
Most organisations take a standard approach to penetration testing each year to satisfy their organisational and compliance requirements. More often than not, this means standard systems and infrastructure testing, such as external networks, internal networks and devices, and cloud services, and sometimes includes wireless testing and social engineering attacks such as phishing and vishing. It covers the main areas that most auditors and insurance companies will be looking at, but what about the less common areas that organisations typically miss?
Organisations often overlook areas such as physical security testing, advanced social engineering attacks, wireless network security, and insider threats, to name just a few.
The team at Nexon is often engaged by organisations to perform advanced threat emulation attacks, such as physical access testing. Essentially, a physical access test evaluates an adversary’s ability to gain physical entry into your office or business locations. You can have the toughest security controls in the world protecting your network, but if an adversary can walk in and plug a device into a network point, it potentially defeats all of those controls. We know that humans are often the weakest link: most employee training focuses on electronic threats and rarely covers physical attacks of this kind.
Why Including Physical Penetration Testing in Your Annual Security Regime is Crucial: A 4-Stage Approach
A physical penetration test typically consists of a 4-stage approach:
Reconnaissance / Preparation
In this phase, our team will perform reconnaissance or Open-Source Intelligence Gathering (OSINT) from the internet to fingerprint and gain insight into:
- Which staff members are potential avenues?
- What locations does the organisation have?
- Do recent case studies mention their location, contracts, or technologies?
- What is posted to social media?
- Are there pictures online showing uniforms or lanyards that can be imitated?
Our team will look for anything that we can use to build a successful scenario.
Pre-staging and Laying Groundwork
Next, once our team has the scenario, we pre-stage and generate any props needed for a successful entry. This can start simply by:
- Viewing locations with Google Images to identify information on their physical security (such as prox card readers, gates, etc.), then sending a tester to the site to physically scout the location over one or multiple days.
- Observing the comings and goings throughout the day.
- Noting what uniforms people are wearing.
- Determining what time staff arrive and leave for the day.
- Identifying when employees take smoking breaks or go for a coffee.
- Seeing if large groups go to lunch each day, allowing us to tailgate in with them.
- Noting what sort of deliveries arrive.
After this pre-staging, our team can then look to purchase uniforms and other equipment to ensure that our scenario is completely believable. On most engagements, if we have a uniform and lanyard that match everyone else’s, it’s a no-questions-asked way in. If, for example, our team is using a delivery scenario, we will arrange goods for the tester to deliver.
We might also contact the receptionists or other key staff members to make our scenario more believable. For instance, before the tester arrives on-site, we might call the company and say that we have an electrical test-and-tag person coming on a specific day, providing their name and requesting access. Sometimes, telling them that someone is coming and dropping names can be just as effective as not telling them at all.
Our team has also used voice synthesis and deepfakes on engagements: taking a video of the CEO or similar online content, recreating their voice in a scripted recording, and then making a call or sending a fake voicemail email with the recording attached to an unsuspecting victim to make the scenario seem more legitimate.
As part of this pre-staging process, our team will schedule a date and require certain documents to be provided by the client to our tester, as well as contact details that the tester will be armed with on the day, in case they are caught or run into another challenge.
Execution
When the testing day arrives, our testers execute the scenario using a variety of social engineering and coercion tactics that we have honed over many years of experience performing these types of engagements. An end-marker will be pre-arranged with the client, whether it be to access someone’s machine, open a Word document and take a photo, plug in a call-home device (such as a USB key), or simply take photos of the physical location where access was obtained.
Reporting
Our testers will take numerous photos and potentially video footage during execution to provide proof of access, as well as document any instances where they were stopped or questioned and any observed lapses in security procedures by staff members. Our findings then equip the organisation with practical security processes and controls that it can adopt to prevent similar attacks.
Real-Life Example: How Physical Testing is Performed in Action
Here is an example of an engagement we have performed, and the stages used to gain unauthorised access.
Reconnaissance: Social posts are a great way into an organisation. For this example, an organisation promoting Australia’s Biggest Morning Tea in support of the Cancer Council of Australia is used.
Pre-staging and Groundwork: The names of the CEO, senior leadership team (SLT), and marketing executives can easily be located online through various tools. A simple call to the reception of an organisation promoting Australia’s Biggest Morning Tea is the entry point. Calling from ‘Daniels Donuts’ and stating that the CEO has arranged for donuts to be delivered for the Biggest Morning Tea event sets the stage. Confirm the time of arrival and request to take the donuts directly to the boardroom due to the large number of boxes. To match the uniform design, locate photos online from previous events and produce T-shirts with a similar logo.
End-Marker: The end-marker provided by the client was to plug in a USB device facilitating remote access or to access an already logged-in workstation.
Execution: Upon arrival, the tester is warmly welcomed at reception and led to the boardroom with the donuts. On the way, they notice an unattended PC in a cubicle. After placing the donut boxes on the desk, the tester asks the receptionist for help carrying them. While the receptionist’s back is turned, the tester swiftly inserts a USB device into the PC. After delivering the donuts, the tester retrieves the USB device and exits, verifying the callback to the command and control (C2) servers from a safe distance.
As the scenario above demonstrates, lapses in physical security policies can easily become entry points into an organisation’s network. Our proven experience and 98% success rate in exploiting these easily accessible entries highlight the importance of comprehensive penetration testing, including physical testing.
In today’s hybrid workplace, where staff might not know everyone and often rely on a brand, T-shirt, or reference to a colleague as confirmation of employment, the need for thorough physical security assessments is more critical than ever.
So, why not include physical testing in your next penetration testing exercise? Ensure your organisation’s security is robust and comprehensive.
Learn more about our proven experience, expertise, and capabilities as a CREST-Certified provider here. Alternatively, send an enquiry to pentestenquiries@corp.nexon.com.au