early and study “patterns of life” as employees arrive for the day. Testers will observe how many employees arrive, where they park, and what entrances they use, paying close attention to the nature and rigor of security protocols. How security reacts to employees entering and exiting parking lots is a particular point of focus, and testers will observe details such as how attentive the guard is and how long it takes the parking gate to come down. Lunch hour is another important period for recon and information gathering. Testers will monitor patterns of people leaving for lunch or food deliveries arriving. How deliveries are received is especially important, as security personnel often become accustomed to food deliveries and will simply buzz drivers or delivery people right in.
A uniform provides the kind of anonymity that bad actors may be able to take advantage of. In one recent penetration test Pinkerton conducted, reconnaissance revealed a landscaping crew doing work on site. All it took to access the facility was a quick change of clothes to fit in with the landscapers and a story about leaving equipment inside, and security let the team right in.
Reconnaissance also looks for structural or site vulnerabilities like gaps in fence lines and cameras that aren’t working or are facing the wrong direction. Are emergency exits used by employees as a shortcut or for smoke breaks? Socializing with a talkative employee on a smoke break or lunch break can also provide valuable information about executives that the testing team can leverage or supplement with details gathered from social media.
Social media data mining is an extremely important part of penetration testing. Employees who post images to LinkedIn or Instagram wearing their lanyard or security badge could allow testers to recreate authentic-looking replicas that will let them walk right in.
An experienced investigator can determine what kind of network the company is using from outside the facility. In one case, that information allowed a tester to build a copy of the company website and claim he was the head of security. Showing that site to a guard was enough to get him a guided tour of the facility’s sensitive areas on a company golf cart!
Finally, the security team will compile the results of its testing and present them to the client in a post-test client meeting. That meeting will include an explanation of the testing and how it was conducted, as well as a detailed breakdown of security vulnerabilities and recommendations to address them.
Vulnerabilities and deficiencies
While every site is different, there are consistent security deficiencies and points of vulnerability that tend to recur. The most common deficiency is the employees themselves. A polite employee being helpful by holding a door open for someone pretending to be on a phone call could allow an unauthorized person to easily “tailgate” staff into a secure facility.
Another common point of vulnerability is lax security. Far too many guards are not full-time or are inexperienced due to high turnover. Routine can lull guards into inattentiveness, and a guard who is bored or on their phone is prone to mistakes and lapses in judgment. Some may not subject vendors to the appropriate level of scrutiny. Sometimes simply carrying a pizza box will let you walk right through.
Every access point should have some kind of access restriction. Anti-tailgating mechanisms are often missing, cameras frequently aren’t working, and camera networks tend to have blind spots. Often, regardless of the security apparatus, employees are the last line of defense. This is why, whether it’s steps to prevent tailgating or being more careful about what information can be gathered through social engineering, simple employee and security team training can make a huge difference. And it’s an investment that is well worth making. A gap in the fence or a gap in the security procedures doesn’t just potentially expose sensitive or valuable information; it could put the safety of your most important asset at risk: your employees.