CompTIA PenTest+ Chapter 3 Section 3.6 , Summarise physical security attacks related to facilities.

All throughout this course we have only been considering the virtual, software-based approaches, but this is where we direct our attention to the physical side of a pen test. This involves looking at the facilities themselves: how we could break into offices, what the security at the office doors is like, whether IDs are required, and so on.

This chapter can teach you things which may break corporate property, such as door locks or sensors, so it is very important that you get an agreement with your client beforehand specifying exactly what they want you to test and that you have permission to conduct those experiments. It is unlikely that you would actually break anything, but how destructive the test is allowed to be should match the threat level the client wants to simulate; there have been tests on military bases where the client wanted to see whether the testers could bust through a wall!

Most of a physical penetration test is actually documentation: the pre-engagement documentation stating the tasks, the documentation kept during the test noting all progress and discoveries, and the post-test documentation which presents the results of the work.

Common Terms

  • Target. This is an incredibly broad term; it is merely the object being tested. So it could be:
    • Employees / Staff
    • A section of the building
    • Particular room
    • Machines
    • Network
    • Other systems such as sensors. If in a factory it could be messing with a particular process.
  • Scope. This defines the devices, areas and time of attack that our engagement will be conducted in and around. Together with the constraints on how the test is carried out it forms the Rules of Engagement (RoE). These need formal agreement between client and tester, but over the course of the test they can change (with approval from all parties). Questions that often come up are:
    • What assets to test?
    • What length of time ?
    • Security clearances ?
    • When is the test finished?
    • When is it time for the report?
  • Goals. These are the key points of a test, the things we want to achieve from it. Usually set by the organisation; a goal could be “Our biometric sensors shouldn’t accept any input other than an employee’s actual fingerprint”, and we would go about testing whether that is true. Another goal could be to see whether the tester can steal a laptop from the office, in which case the tester would set smaller sub-goals to achieve that.
  • Assets. Something of value, like the laptop above; goals can be oriented around protecting particular assets. Physical assets could be documents or machines, whereas the assets we have been used to are things like databases, root access, etc.
  • Teams. There can be a few teams that make up the physical penetration testing team. The types of teams include:
    • Planning team. These would be doing the work of documenting and assembling a plan of attack.
    • Operating team. This is the team which goes to the site and performs the tests.
    • Support team. Supports the operating team through some line of communication, for help such as getting past a particular safe.
  • Security posture. This is an assessment of the level of security of the target. We would be looking for security staff, security systems such as CCTV, and physical controls such as strong locks, mantraps, etc.

Understanding the threats to this target

Threats can include

  • Espionage. This is where information or intellectual property is stolen from the organisation; the people trying to acquire it could be competing companies or nation states.
  • Sabotage could be done by employees, third-party companies or customers.
  • Theft.
  • Destruction

We need to understand what the target prioritises most, which could be based on their assets, their industry and what they value; the tests must then be able to verify the protection of those things.

As with any type of penetration test, it is immensely important that you understand the cyber security laws of the country your client operates in, as the last thing you want is to end up in prison. The contractual agreements the client makes cannot break any industrial, national or international laws either, which is why involving a lawyer is a good way to avoid all these problems.

You will almost always be asked by the client to show some sort of security clearance, which is usually established when you join a company, but legal obligations have to be met on both sides. We have to be trustworthy enough to show a company we won’t run off with their secrets, and we should make it clear we have the training to properly handle the cases where we unearth sensitive data.

The Information Gathering Phase

  • Company websites, DNS to show geo-locations
  • Social media
  • OSINT
  • HUMINT. Intelligence gathered via humans - extracted via social engineering.
  • IMINT. This stands for Imagery Intelligence and it is to do with gathering data from satellite photography, aerial photos - from a range of sources to narrow down the location of the target, the building etc.

It’s time to build a plan. We will need a strategy based on the goals set by the company. By outlining our operations we can also work out what contingencies we need to plan for: maybe a team member gets hurt trying to climb that fence, maybe our tests to bypass sensors won’t work; what then?

Then it is time to collect the equipment we need. Basics would include a camera, lockpicks and a drone.

Assemble an operations team, each member having expertise in different areas, ideally aligning the tasks with their competencies. The leader is responsible for orchestrating the test and ensuring the team members follow the plan and complete their assignments. There can also be a leader in the support team or off-site who is pulling the strings, but for the majority of operations the leader is in the thick of it.

A coordinator is someone who assists the team with whatever is needed. They could:

  • Perform additional social engineering
  • Research things during the operation
  • Answer legal questions

An ethical hacker accompanies the physical testing team and will try to access computers and networks, breaching the machines in the server room or office they break into.

Often we will need an expert in physical systems such as locks, sensors, biometric doors, etc.

A surveillance specialist, who watches the security guards, patrol patterns, etc.

A social engineer to manipulate and deceive targets, who understands how people operate socially and how to take advantage of that.

Passive versus Active Reconnaissance

Passive recon is reconnaissance against a target which should go unnoticed and shouldn’t be traceable back to us, such as looking at a company’s Twitter page or going through Google search results. Active reconnaissance can be noticed by the target, as there is no intermediary layer protecting us: we are directly interacting with the target and making connections which can be traced back to the pen tester.

A good thing to try at the start of a test is to look the building up on Google Maps, or use Google Earth Pro for more detailed imagery.

Electronic Surveillance

This is where we use cameras, microphones and other devices to gather data about the target. We could drive by and record for a couple of hours, or we could attach a microphone at a particular spot (inside the reception would be a bold choice).

Equipment

There is a core set of equipment that applies across pretty much all physical penetration tests, but each client’s needs are different and there is a degree of alteration from test to test. For example, practically every test will involve a lock of some kind, so lockpick tools become very handy.

This is why having specialists is so important, as we can replace general tools with ones which target the client’s specific controls.

Bypass tools

Getting around barriers such as

  • Locks
  • Doors
  • Sensors
  • Barriers
  • Access controls

For getting around doors, often you will be exploiting the small gap under the door: sliding a wire underneath which, once stood up on the inside, can be pulled down on the lever handle. There is a similar tool for doors with knobs.

The other type of tool is a shim, which can be slid into the gap between the door and the frame next to the latch, similar to sliding in a credit card. We can buy a set of shims of different thicknesses and try opening the door this way.

Other bypass tools include:

  • The Double Door Tool
  • Key card copiers, for cards like those used in hotels
  • Quick-gems, which can open doors
  • A collection of skeleton keys which we can build up to produce the right warding on the key
  • Thumb-turn bypass tool
  • Bump keys
  • RFID cloners
  • Wireless camera scanners to intercept video feeds, and radio scanners

Specialised tools

  • Keyloggers. If we see that employees have PCs set up, we can unplug the keyboard’s USB cable from the PC, plug it into our hardware keylogger, and plug the keylogger into the PC; it passes the keyboard through and disguises the fact it is attached at all. Hopefully you got the same colour as the keyboard cord, which is almost always black. It would be very difficult to spot for someone who just does their normal day-to-day work, all the while it is harvesting thousands of lines of text. A basic one doesn’t relay the data back to the attacker, so it has to be left on the victim computer and retrieved later.
  • Capture network traffic
  • Capture wireless traffic
  • Perform automated attacks.

Network implants are devices designed to be installed on the network to capture traffic and relay it to the attacker, for example the LAN Turtle.

The Wi-Fi Pineapple is a device which automates wireless attacks. It can be used for MITM attacks, spoofing access points, capturing credentials and deauthenticating users.

USB attack tools like the USB Rubber Ducky run scripts instantly when inserted into a computer. These run extremely fast, so we can get in and out in an instant. They present themselves to the operating system as a keyboard (a HID device), which is trusted and loaded automatically without extra drivers, so they may bypass controls that only block USB storage. The Bash Bunny is a similar, more capable tool.

Kali also comes on smartphones as NetHunter, which makes our attackers a lot less conspicuous. These have specialised apps and hacking tools with similar power to a laptop.
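As an added example (not from the course notes), the following Python script is the check a defender would run against the devices described above: it scans Linux kernel log lines for USB devices that enumerate as HID keyboards and flags any whose vendor/product ID is not on an allowlist, because a Rubber Ducky or Bash Bunny looks to the host like just another keyboard. The log lines are constructed for this example, and the IDs abcd:0001 (the “corporate keyboard”) and dead:beef (the unknown device) are placeholders, not real products.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# Matches the line the Linux HID core logs when a USB device exposes a keyboard interface.
HID_KEYBOARD = re.compile(
    r"^\[\s*(?P<ts>\d+\.\d+)\]\s+hid-generic\s+0003:(?P<vid>[0-9A-Fa-f]{4}):(?P<pid>[0-9A-Fa-f]{4})\.\d+:"
    r".*USB HID v[\d.]+ Keyboard \[(?P<name>[^\]]*)\]"
)

# Placeholder identifier for the corporate-issued keyboard model (assumed, not a real product).
ALLOWED_KEYBOARDS: Set[Tuple[str, str]] = {("abcd", "0001")}

# Constructed kernel log excerpt: the normal keyboard at boot, then an unknown
# keyboard-class device (dead:beef, placeholder ID) plugged in about 80 minutes later.
SAMPLE_DMESG = """\
[   12.001234] usb 1-3: new full-speed USB device number 3 using xhci_hcd
[   12.150000] usb 1-3: New USB device found, idVendor=abcd, idProduct=0001, bcdDevice= 1.00
[   12.301000] hid-generic 0003:ABCD:0001.0001: input,hidraw0: USB HID v1.10 Keyboard [Corp Keyboard] on usb-0000:00:14.0-3/input0
[ 4810.220000] usb 1-4: new full-speed USB device number 4 using xhci_hcd
[ 4810.370000] usb 1-4: New USB device found, idVendor=dead, idProduct=beef, bcdDevice= 1.00
[ 4810.520000] hid-generic 0003:DEAD:BEEF.0002: input,hidraw1: USB HID v1.11 Keyboard [HID Keyboard] on usb-0000:00:14.0-4/input0
[ 4810.600000] hid-generic 0003:DEAD:BEEF.0003: input,hidraw2: USB HID v1.11 Mouse [HID Keyboard] on usb-0000:00:14.0-4/input1
"""


@dataclass
class Alert:
    ts: float
    vid: str
    pid: str
    name: str
    reason: str


def find_rogue_keyboards(lines: Iterable[str],
                         allowed: Set[Tuple[str, str]] = ALLOWED_KEYBOARDS) -> List[Alert]:
    """Return one Alert per keyboard-class USB device whose VID:PID is not allowlisted.

    Only the keyboard interface is matched: a keystroke-injection device is a keyboard
    as far as the host is concerned, whatever its plastic looks like.
    """
    alerts: List[Alert] = []
    for line in lines:
        m = HID_KEYBOARD.search(line)
        if not m:
            continue
        vid, pid = m["vid"].lower(), m["pid"].lower()
        if (vid, pid) not in allowed:
            alerts.append(Alert(float(m["ts"]), vid, pid, m["name"],
                                "keyboard-class USB device not on allowlist"))
    return alerts


if __name__ == "__main__":
    for a in find_rogue_keyboards(SAMPLE_DMESG.splitlines()):
        print(f"t={a.ts:.3f}s {a.vid}:{a.pid} '{a.name}': {a.reason}")
```

An allowlist on VID:PID is a weak control on its own (the IDs a device reports are entirely under its own control), but it is cheap, and the timing of the event is the useful signal: a new keyboard appearing on a workstation hours after boot is exactly what a drop-by USB attack looks like.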

Get-out-of-jail free cards

Official signed documents that we keep on us in case we are caught, stating that the testers are authorised. Contact information and company details should be included to allow the total custody time to be lessened.

Types of locks

This is where we manage to open a lock without using the actual key. To do this we have to think about what a lock actually is and how it is designed. The aim is to allow only one key, which only the owner should have; the cuts made to the key form a unique pattern of peaks and troughs which correspond to the lock. More specifically, when you put the key into the keyway of the plug (the cylinder which rotates), it lifts a series of key pins, which in turn push up the driver pins sitting above them, as seen here

diagram-of-key-in-lock

The bottoms of the driver pins should all line up exactly on the shear line when the right key is inserted; this means no pin straddles the shear line to stop the plug from turning and opening the lock. When there is no key in the lock, the springs push the driver pins down into the plug, crossing the shear line at different heights in each chamber. The manufacturer sets specific lengths for all the pins, and thus a key needs the correct series of cuts to push every pin stack to exactly the shear line when inserted.

Before the key is inserted

before-key-is-put-in

Then they line up

lining-up-the-pins

Which allows us to turn the plug, and hence the lock is no longer holding. When people try to push against a door to break the pins inside, they don’t realise they have to get through the shell of the lock and the plug which holds all those pins. It’s much easier, though a bit fiddly, to use a lockpick to mimic the key.

lock-is-opened

Tubular locks

There are tubular locks which look like this

tubular-locks

The same concept of key pins (red) and driver pins (blue) applies. The key pins are so called because they contact the key, which positions them to align the drivers. Here, though, the pin stacks are spread out around the face of the tube.

tubular-lock-is-in

The same alignment happens , raising the driver pins to the shear line and allowing us to turn the lock.

turning-tubular-lock

Wafer Locks

Usually seen on filing cabinets, these require the key to slide in and lift flat wafers into place

wafer-locks

These are easier to pick as they have fewer, simpler elements: a single flat key lifts the wafers, rather than a stack of pins at each position.

Combination locks / dials

These have rotating discs which need to line up; there is a gap (gate) in each disc into which the bar (fence) holding the lock’s tension drops to release the lock

dial-combination-locks

You can see that the first disc’s gate has been brought into place, usually by turning the dial clockwise. Then for the second we turn anticlockwise, then for the third clockwise again, and so on, until it looks like this

now-the-bar-can-drop

Now the bar will drop, the weight underneath will come forward and release the tension, allowing you to turn and open.

Electronic Locks

These don’t use the age-old pin design but operate with combinations and use smartphones, badges, sensor triggers and other methods. This may be where an ethical hacker comes in, but a physical penetration tester can still cut the lock’s power, which on a fail-safe lock releases it and the door opens (as in a fire, where you want the door to open). Locks on things like server rooms are usually fail-secure instead: on loss of power they stay locked, on the assumption that nobody is in the room and the servers should remain enclosed until maintenance arrives.

Picking locks

The goal is to take our pick and push the driver pins clear of the shear line by lifting the key pins by a certain amount. Pins can be picked one at a time or many at once, but as the required height is different at each position, if you’re a beginner take it one pin at a time.

pushing-driver-pins-clear

The item below is the tension wrench, which is the thing you’ll rotate to open the lock when you think the pins are in the right place. You’ll be continuously applying a little pressure on the tension wrench, and it will tell you about your progress.

different-tension-wrenches

The first three are the standard ones which we put in at the bottom of the keyway; in the event we can’t do that, the fourth one goes in through the top. You will need to carry different widths and thicknesses so that you can find which one provides the right amount of tension for that lock. You can tell a tension wrench is working when, with little force, the plug begins to move slightly in response.

By keeping light turning pressure on the wrench as we work, the plug holds in place the pins we have moved past the shear line; if we release the wrench during the operation, the plug returns to its base position and the driver pins fall back.

This is the first thing you want to get right before fiddling with lockpicks. Speaking of which, these are the different options.

the-lockpicks-themselves

  • The first two are called diamond picks and are used for a technique called scrubbing, which is the rapid application of pressure along the pins to push them up while applying pressure with the tension wrench. Work on your technique for pushing the pins and stay calm: don’t have your shoulder and elbow wobbling around, keep it to your wrist and fingers. Also, the only thing that should be moving pins is the pick tip itself.
  • The third and fourth picks are single-hook picks, which are for manipulating one pin at a time. This is obviously a lot more time-consuming but will work on a greater number of locks.
  • The remaining picks are called waves or snakes and are used for raking. The waves and bumps on these picks try to set many pins at once; by positioning the pick at different points so a particular groove interacts with a particular pin, we also build a mental image of the internal design.

When single-pin picking, you will find that the pins set in a particular order, for example the second pin, then the fifth, then the first. This order comes from the manufacturing tolerances of the chambers: the pin that binds first under tension must be picked first. Obviously you won’t know the order at the start, so you’re feeling for distinct clicks as you run through each pin to find which ones have set past the shear line. So try each one, keep pressure on the tension wrench and keep an ear out for those clicks.

This is why you might decide to go for the snakes: we can scrub (jiggle the pick in the lock) and test all the pins at once, applying enough force to push them all up without caring about order. On weak locks that are vulnerable to this method, rake picks can open them very quickly.
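To make the pin-tumbler mechanism and the picking order above concrete, here is a toy simulation added to these notes (it is not part of the course material). It models key pins, driver pins and the shear line in arbitrary units, checks whether a given bitting turns the plug, derives the single-pin picking order from an assumed per-chamber machining offset, and shows two things covered in the questions further down: a bump key (every cut at maximum depth) aligns nothing on its own, and a comb pick only works when the chambers are drilled deep enough to swallow a whole pin stack above the shear line. The pin lengths, chamber depth and offsets are all assumptions of the model, not measurements of any real lock.

```python
from dataclasses import dataclass
from typing import List, Optional

MAX_CUT = 9        # deepest possible key cut; a "999" bump key is MAX_CUT in every position
SHEAR_LINE = 10    # height at which the plug meets the housing (arbitrary units)


def lift(cut: int) -> int:
    """How high a key cut pushes the bottom of the key pin (shallow cut = high lift)."""
    if not 0 <= cut <= MAX_CUT:
        raise ValueError(f"cut {cut} out of range 0..{MAX_CUT}")
    return MAX_CUT - cut


@dataclass
class Lock:
    key_pins: List[int]        # length of the key (bottom) pin in each chamber
    driver_pins: List[int]     # length of the driver (top) pin in each chamber
    chamber_ceiling: int       # how far above the plug's centre each chamber is drilled (assumed)
    chamber_offset: List[int]  # machining error per chamber; drives the binding order (assumed)


def make_lock(bitting: List[int], driver_len: int = 6, chamber_ceiling: int = 20,
              chamber_offset: Optional[List[int]] = None) -> Lock:
    """Pin the lock so that `bitting` puts every key-pin/driver-pin gap exactly on the shear line."""
    key_pins = [SHEAR_LINE - lift(c) for c in bitting]
    return Lock(key_pins, [driver_len] * len(bitting), chamber_ceiling,
                chamber_offset or [0] * len(bitting))


def gap_heights(lock: Lock, key: List[int]) -> List[int]:
    """Height of the key-pin/driver-pin boundary in each chamber with `key` inserted."""
    if len(key) != len(lock.key_pins):
        raise ValueError("key has the wrong number of cuts for this lock")
    return [lift(c) + k for c, k in zip(key, lock.key_pins)]


def plug_turns(lock: Lock, key: List[int]) -> bool:
    """The plug rotates only if no pin straddles the shear line in any chamber."""
    return all(h == SHEAR_LINE for h in gap_heights(lock, key))


def bump_key(lock: Lock) -> List[int]:
    """A bump key is cut to MAX_CUT everywhere: statically it leaves every stack low,
    and only the hammer's impulse makes the driver pins jump clear of the shear line."""
    return [MAX_CUT] * len(lock.key_pins)


def binding_order(lock: Lock) -> List[int]:
    """Single-pin picking order: under tension the chamber furthest off-centre binds first."""
    return sorted(range(len(lock.key_pins)),
                  key=lambda i: (-lock.chamber_offset[i], i))


def comb_attack(lock: Lock) -> bool:
    """A comb pick lifts each whole stack into the housing. It works only if the chamber is
    drilled deep enough to hold key pin + driver pin entirely above the shear line
    (spring compression is ignored in this model)."""
    room = lock.chamber_ceiling - SHEAR_LINE
    return all(k + d <= room for k, d in zip(lock.key_pins, lock.driver_pins))


if __name__ == "__main__":
    bitting = [3, 5, 1, 6, 2]
    lock = make_lock(bitting, chamber_offset=[1, 4, 0, 2, 3])
    print("correct key opens:", plug_turns(lock, bitting))
    print("one cut off opens:", plug_turns(lock, [3, 5, 1, 6, 3]))
    print("bump key (no impulse) opens:", plug_turns(lock, bump_key(lock)))
    print("pick chambers in this order:", binding_order(lock))
    print("comb works on this lock:", comb_attack(lock))
    print("comb works on an over-drilled lock:", comb_attack(make_lock(bitting, chamber_ceiling=30)))
```

The model is deliberately rigid (integer heights, one binding pin at a time); real locks have slop in every dimension, which is exactly what gives false sets and what security pins exploit.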

Security pins

This is where the conventional, smooth driver pin is replaced by one with a spool, serrated or mushroom profile which catches at the shear line, making it harder to push up cleanly. They make a lock harder to single-pin pick and much harder to rake.

These are the different types of security pin you might come across

different-security-pins

This is what is supposed to happen when someone tries to pick away at it…

security-pins

Sometimes a lock will have more than one type of security pin , so be patient when some fall back down as you’re trying to grapple with the next type !

Questions

  • What is the name of the tool which is used to apply torque to the core of a lock when picking? Tension wrench.
  • What is the term used for picking a single pin at a time? Single pin picking.
  • What is the term used when you try to randomly set pins? Raking.
  • This type of pick profile is usually used when single pin picking. Hook.
  • When single pin picking, this term refers to when you feel like you have set a pin and the core rotates slightly? False Set.
  • What non-shimmable elements do padlocks use to keep the shackle in place? Ball bearings.
  • What is the piece that allows locking lugs to retract when the core is turned? Actuator.
  • What piece of a standard door latch should remain completely depressed when the door is closed to prevent slipping of the latch? Dead latch.
  • What is the locking mechanism that has a bolt which protrudes into the frame of the door preventing it from opening? Deadbolt.
  • What bypass method uses a key cut to the lowest depths and kinetic energy to bounce the driver pins above the shear line and allow a lock to be opened? Bumping.
  • Locks which have spring loaded locking lugs can be opened by tapping a hammer on the side of the lock. What is this attack method called? Rapping.
  • What type of pick takes advantage of lazy manufacturing practices by lifting all the key pins and driver pins above the shear line to bypass a lock? Comb.

For more information on dead latches and deadbolts see here.

Bypassing Tools and Strategies

Over the course of our penetration test there will be a variety of obstacles we need to bypass, and while there are several ways to do it we need to know which specialised tools to bring, as space is limited.

Door bypass tools

Gaps can exist at the bottom or the sides of doors. Under-the-door tools (UTDs) normally work on interior doors, as the door needs to be openable from the inside by its lever or knob; otherwise there is no point reaching through to pull it (this is the premise of UTDs). UTDs for knobs are called Mule tools, whereas the newer tool for levers is called the Modern Under-the-Door tool.

Door shimming tools work on the gap near the latch. The shim pushes the latch back into the door and allows it to open, so the door must be held only by the latch (not deadbolted). There are shims of different shapes, sizes and thicknesses, in plastic or metal.

The next door bypass is the crash bar tool or double-door tool (DDT), which works on two doors hung side by side and fitted with a crash (push) bar; this is a generic double door with a crash bar

generic-double-door

The DDT slides into the gap in the middle, then we rotate it around 90 degrees so that the curved end hooks over the bar (on the inside of the building), and then we pull down and hopefully the door unlocks. If you went to a nightclub and wanted to get in from the back, you could try this…

Thumb-turn bypass tools also work on double doors, but these look like this on the inside:

thumbturn-lock-from-inside

This is the part you would turn with finger and thumb to lock the door, so the tool we use needs to be able to hook onto and rotate it.

Lock bypass tools

The first method is key bumping, where we take a bump key, cut to the deepest depth at every position, and combine it with a bump hammer which taps the key once it has been slid in, jolting all the pin stacks up in one motion. Combined with light turning pressure on the plug, the lock should open if we hit it right and all the driver pins momentarily jump above the shear line.

If you don’t want to use the bump key and hammer combination you can use a pick gun (also called a snap gun or bump gun), which does the same thing. Attach a tip to the gun which resembles a rake pick and insert it into the lock; you can set the amount of force the gun strikes with to match the lock. Pull the trigger and you should hear the pins click up…

Padlock shims are thin pieces of metal that can be placed into the shackle hole like so

padlock-shim

The thinner end goes down and sits in the gap between the shackle and the body as best it can; then we grab the two tabs, twist and push until we hear the locking mechanism click out. Then repeat on the other side of the shackle. The shims below are all different sizes so we can find the perfect match.

Multi-dial combination locks can be decoded by sticking a thin piece of metal into the gap beside each dial and feeling for the gate which indicates that number has lined up with the shackle. Repeat this for every dial and we should be able to open it.

Warded keys

Wafer keys

Sensor Bypass methods

  • Cut power
  • Improperly placed sensors: if they are set too high, the attacker can move around by crawling underneath them.
  • Enter before they are armed
  • Block sensors with something
  • Trip sensors to make them appear like they are malfunctioning.
  • We can blow smoke or canned air into the sensor’s field to make it seem like someone is approaching. This works on a Request to Exit (REX) sensor, which is a passive infrared sensor looking for changes in temperature to detect motion. Other sensors may use light.
  • We could slide a tape measure under the door and lift it up toward the sensor and trigger it to allow us in.

Bypass badge access controls

It would help if we knew what the badge looked like, which we would hope to find through information gathering, on-site visits, etc. After we have researched the badge’s appearance and what type it is, we need to figure out the best way to clone one.

Some are simple printed templates, laminated, which get “checked” by half-awake security guards. Others have an RFID chip in them. There are PVC cards, ones with barcodes, etc.

We can buy an RFID cloner which reads the chip and saves the code; with that same device we walk up to the door, press the button and voila!
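For context on why the cloner works, here is an added example (not from the notes) in Python that encodes and decodes the 26-bit Wiegand payload (HID’s H10301 format) carried by the most common low-frequency prox badges. It assumes the target’s badges use that format; facility code 42 and card number 1234 are made-up values. The payload is only a facility code, a card number and two parity bits, with no key or challenge, so whatever a reader accepts from the real badge it accepts equally from a replay of the same bits.

```python
from typing import List, Tuple

FORMAT_BITS = 26  # H10301: 1 even-parity bit + 8-bit facility + 16-bit card + 1 odd-parity bit


def parity_bit(bits: str, odd: bool) -> str:
    """Parity bit that gives `bits` plus itself odd (or even) weight."""
    ones = bits.count("1")
    return str((ones + 1) % 2) if odd else str(ones % 2)


def encode_h10301(facility: int, card: int) -> str:
    """Bit stream a reader receives from a badge holding this facility code and card number."""
    if not 0 <= facility <= 0xFF:
        raise ValueError("facility code must fit in 8 bits")
    if not 0 <= card <= 0xFFFF:
        raise ValueError("card number must fit in 16 bits")
    data = f"{facility:08b}{card:016b}"  # 24 data bits, most significant first
    # Leading bit: even parity over the first 12 data bits; trailing bit: odd parity over the last 12.
    return parity_bit(data[:12], odd=False) + data + parity_bit(data[12:], odd=True)


def is_valid_stream(bits: str) -> bool:
    """True if `bits` is 26 binary digits with both parity bits correct."""
    if len(bits) != FORMAT_BITS or set(bits) - {"0", "1"}:
        return False
    data = bits[1:25]
    return (bits[0] == parity_bit(data[:12], odd=False)
            and bits[25] == parity_bit(data[12:], odd=True))


def decode_h10301(bits: str) -> Tuple[int, int]:
    """Recover (facility, card) from a captured stream; a corrupt or truncated read fails parity."""
    if not is_valid_stream(bits):
        raise ValueError("not a well-formed 26-bit Wiegand stream")
    data = bits[1:25]
    return int(data[:8], 2), int(data[8:], 2)


def sibling_cards(captured: str, span: int) -> List[str]:
    """Badges are normally issued sequentially, so one captured card also identifies its
    neighbours: return the streams for the same facility and card numbers within +/- span."""
    facility, card = decode_h10301(captured)
    return [encode_h10301(facility, n)
            for n in range(card - span, card + span + 1)
            if n != card and 0 <= n <= 0xFFFF]


if __name__ == "__main__":
    badge = encode_h10301(42, 1234)   # made-up facility code and card number
    print("on the wire:", badge)
    print("decoded:", decode_h10301(badge))
    print("neighbouring card numbers:", [decode_h10301(b)[1] for b in sibling_cards(badge, 2)])
```

The practitioner’s point is in `sibling_cards`: a single read in the lobby gives an attacker not just one badge but a good guess at the whole issued range, which is why a finding about clonable badges should be written up as a format problem, not a one-card problem.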

Gates, Fences and other barriers

Fences and gates can be climbed; if they are barbed, wear thicker clothing or take a blanket to cover the top.

Wire fences can be cut through.

Fence jumping needs to be timed against any security patrol timetable.

Mantraps are a type of access control where people walk into a first reception room, and to get through the second door they have to present some form of credentials. Anyone tailgating is caught in this intermediate zone, stuck between the two doors…

Questions

  • What item can be used to widen the gaps between doors and door frames or between double doors to allow for other bypass tools to be used? This tool is also common for automobile entry. Air wedge.
  • An improperly hung door which opens away from you can be bypassed using this type of tool? Traveller hook.
  • What type of material can be used to go over the door to grab the secure side handles when an under the door tool is not able to be used? Film.
  • Adams Rite hardware fixtures are susceptible to a bypass where a wire is snaked through the keyway and actuates the locking mechanism behind it, what could prevent this bypass?

Social Engineering skills for Physical Penetration tests

This is where we manipulate targets into giving information or performing some action, using anything from psychological tricks to biases (a common one being confirmation bias), relying on our ability to paint reality the way we want so that the exchange of information appears trustworthy and natural.

We hope they make subjective choices, and we gauge which biases they could fall for. Confirmation bias is where we hold a given set of ideas and perspectives, interpret the reality around us to fit them, and attribute this to our own theory being accurate and true. But really it is the social engineer playing with all this from the shadows: the target is subject to a concentrated, well-orchestrated scheme…

Theories of influence:

  • Reciprocity. This refers to the idea of exchanging something with mutual benefit to each party. By giving, you may create a sense of obligation so that the person returns the favour.
  • Commitment and consistency. This means introducing yourself via some small commitment and making your presence seem normal. By being consistent and having some commitment, for instance if you knew the company was big on JavaScript, you could begin holding weekly JavaScript workshops and build rapport with the employees. You’d still need some nerve to quickly put a Rubber Ducky USB into their laptop…
  • Social proof. This relies on people looking to others for how to think or act; when we perform an action as a form of “social proof” it calms them down and allows them to imagine themselves doing the task.
  • Authority. If we can imply authority or have some bogus way to prove it, we can use this power to influence the decisions of others, as they may wish to:
    • Avoid punishment
    • Be on amicable terms with the “higher-ups”
    • Believe they will get a return favour…
  • Liking. People are persuaded by people they like. Hopefully we can build a professional or personal relationship, but this could take a lot of extra work.
  • Scarcity. This is where we highlight that some resource is scarce (time, an event, an appointment; it could be anything), which causes them to override any objections to performing the action since the opportunity won’t be there long. The fleeting aspect also helps in reverse: the effects of such an event will probably not seem too consequential either…

Additional principles of influence:

  • Trust
  • Relying on a certain degree of ignorance. I don’t mean stupidity, but being overwhelmed by details or complexity and needing to defer to someone they think is more specialised.
  • Desire to help
  • Desire to be liked
  • Gullibility
  • Greed

Cognitive dissonance is the state where a person holds contradictory beliefs, ideas or values, which causes psychological stress when they take an action that goes against one or more of them. When in this state of inconsistency, people tend to grab at any answer or resolution that makes them consistent again. The discomfort is triggered by the person’s belief clashing with newly perceived information, and they try to find a way to resolve the contradiction to reduce their discomfort.

We offer them a way out of this conflict (bonus points if we can create the moment of tension ourselves), which makes people do something they ordinarily, and rationally, wouldn’t.

Methods of Social Engineering

Principles before deciding on a method

  • You need to be able to think on your feet
  • Look at the specific problem
  • Be patient

Provoking fear. Try to create a problem: an incident with some consequence people are afraid of. Whatever it is, the target has to seem to be the cause of the problem, so that they’ll want to correct it.

Power of authority. Know the hierarchy. Pretend to be an authority or to act on their behalf. Target low-level or new employees.

Inflating a target’s sense of authority. Giving someone a big head may make them more impressionable by boosting their self-worth. If the power is only imagined, we probably need to create a scenario that would incite them to act and take them from idea to action.

Politeness. Being respectful and courteous can increase someone’s liking for the tester.

Sexual manipulation. This isn’t as extreme as the title sounds; it may just be the tester flirting with the target or a light touch on the shoulder or arm, which distracts them. This subtlety is enough to take someone’s attention out of the moment, making it easier for them to perform actions they ordinarily wouldn’t.

Executing a Physical Penetration test

Types of approaches. Though the tactics may differ from test to test, these are the options we have when deciding how to execute the test.

  • Overt testing is when the method of entry causes damage or destruction, to locks, doors, windows, walls or other objects. Obviously this is a high-risk scenario, so make sure to stick to the controls agreed within the contract. This type of testing is detectable by both trained and untrained people.
  • Covert testing. This is where we are working in plain sight, but that doesn’t mean we want to draw attention to ourselves. A common example is dressing up as a lift engineer and getting out all your tools in plain sight; people will think you’re doing your job… well, you are. The better we blend into the crowd, the longer we can continue testing. Some social engineering may be required to keep our cover story sound. This type of testing would be detectable by trained but not necessarily untrained people, as the disguise should be enough to fool most.
  • Surreptitious or unseen testing is where the tester aims to be completely out of view. They are actively trying to avoid people, as they will probably be doing something which would be considered suspicious: clipping cables, lock picking, bypassing controls, etc. This is why it is usually done after hours. This type of testing should be undetectable by both untrained and trained people.

Approach          Detectable by trained staff   Detectable by untrained staff
Overt testing     Yes                           Yes
Covert testing    Yes                           Not necessarily
Unseen testing    No                            No

Examples

  • Using an angle grinder to cut a lock open is what type of entry ? Overt , as this will be very suspicious even to the untrained eye…
  • Lock picking and lock bypassing could be considered what type of entry? Covert, as the untrained person wouldn’t always be able to tell you’re breaking in, and some methods are subtle enough.
  • Taking a photo of a key, decoding it and duplicating it can be considered what type of entry? Taking photos can be mistaken for many different things and so this would be unseen.
  • Determining the combination of a safe through surveillance can be considered what type of entry? Again, this would be unseen as we haven’t needed to engage in this instance to get information.

Exploring target sites

Try to extract as much information as possible from the reception desk.

Guard stations are a rich source of information and items. They usually hold video footage, keys, badges and communication (radio) traffic, so most of the questions we have can be answered by getting into the station.

Meeting rooms. Empty meeting rooms are still valuable, as we can set up equipment and explore the network from there. Even just listening to office chatter without being bothered is useful. We may have hours of access to the room, and when someone comes in we just say “Oh sorry, I didn’t see the schedule” and leave.

Supervisor offices may be in scope for the test and provide a goldmine of information and assets. Being seen in such an office can also be used to imply authority over other employees.

Server rooms and switch closets are usually the main targets of physical penetration tests today: by implanting devices in these rooms we can watch the flow of traffic, gain largely unrestricted access to the organisation’s data and probably reach routers, shut down firewalls and so on.

Storage areas , warehouses etc.

Examples of Access Methods

Tailgating is where we follow an authorised person into the building. It relies on our ability to blend in and not arouse suspicion; essentially the only credentials we need are context, timing and confidence. Often by tailgating we mean following someone into a building, lagging just behind them so that as the door is closing they hold it open for us rather than appear rude.

Disguises should be appropriate, believable and make you look like part of the group. Usually a nice suit and briefcase will do the trick; other times, on a construction site, a high-visibility vest and hard hat are necessary.

We may need several disguises: the first could be a delivery person’s outfit to get in the door, after which we change into a suit or lab coat to walk around inside.

We could hide in a lift, maybe to do a costume change! We try to hack the lift to take us to the management level, wait for everyone to leave the lobby area, and then emerge later to carry on with the penetration test.

Pretend to have an appointment with an employee or manager, but can we get past the receptionist? They may defer to their supervisor (to avoid being blamed). This works best in large companies with many staff and high turnover. The fake meeting doesn’t always have to be with a specific person; it could be a booking in a shared work-space, and we just hope the schedule is malleable.

Defending against these attacks

The first and foremost defence is a security-oriented attitude and an openness to making changes.

Limiting information exposure reduces leakage. We need a handle on the information streams the company emits; knowing what content is released makes remediation much easier. Social networks hold a wealth of information, so we need to train employees to be mindful of what they post. Sites like LinkedIn, which expose CV information, the technologies a company uses, etc., are incredibly valuable to an attacker.

Enforce security policy to defend against social engineering attacks and train staff on the different ways they can be caught out. They should not be flustered by typical psychological pressure; the culture should make it normal to challenge people for a form of identity or a clear explanation and to check it with a supervisor. This way it can be confirmed whether or not someone is an attacker.

Always use two-factor authentication for anything corporate.

Use encryption on all outbound communication streams.

Train security staff to track and detect electronic monitoring devices (bugs, cameras and the network implants left in switch closets).
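The implant scenario from the server rooms / switch closets paragraph has a simple network-side tell that the security staff above can be trained to look for: a new, un-inventoried MAC address appearing on an access port, an inventoried device turning up on the wrong port, or two MACs behind a port that should only ever carry one host (an inline tap sits between the PC and the switch, so the switch learns the PC’s MAC plus the implant’s own). The following is an added example, not code from the course or any vendor; the syslog-like “mac-learn” line format, the switch name, the inventory and the OUI table are all assumptions constructed for this example. The Raspberry Pi and VMware OUI prefixes are real IEEE assignments and are only used as hints for the analyst.

```python
import re
from collections import defaultdict

# Constructed sample log lines in an ASSUMED syslog-like format for a
# hypothetical access switch "sw-closet-2"; not captured from real hardware.
SWITCH_LOG = """\
Mar 12 02:14:07 sw-closet-2 mac-learn: port Gi1/0/7 vlan 20 mac 00:1b:21:3c:4d:5e
Mar 12 02:14:09 sw-closet-2 mac-learn: port Gi1/0/7 vlan 20 mac b8:27:eb:aa:bb:cc
Mar 12 02:15:30 sw-closet-2 mac-learn: port Gi1/0/12 vlan 20 mac 00:50:56:9a:11:22
Mar 12 02:16:02 sw-closet-2 mac-learn: port Gi1/0/7 vlan 20 mac 00:1b:21:3c:4d:5e
Mar 12 02:18:45 sw-closet-2 link-up: port Gi1/0/3
Mar 12 02:18:47 sw-closet-2 mac-learn: port Gi1/0/3 vlan 20 mac 00:50:56:9a:11:22
"""

# Hypothetical asset inventory: MAC -> the port the device is documented on.
INVENTORY = {
    "00:1B:21:3C:4D:5E": "Gi1/0/7",   # finance workstation
    "00:50:56:9A:11:22": "Gi1/0/12",  # print server (VM)
}

# Tiny subset of real IEEE OUI prefixes, only to give the analyst a hint.
OUI_HINTS = {
    "B8:27:EB": "Raspberry Pi Foundation",
    "00:50:56": "VMware",
}

MAC_LEARN_RE = re.compile(
    r"mac-learn: port (?P<port>\S+) vlan (?P<vlan>\d+) mac (?P<mac>[0-9a-fA-F:]{17})"
)


def vendor_hint(mac):
    """Look up the first three octets (OUI) of an upper-cased MAC."""
    return OUI_HINTS.get(mac[:8], "unknown OUI")


def find_rogue_devices(log_text, inventory):
    """Return a list of (finding, port, mac_or_macs, detail) tuples.

    Findings raised:
      unknown-device     MAC that is not in the asset inventory
      moved-device       inventoried MAC learned on a different port
      extra-mac-on-port  more than one MAC behind an access port, the usual
                         signature of an inline implant between host and switch
    """
    macs_per_port = defaultdict(set)
    findings = []
    for line in log_text.splitlines():
        m = MAC_LEARN_RE.search(line)
        if not m:
            continue  # link-up / other messages are not MAC learn events
        mac, port = m["mac"].upper(), m["port"]
        if mac in macs_per_port[port]:
            continue  # the same MAC re-learned on the same port is not news
        macs_per_port[port].add(mac)
        expected_port = inventory.get(mac)
        if expected_port is None:
            findings.append(("unknown-device", port, mac, vendor_hint(mac)))
        elif expected_port != port:
            findings.append(("moved-device", port, mac, f"inventory says {expected_port}"))
    for port, macs in macs_per_port.items():
        if len(macs) > 1:
            findings.append(("extra-mac-on-port", port, ",".join(sorted(macs)), f"{len(macs)} MACs"))
    return findings


if __name__ == "__main__":
    for finding in find_rogue_devices(SWITCH_LOG, INVENTORY):
        print(" | ".join(finding))
```

On the constructed log this raises three findings: an unknown Raspberry Pi OUI on Gi1/0/7, the print server’s MAC appearing on Gi1/0/3 instead of Gi1/0/12, and two MACs behind Gi1/0/7. In practice the same checks are done with port security or 802.1X on the switch itself; the script only shows what the evidence looks like so that staff know what to chase when a closet has been visited.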

Secure your garbage bins (and shred what goes in them) to stop dumpster divers.

Use badges for staff entry so that mantraps can be enforced properly.
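Badges help against the tailgating described above only if the access-control system actually uses the badge-in / badge-out events. The usual rule is anti-passback: a badge must alternate between entering and leaving, so a badge that is passed back to a second person (two entries, no exit) is denied, and a person who leaves without ever having badged in (they tailgated) generates an alert. The following is an added example, not code from the course or from any access-control product; the event format and the badge IDs are constructed for this example. Egress is never blocked, because fire-safety rules require free exit, so an unexpected exit is only alerted on.

```python
# Constructed badge events from a hypothetical two-reader door:
# (time, badge_id, direction). Not real access-control data.
EVENTS = [
    ("08:01", "B1001", "in"),
    ("08:01", "B1002", "in"),
    ("08:03", "B1001", "in"),   # B1001 is already inside: badge passed back or cloned
    ("12:10", "B1002", "out"),
    ("12:40", "B1002", "in"),
    ("17:05", "B1003", "out"),  # B1003 never badged in: came in by tailgating
    ("17:30", "B1001", "out"),
]


def anti_passback(events):
    """Apply a hard anti-passback rule to a sequence of badge events.

    Returns (decisions, alerts, inside):
      decisions: list of (time, badge, direction, "allow" | "deny")
      alerts:    list of (time, badge, reason) for the guard station
      inside:    sorted list of badges the system believes are still on site,
                 which is also the headcount the fire marshal would ask for
    """
    inside = set()
    decisions, alerts = [], []
    for t, badge, direction in events:
        if direction == "in":
            if badge in inside:
                # Second entry without an exit: deny and raise an alert.
                decisions.append((t, badge, "in", "deny"))
                alerts.append((t, badge, "entry while already inside: shared or cloned badge"))
                continue
            inside.add(badge)
        else:
            if badge not in inside:
                # Never block egress; just record that this person got in unseen.
                alerts.append((t, badge, "exit without matching entry: possible tailgating"))
            inside.discard(badge)
        decisions.append((t, badge, direction, "allow"))
    return decisions, alerts, sorted(inside)


if __name__ == "__main__":
    decisions, alerts, inside = anti_passback(EVENTS)
    for d in decisions:
        print("decision", *d)
    for a in alerts:
        print("ALERT", *a)
    print("still inside:", inside)
```

The rule is only as good as the readers on both sides of the door: with a reader on entry only, the “out” events never exist and a tailgater is invisible, which is why the notes pair badges with a mantrap that forces one person per cycle.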

Run red-team tests (physical or virtual) and use the report to iteratively improve the security posture.

Have incident response policies in place for when a physical intrusion is detected.