
Unauthorised Access: Physical Penetration Testing for IT Security Teams


Registered office

John Wiley & Sons Ltd, The Atrium, Southern Gate, Chichester, West Sussex, PO19 8SQ, United Kingdom

For details of our global editorial offices, for customer services and for information about how to apply for permission to reuse the copyright material in this book please see our website at www.wiley.com.

The right of the author to be identified as the author of this work has been asserted in accordance with the Copyright, Designs and Patents Act 1988.

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, except as permitted by the UK Copyright, Designs and Patents Act 1988, without the prior permission of the publisher.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.

Designations used by companies to distinguish their products are often claimed as trademarks. All brand names and product names used in this book are trade names, service marks, trademarks or registered trademarks of their respective owners. The publisher is not associated with any product or vendor mentioned in this book. This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold on the understanding that the publisher is not engaged in rendering professional services. If professional advice or other expert assistance is required, the services of a competent professional should be sought.

ISBN 978-0-470-74761-2

Typeset in 10/12 Optima by Laserwords Private Limited, Chennai, India

To Nique for being herself and to my family for supporting and inspiring me.

Contents

4 An Introduction to Social Engineering
Tactical Approaches to Social Engineering 61
Finding Information From Public Sources and the
Understanding the Sources of Information Exposure 230
Protecting Against Electronic Monitoring 239
Protecting Against Tailgating and Shoulder Surfing 241
European Network and Information Security Agency 261
Appendix D: Security Clearances 265
Clearance Procedures in the United Kingdom 266
Levels of Clearance in the United Kingdom 266
Levels of Clearance in the United States 268
Certified Information Systems Security Professional 271
Communications-Electronics Security Group CHECK 272
Global Information Assurance Certification 274

Preface

This is a book about penetration testing. There is nothing innately new about that – there are dozens of books on the subject but this one is unique. It covers in as much detail as is possible the oft overlooked art of physical penetration testing rather than, say, ethical hacking. We won’t teach you how to use port scanners or analyze source code. There are plenty of places you can learn about that and, to a certain degree, if you’re reading this book then I’m going to assume you have grounding in the subject matter anyway. The purpose of this book is twofold: to provide auditing teams with the skills and the methodology they need to conduct successful physical penetration testing and to educate those responsible for keeping attackers out of their facilities.

My personal experience in physical penetration testing began about seven years ago when, following a scoping meeting to arrange an ethical hacking engagement at a data centre in London, the client asked almost as an aside, ‘By the way, do you guys do social engineering, that sort of thing – you know try and break in and stuff?’ I responded (like any junior consultant sitting next to a senior salesman) that of course we did! As it turned out we thought about it, decided to give it a shot and failed. Miserably. Not surprisingly.

My team and I were hackers, lab rats. In effect, we didn’t know the first thing about breaking into buildings or conning our way past security guards. This is a situation now facing an increasing number of ethical hacking teams who are being asked to perform physical testing. We know it needs to be done and the value is obvious, but where to begin? There are no books on the subject, at least none available to the general public (other than the dodgy ones on picking locks published by Loompanics Unlimited). So I decided to fill the void and write one. It has a special emphasis on combining physical testing with information security testing simply because ethical hacking teams are most likely to be employed for this kind of work (at least in the private sector) and because ultimately it’s your information systems that are the most likely target for any attacker. However, anyone with a need to understand how physical security can fail will benefit from this book – the culmination of a number of years of experience performing all manner of penetration testing in all kinds of environments.

Who this Book Is For

Anyone who has an interest in penetration testing and what that entails will benefit from this book. You might have an interest in becoming a penetration tester or you might work in the industry already with an aim to learn about physical penetration testing. You might want to learn how attackers gain access to facilities and how this can be prevented, or perhaps you’re considering commissioning a physical penetration test and want to learn what this involves.

This book is written for you.

What this Book Covers

Unauthorized Access discusses the lifecycle of a physical penetration test from start to finish. This starts with planning and project management and progresses through the various stages of execution. Along the way, you’ll learn the skills that are invaluable to the tester including social engineering, wireless hacking, and lock picking.

The core subjects discuss what takes place during a physical penetration test, what you can expect and how to deal with problems. Equipment necessary for carrying out a test is given its own chapter.

Chapter 9 includes case studies that draw on my own personal testing experience, which I hope will inspire you. Chapters 10 and 11 focus on protecting against intruders and corporate spies and how this relates to the cornerstone of information security: the security policy.

The appendices deal with miscellaneous subjects such as law, accreditations and security clearance.

How this Book Is Structured

The two most important chapters in this book are Chapter 2 and Chapter 3. These contain the core theory and practice of physical penetration testing. The chapters that follow them discuss in depth the skill sets you will be required to master:

• Chapter 4 – This chapter discusses how to manipulate human nature. Social engineering is the art of the con man and probably the single most crucial set of skills you will learn. The practice of these skills is at the core of any successful operating team.

• Chapter 5 – Generally this concerns defeating locks. This chapter assumes no previous knowledge and these skills are not difficult to master. This is a crash course.

