Physical Security Assessments

Information about Physical Security Assessments

Published on December 2, 2008

Author: agent0x0

Source: slideshare.net

Description

Presentation I did for the 2007 Information Security Summit in Cleveland, Ohio on Physical Security Assessments.

Physical Security Assessments
Tom Eston, Spylogic.net

Topics
- Convergence of Physical and Logical Assessment Methodologies
- Planning the Assessment
- Team Structure
- Reconnaissance
- Penetration Phase
- Walk Through Phase
- Lessons Learned

Penetration Test Definition
- Simulate the activities of a potential intruder
- Attempt to gain access without being detected
- Gain a realistic understanding of a site’s security posture

Why conduct a physical security assessment?
- Assess the physical security of a location
- Test physical security procedures and user awareness
- Information assets can now be more valuable than physical ones (USB drives, customer info)
- Risks are changing (active shooters, disgruntled employees)
- Don’t forget! Objectives of Physical Security:
  - Human Safety
  - Confidentiality
  - Integrity
  - Availability
- Not limited by the size of an organization!

Convergence of Methodologies
- Network assessment methodology is identical (NIST 800-42):
  - Planning: Objective and Scope
  - Discovery: Remote and On-site reconnaissance
  - Attack: Penetration test and walk through
  - Reporting: Final report and lessons learned
- OSSTMM (Open Source Security Testing Methodology Manual)

The Security Map
- Visual display of the security presence
- Six sections of the OSSTMM
- Sections overlap and contain elements of all other sections
- Proper testing of any one section must include the elements of all other sections, direct or indirect
(Image: Security Map © Pete Herzog, ISECOM)

Planning the Assessment – Critical Tasks
- What are we trying to protect at the location(s)?
  - List the critical assets (these can be your objectives if applicable)
  - Rank them (high, medium, low)
- What are the threats to the location(s)?
  - Weather, fire, high crime rate, employee turnover

Planning the Assessment
- Who will conduct the assessment?
  - Third party involvement
  - Team members
- What is the scope?
  - Process and controls
  - Security awareness: is the team challenged for ID?
  - Removal of confidential customer information
  - Steal laptop, proprietary information
  - Social engineering included?
- Target selection
  - Regional location, size of facility, dates (schedule well in advance)

Planning the assessment continued…
- Escalation contact list
  - Include in the authorization to test letter
- Walk through contact (very important)
  - Facility person, security guard, department head
  - They should not know when you are on-site!
- Do not forget! The Authorization to Test Letter (aka: Get out of jail free card, literally!)

Authorization to Test Letter Example

Assessment Team Structure - Team Leader
- Identify a team leader!
  - Handles all coordination
  - Sets up meetings
  - Central point of contact for feedback and problems
  - Compiles and documents results
  - Puts together the final report
- Should be your most senior member to start out
- To avoid burnout…rotate the team leader position!

Assessment Team Structure - Team Members
- Maximum of three internal team members
  - Dependent on scope
  - Assist with all phases if required
  - Document results and observations (photos are good for keeping a log)
  - Communicate issues or problems to the team lead (cell phone required!)
- Decide on third-party involvement
  - Comfort factor
  - Anonymity of the testing team
  - $$$

Remote Reconnaissance
- Gather as much information as possible off-site!
  - Floor plans from company documents
  - Google Maps satellite views
  - Google searches for news and information about the target location(s)
  - Better yet…use Maltego! http://www.paterva.com/web/Maltego/
  - Number of employees at the location(s) and listings
  - Job functions, departments at the site (phone numbers)
  - Security guards? Armed?
  - Access Control - Card Readers? Photo ID’s?
  - Call or email the city building department for blueprints…seriously!

Maltego for Reconnaissance
- Can be used to determine the relationships and real world links between:
  - People
  - Groups of people (social networks)
  - Companies
  - Organizations
  - Web sites
  - Internet infrastructure such as:
    - Domains
    - DNS names
    - Netblocks
    - IP addresses
  - Phrases
  - Affiliations
  - Documents and files

On-site Reconnaissance
- 1/2 or 1 day is recommended for on-site recon
  - At a remote location or region? Coordinate with the pen test team the night before to discuss the recon plan
- Two team members maximum
- Ensure you have authorization to test letters in hand!
- Things to observe:
  - Building location, parking, traffic patterns
  - Employee entrance procedures (smokers area?)
  - Look for cameras and access control systems
  - After hours procedures? Are things different at night?

Penetration Test Phase
- After on-site recon, determine the plan!
- Create multiple scenarios based on your objectives
- Some examples:
  - Tailgate (easiest)
  - Look like you belong (goes great with tailgating)
  - Printer repair man
  - “I’m late for a meeting!”
  - Chat with the smokers
  - “I forgot my badge”
  - I’m here to see <INSERT NAME OF EXECUTIVE>
  - Use a business card (faked) as ID
  - Create a fake ID

Penetration Test Phase Continued…
- Take photos if you can
- Use conference rooms to your advantage
- Be prepared to be compromised
  - If you feel someone wants to challenge you…quickly turn around and walk the other way!
  - If you are asked for ID…fake it for a minute. If you think it’s over, pull out the authorization letter.
  - Be ready to make a phone call if needed
- Do not endanger yourself or others! (Beware of big dogs!)

Walk Through Phase
- Conducted after the penetration test
- Time frame depends on objectives and location
- One team member should be coordinating the walk through with the designated contact during the pen test
  - Ensure you will have someone available
  - No chance of pen test compromise
  - Be prepared to escalate to management

Walk Through Phase Continued…
- Conducted by at least two team members with the facility contact
- What are we looking for?
  - Perimeter controls
  - Confidentiality control of hard-copy data
  - Internal access controls
  - Cameras/Alarms
  - Personnel practices (security awareness)
  - Emergency procedures (evacuation)
  - Fire extinguishers (expired?)
- OSSTMM is a good place to start for creating a physical security checklist
  - No one standard, dependent on your organization

Walk Through Phase Continued…
- Ask questions! “Do you have any security concerns?”
- Take notes and pictures
  - Ask for permission prior to taking pictures
- Tell them about the penetration test
  - Prepare for “hostility”!
  - Put an awareness spin to it. “You’re not getting in trouble”
(Image: “Full Metal Jacket” © 1987 Warner Bros. Pictures)

Reporting and Lessons Learned
- Team Leader compiles notes and results from team members
- Prepare the final report ASAP
- Set up meetings shortly after the assessment with management of the facilities
  - Don’t wait too long! You will lose the effectiveness of the assessment.
  - Keep them in the loop
- Lessons learned with the assessment team!
  - Set up a meeting – include third-party if used
  - What went well? What didn’t?

Standards and Books
- OSSTMM: Open-Source Security Testing Methodology Manual, Version 2.2, http://www.isecom.org/osstmm/
- NIST 800-12 (Chapter 15 – Physical Security), http://csrc.nist.gov/publications/nistpubs/800-12/
- NIST 800-42 (Guideline on Network Security Testing), http://csrc.nist.gov/publications/nistpubs/800-42/NIST-SP800-42.pdf
- Physical Security for IT, Michael Erbschloe
- The Design and Evaluation of Physical Protection Systems, Mary Lynn Garcia
- Vulnerability Assessment of Physical Protection Systems, Mary Lynn Garcia

Questions? Email: tom@spylogic.net
