Last month, a client asked us to conduct physical penetration testing (PPT) at their semi-rural work site. The client had recently taken over the place, had suffered several break-ins resulting in theft, and had found evidence that the site was being used for drug taking.
Physical penetration testing assesses all the physical security controls, processes and protocols that a company or location has in place, in order to identify vulnerabilities and, where any are found, recommend remediation options. During a PPT, attempts are made to thwart these controls to gain physical access. Physical penetration testing is generally conducted in phases: initial reconnaissance, active reconnaissance, attack planning, targeted testing and reporting.
Once we spoke to the client and conducted an initial recce of the site, it quickly became clear that the client required not a PPT but a site security assessment. The client had been in a rush to get the site up and running and by his own admission had not considered security a priority until the incidents of theft.
During the initial meeting/recce, we found a host of security issues, to name but a few: no access control or booking in; human-sized holes in fences; overgrown foliage covering fences and providing covered approaches; fences located too close to trees/buildings, which also aided access to the site; unattended heavy plant which, again, assisted access to the site; and dark/unlit areas where access could be gained without anyone’s knowledge.
So, for this case, it was ‘back to basics’: we advised the client against physical penetration testing and instead conducted a site security assessment, highlighting the many security issues and allowing the client to remediate them. Ultimately, conducting an assessment rather than a PPT was the correct course of action; it assisted the client in securing the site and saved him money. The task was also a good reminder of the importance of scoping the job thoroughly, and it reconfirmed that time spent on reconnaissance is never wasted.