While there are many articles directed at assessors and consultants on “what not to do” during a penetration assessment, I haven’t seen many blogs directed towards what clients should avoid when preparing for one. I wanted to address this topic, and share from experience the pitfalls that can often hinder the progress and quality of a penetration assessment.
What is a "Penetration Assessment"?
Penetration assessments are a way to identify an organization’s risks by simulating common threats. These assessments can target a wide range of scenarios, such as external service attacks, insider threats, social engineering and physical intrusion. Once vulnerabilities have been identified and exploited, that information is compiled into a report and passed on to the client for... read more >
Another Wednesday, another war story. As a Senior Security Consultant here at NTT Security, I am constantly performing assessments on-site for our clients. At a recent on-site social engineering and physical security assessment, we exploited some vulnerabilities that could easily have been avoided with the right security measures in place.
Also, as many of you are aware, October is National Cyber Security Awareness Month (NCSAM). The theme for this week is STOP. THINK. CONNECT, however, I’d like to change it to fit the theme of my blog: STOP. THINK. FACT CHECK. As I’ve said in previous war stories, always ask questions and check that the person is who they say they are. And no matter how nice someone may look or act, always fact check. Use your instincts and don’t let someone with seemingly legitimate credentials fool you.
Assessment Background
The... read more >
When performing a social engineering assessment, you never know what type of person you’re going to encounter, especially when trying to enter the client’s facility.
Sometimes you’ll run into that person who ignores what you have to say, is a stickler for protocol, and is intent on verifying your story and your legitimacy for gaining access. These individuals are the ones who understand that security doesn’t equal convenience. They stick to their security awareness training and incident response procedures, and take the well-being of the company to heart. These are the employees that penetration testers want to avoid when playing the role of an attacker. Unfortunately, this type of employee is rare.
More often, you’ll encounter a very trusting and kind individual who is eager to help out without wanting to inconvenience you... read more >
A wide-open physical security assessment war story - #WarStoryWednesday
War Story Wednesday is a Solutionary Minds blog feature series. On the first Wednesday of the month, Solutionary is publishing a blog from one of our security practitioners that discusses a real-world engagement or “war story.” This blog, featuring Security Consultant Brent White, is the second submission in the series.
This physical security assessment was fun, easy and a bit alarming. It was fun and easy because of how completely simple it was. It was alarming for the same reason, and because there was no security presence at all.
How can we get in?
This is usually the thing we try to answer first when conducting a physical security assessment. Through basic reconnaissance, my co-worker and I quickly figured out the following information:
- The front doors automatically locked every day at 4:30 pm.
Traditional and Nontraditional Tools and Techniques
So, you’ve gotten past the front door by piggybacking, were granted access to the elevator by the receptionist, and then find yourself standing in front of another restricted area. The next step is to find a way to trigger the motion sensor from the other side of the door so that it will open for you. What would you do?
Physical Security Assessments are an essential part of a security program. If an attacker is able to gain physical access to your building and equipment, they essentially have “the keys to the kingdom.”
This blog was written to provide an overview of some tactics that assessors... read more >