• Chapter 6 – Knowledge is power; the more you have the more powerful you become. This chapter covers the basics of how and where to gather information, from how to successfully leverage Internet search technologies and databases through to the physical surveillance of target staff and facilities.

• Chapter 7 – Despite the security shortcomings of wireless networks (both 802.11x and Bluetooth) being well documented, many companies continue to deploy them. I discuss equipment, how to crack encryption and bypass other security mechanisms. I provide you with shortcuts to get you up and running quickly and introduce some newer techniques for compromising wireless networks that will guarantee that if you’re using wireless in your business now, you won’t be when you finish this chapter.

• Chapter 8 – This chapter offers an in-depth discussion of the equipment you need, where to get it and how to use it.

• Chapter 9 – This chapter offers a few historical scenarios taken from my case history. Names have been changed to protect those who should have known better.

• Chapter 10 – This chapter provides basic information about what a security policy should cover. If you’ve read this far and still don’t have a security policy, this chapter helps you write one.

• Chapter 11 – This chapter covers how to minimize your exposure to information leakage, social engineering and electronic surveillance.

• Appendix A – This provides a legal reference useful to UK testers.

• Appendix B – This provides a legal reference useful to US testers.

• Appendix C – This provides a legal reference useful when conducting testing in the European Union.

• Appendix D – This clarifies the differing terms used in the United States and United Kingdom.

• Appendix E – This tells you about the various tests you can take or the tests you want to be sure a tester has taken before hiring.

What You Need to Use this Book

I’ve written Unauthorized Access to be as accessible as possible. It’s not an overly technical read and although grounding in security principles is desirable, it’s not a requirement. Chapter 7 (in which the discussion focuses on compromising the security of wireless technologies) is technical from start to finish but it does not assume any previous knowledge and provides references to the requisite software and hardware as well as step by step instructions. If you have a grounding in penetration testing (or at least know what it is) so much the better but again this is not necessary. What you need to use this book and what you need to carry out a physical penetration test are two different things (for that you should refer to Chapter 8). However, I strongly recommend you have the following:

• A modern laptop computer;

• A copy of the Backtrack 3 Live Linux Disc – available from www.remote-exploit.org;

• A Backtrack compatible wireless network card (see Chapter 8).

You may also wish to purchase a set of lock picks to practice what you learn. You should consider this to be the starting point. There is a vast array of equipment relevant to this field but you don’t, by any means, need all of it.

Acknowledgements

I would like to thank my superb editing team and of course my colleagues at Madison Gurkha for giving me the time to work on this. In particular I’d like to thank, in no particular order, the following: Andrew Dalton, Frans Kollée, Pieter de Boer, Tim Hemel, Arjan de Vet, Steve Witmer, Caroline van de Wiel, Hans van de Looy, Guido van Rooij, Remco Huisman, Walter Belgers, Ward Wouts, Thijs Hodiamont, Serge van den Boom, Marnix Aarts, Jan Hendrikx, Jack Franken, Haywood Mcdowell, Rob Lockwood, Corinne Hanskamp, Willem-Jan Grootjans and Gary Mcgath.

Foreword

Kevin Mitnick

Billions of dollars are spent each year by governments and industry to secure computer networks from the prying eyes of an attacker. As a security consultant, I have done quite a few system hardening jobs where the entire focus was upon the firewalls, server configuration, application security, intrusion detection systems, and the like. Some managers completely rely on this technology and put little or no emphasis on better securing their physical perimeter.

Those employed in the computer security industry are fully aware that once physical access to networks is obtained 90% of the obstacles are removed. The attackers are aware of this too, and have demonstrated their agility in bypassing standard security measures when foiled after attempts at remotely accessing a system. In addition to those on the outside that may attempt to circumvent your controls, there are many on the inside (employees and vendors) that already have access. Adding another layer of physical security may deter both of these groups. Consultants in the security field must continually expand their skill set to accommodate the ever-changing environments and protect their client’s assets. In this book Wil Allsopp has created a thorough reference for those looking to advance into the area of physical penetration testing. The book also serves as a guidebook for in-house security managers seeking to institute better policy safeguards.

Every month it seems that we are hearing in the media about large-scale attacks on corporations, the government and financial institutions. Many of these have involved physical barrier penetrations, with the most notable being a huge retailer whose credit card databases were compromised by a group that was reportedly inside the network for more than two years undetected. It was touted by the government as the largest theft to date of credit card numbers, which was placed at over 47 million accounts. How were they able to get in? One method was to swipe a wireless barcode scanner and extract the encryption key used to communicate with the wireless access point inside a retail location. The crooks also obtained physical access to a crawlspace above the store, spliced into the Ethernet, and planted their own secret wireless router. While this describes the most brazen of attackers, don’t be surprised to hear more stories like this in the future. The rapidly advancing technology side of computer security is making electronic intrusions increasingly more difficult for hackers, therefore we will see greater implementation of the physical security attack methods explained in this book, played out in tandem with a technical attack.

