We conducted a physical penetration test (PPT) last month. The client gave us a 2-week window to collect intel and execute the PPT. During the reconnaissance phase, our team quickly identified that the office's 1st-floor aspect faced out over a busy road (not uncommon for offices). From the road you could identify a large open-plan office space and a meeting room running along this aspect, and the floor had large windows facing out across the road. This immediately interested the team, who set about trying to find a better vantage point. Luckily, opposite was a vacant office building, and the team were able to gain access and locate a good vantage point.

Clearly the aim during this phase was to gain as much intel as possible without entering the building: looking for vulnerabilities, but also working out and identifying the best attack strategy for the next phase (gaining entry). In essence, acting and thinking like a criminal. They teach in the military 'to let the enemy show you the layout of somewhere' (camp, base etc.) when conducting a close target recce: find a vantage point and just observe. Usually the occupants of the camp will map out the target for you, and the same can be said when targeting an office, residence etc.
From our vantage point (with technical aids to assist), we were able to look directly into the 1st floor and, in a short space of time, confirm the following: layout, employees' desk locations, exit and entry points, presence of CCTV, location of TV screens and whiteboards, expensive items of IT equipment, several desk monitors facing out towards the window, and so on. We were therefore able to confirm or rule out important information for the next phases quickly.
So, the main point of the post: think about room layout from a security perspective. It is often overlooked, or not viewed as important, when it comes to designing the room or office layout. However, doing the basics well will minimise risk, e.g. position desks, briefing screens and whiteboards at right angles to windows so they cannot be viewed from outside; make use of window blinds, especially at the end of the day and at weekends; use privacy screens; and minimise personal and expensive items in the office.
The client was shocked when we showed them images of what we had obtained without penetrating the building. We were then asked to do a security audit of the internal workings of the buildings, and a lot more recommendations were made.