After slipping past security, picking a backdoor lock and gaining access to a company’s inner sanctum, a skilled hacker can cause mayhem. They can plant malware on a network, grab physical files and walk out the front door with a donut pilfered from the employee break room.
Meet the world of a physical penetration tester. Think of them as the real world equivalent of a white hat hacker. Their job is to test the existing physical security controls of a company, such as locks, sensors and cameras. The goal is to gain unauthorized physical access to sensitive areas that could lead to data breaches or worse.
Meet Chris Pritchard
Meet Chris Pritchard, consultant with Pen Test Partners. He works as one such physical pen tester and spends his days performing reconnaissance, scoping out entry options, and stealthily looking to physically breach organizations.
“Although lots of prep is performed before going to site, actually being flexible and confident when you arrive on site to try to get in is often the hardest challenge,” Pritchard said. “You’re facing the unknown.”
During his break-ins, Pritchard often live tweets his adventures to give the security world an idea of his job. His work should give any company that thinks its cybersecurity defenses are rock solid pause. His profession is a reminder that a company’s cybersecurity is only good as its on premise defenses.
When Things Go Wrong (or Right)
The little-known world of physical pen testing was thrust into the spotlight on Sept. 11 when Justin Wynn and Gary Demercurio were arrested and jailed for breaking into Iowa courthouse during a pen testing exercise.
The two worked for security firm Coalfire, who was hired by the Iowa Judicial Branch to ensure the court’s highly sensitive data was secured against attack. The two were given permission to follow employees into the courthouse, dumpster dive and pick locks to attempt a security breach, according to reports.
The Iowa Judicial Branch has since apologized for the incident in a statement and said that the arrest stemmed from miscommunication around “interpretations of the scope of the agreement.”
Preparing For Tasks
When a client contacts Pritchard and asks him to perform a physical pen testing engagement, the final task is always agreed upfront. “It could be, get the red folder from the finance office. Or plug in to the network and look for vulnerabilities that could compromise the company,” he said. “A physical entry attempt is rarely attempted more than twice at a site – once one has been recognized, it’s hard to get in a second time.”
The timeline of engagements varies as well. Typically, preparation before an assignment itself might take a day or two before even making an attempt at entry, Pritchard said.
Pritchard said he will first perform online research about companies. That includes making social engineering phone calls and gaining physical reconnaissance of the site from the outside. “I perform a lot of OSINT (Open Source Intelligence) to gather as much information about the company and target location as possible,” he told Threatpost. “I also perform recon on site before attempting entry.”
Social media is one way to perform social engineering. In fact, lax security training for company interns – coupled with the attachment of Generation Z to social media – is providing a lucrative opportunity for hackers to collect social engineering information about offices, such as office layout, company data, and even badge information, researchers have said.
Physical reconnaissance includes actually going to the office buildings of the client and scoping out organizations’ lay of the land itself. Things he looks for are the office building’s layout and noting what different companies are on different floors. Secondly, he notes the use of surveillance cameras in buildings and access controls on doors. Then he observes the employees, paying attention to the ID badges that employees are wearing in the building’s front entrance.
In addition, Pritchard said he will scope out other observations that may be helpful, including employee dress styles (so that he can make sure to fit in with other employees) as well as other small details like the smoking spot around a building.
Entering A Site
After researching the company and getting a lay of the land, Pritchard’s next task is to prepare for the entry itself. That includes practicing a pretext – the designated role that he will be pretending to be when entering the engagement. “It could be something as saying to yourself, ‘Hi, I’m Leon from the network team, I’m here to make the internet faster,’ to something much more complex.”
Nerves before an assignment are “natural” as well, said Pritchard – including feelings of self-doubt and questioning whether the approach will work.
I’m going to be trying a fake ID badge today that the marvelous @Yekki_1 printed for me. This isn’t an electronic clone but a visual copy. Hopefully it’s enough.
From my guided tour last night (how lucky was that!) I know where the security and reception desk is.
— Chris P (@ghostie_) September 18, 2019
The entry into buildings itself can vary from picking locks to sneaking in through already-open doors into offices. In terms of the “weak points” in security for an office building, “The biggest breakdown is usually between the building front desk and the client office: processes that are supposed to prevent unauthorised people entering aren’t enforced,” he told Threatpost. “This is particularly problematic where the client uses an office in a shared building – it’s harder to enforce controls where the front desk doesn’t work directly for your organisation. It’s also a larger problem in regional and overseas office, where there are often fewer controls and fewer people, yet just the same access to the corporate network.”
In terms of the easiest physical systems to bypass, Pritchard said poorly installed systems – from front gates to security controls – are the least challenging.
“Badly installed gates are frustrating, in that someone has put the thought and effort into putting one there in the first place, but has done a poor job,” he said. “Or places where there is heavy security controls at the front entrance, but have completely ignored the side/back entrance where all the smokers come in and out.”
Pritchard said once he gets in, he interacts with the staff as often as possible. “I don’t try to make them my best friend but if I interact with staff, it re-enforces to other staff around us that I belong, and should be there (when in reality I shouldn’t)” he said.
Once in the office, Pritchard is on the lookout for a “challenge” – when an organization employee challenges him as someone who shouldn’t be in the office, after noticing that he is an intruder.
It was just a subtle question.
One that I’d thought I’d answered well, based on their satisfied nod.
Until 3 other people came over 2 minutes later to question me further!
Proper busted 👍👍👍
When presenting a challenge, employees should pose a question to the intruder, and then try to verify the information given, or pass the information on to someone who can escort the intruder out or engage with them further.
However, the concept of challenging a possible intruder can be difficult for employees, Pritchard said, because oftentimes employees feel uncomfortable with confrontation. For employees in organizations who think they may be faced with an intruder, the key is to asking multiple questions in a non-confrontational way, he said.
“Challenges come in many different forms,” he said. “My suggestion is that no matter what you’re told, accept it, question more (in a non-aggressive way) and then go away and verify that information. The more questions asked, the more likely it is that the intruder will make a mistake. If they do slip up, you don’t necessarily need to let on, but you do need to notify the right people in your organisation ASAP.”
Interested in the role of artificial intelligence in cybersecurity, for both offense and defense? Don’t miss our free Threatpost webinar, AI and Cybersecurity: Tools, Strategy and Advice, with senior editor Tara Seals and a panel of experts. Click here to register.