Home page logo

pen-test logo Penetration Testing mailing list archives

Re: pentest physical security
From: nospam () nospam org
Date: 2 Aug 2006 13:28:46 -0000

From a high level, you will be testing two areas most likely:

1) Physical Security controls (the actual devices) and 
2) Implementation of physical security controls (how the devices are implemented as well as physical security policies 
and procedures)

Generally speaking, these controls (e.g., fences, cameras, biometrics, card scanners, man traps, etc.) form are or are 
part of a "secure" perimeter that protects an area to which access is restricted.

The object of a physical security penetration test is to gain access to the secured area while noting flaws in the 
system, procedures and/or how procedures are followed. There are several ways of doing this:

A. Exploiting a flaw in the security control or implementation thereof. For example a control is set to fail open 
instead of closed. Or my favorite, over sensitive motion sensors that actively control door locks.
B.Bypassing or disabling the control. One should be wary of disabling any controls as this could damage customer 
C. Exploiting the weakest link in the chain, which is generally the human factor. 

This is not an exhaustive list by any means, but gives some ideas. Obviously the client may want to limit your 
methodologies based upon the agreed scope of the test.

Hope this helps.

This List Sponsored by: Cenzic

Concerned about Web Application Security? 
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's 
Choice Award from eWeek. As attacks through web applications continue to rise, 
you need to proactively protect your applications from hackers. Cenzic has the 
most comprehensive solutions to meet your application security penetration 
testing and vulnerability management needs. You have an option to go with a 
managed service (Cenzic ClickToSecure) or an enterprise software 
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can 
help you: http://www.cenzic.com/news_events/wpappsec.php 
And, now for a limited time we can do a FREE audit for you to confirm your 
results from other product. Contact us at request () cenzic com for details.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]