A few years ago I was performing a penetration test, which included a scope of testing physical security controls. The first morning I dressed in my suit and arrived in the lobby of the client’s office to meet with my contact. Noticing a display of business cards at the reception desk I pocketed a few inside my coat jacket. For the next two days I remained in my car, parked close by, just watching the building and observing behaviors of those coming and going. At about 8:30 each night a janitorial service arrived at the office complex to clean the offices. I knew this was my ‘in’. Armed with the business cards from the first morning, and once again outfitted in a suit, I walked up to the door and began banging on the glass. A few minutes later, one of the cleaning crew arrived to open the door. I explained that I had left my keys in my office while handing him ‘my’ business card; he stepped aside and waved me through. Once I was in the building I began to search for my target’s cubicle (some research was performed beforehand to narrow down the location of his cubicle). I sat at the computer, turned it on, slid a Linux Live CD into the CD-ROM drive, entered in a few commands, and grabbed the Administrator’s password hash for that machine. It took only a few minutes to crack the password hash using rainbow tables. Once I had access to the computer I installed a Trojan on the system (this was the set goal), powered down the system, packed up my things and left the premises. This all occurred in about twenty minutes and the client had no idea that they had been compromised until the details were provided in the report.

Securing proprietary information is multi-faceted and can no longer be approached by focusing on the technology alone. All potential access points must be scrutinized carefully to ensure that ingress is denied on multiple levels. In Unauthorised Access: Physical Penetration Testing For IT Security Teams, Allsopp addresses this concept with a relevant and pertinent outline for performing physical penetration tests by familiarizing the would-be tester with the methodologies and tools needed to perform the test, and illustrating them with the colorful recounting of tales from his vast experience as a security consultant. These stories help to provide real-world examples of the techniques that are being used by attackers every day.

Performing physical penetration testing within your organization should not only be reserved for businesses trying to safeguard information, but can also be applied to provide better security against theft and trespassing, and to guard against industrial espionage. This book will first take you through the terminology, planning, and equipment needed to perform the test. As Allsopp reminds you in later chapters, security is only as strong as its weakest link, which is most likely to be the very people employed by the target.

Once the lingo used in testing is defined, and some of the pitfalls regarding physical layouts of facilities that may be encountered are outlined, you are introduced to a primer on social engineering, which is the practice of using deception, manipulation, and influence to persuade the target to comply with your request. Allsopp recognizes that those best versed in social engineering possess certain personality traits that make them especially adept in this type of manipulation, but attempts to provide an introduction of some basic knowledge for the inexperienced to build on because he realizes the importance of mastering this skill. This is critical, as there is rarely a compromise of security that takes place without some level of social engineering.

For those that have already conducted a physical penetration test in the past, there are several chapters that should provide a few new things for your arsenal as the subject matter switches to information gathering, lock picking and wireless technology. The chapter on lock picking is brief, but provides excellent resources to learn more on the subject as well as giving the reader an overview of the basic steps in picking a lock along with general information on various locking mechanisms and how they can be bypassed. Even if you’ve never picked a lock before, Chapter 7 will make you want to try.

Many might not consider wireless hacking as a ‘physical’ attack method, but if you consider that most wireless access points have a broadcast range of less than 300 meters without a long-range antenna, to take advantage of these devices you must place yourself within the allotted radius to compromise the target. Having in-depth knowledge of wireless devices can be used for more than just attacking them. If you can obtain physical access to cabling, a ‘hard-wired’ network could suddenly become a wireless one, if spliced into with a device placed in-line. Wireless technology is probably one of the most commonly misconfigured items providing perimeter security, and if compromised, it can easily become the low-hanging fruit sought by attackers.

After you are enlightened and possess a solid understanding of executing physical penetration tests, Allsopp gathers all the techniques discussed and rolls them into detailed true-life accounts in Chapter 9. The first example describes a pen test performed on a SCADA (Supervisory Control And Data Acquisition) system. There has been an elevated awareness of terrorism since 9/11, and SCADA systems have been receiving significant media attention since they are used to monitor and control critical infrastructure processes such as power generation, life support systems, water treatment, and telecommunications. Many speculators are afraid that the power grid could be compromised in a standalone terrorist act, or used in conjunction with a symbolic attack, to reduce the response time of emergency personnel to the scene. These systems are in perpetual production and are not usually connected to the internet, so taking them offline for maintenance and upgrades is very difficult, which makes their physical security all the more important.

Allsopp’s example of lax security at a power substation, unfortunately, is not limited to the UK. Often, these critical systems in many countries are left unmanned and may not be protected by anything more than a barbed-wire fence and padlocks. Sure, there may be some electronically locked doors and access gates, but as shown in prior chapters, these are easily bypassed by a determined intruder. Armed with a laptop and key information, if you can get past these controls, you are most likely going to find an unpatched system that could grant you ‘keys to the kingdom’. The infusion of the real-life stories helps to clearly demonstrate the typical shortcomings due to the lack of proper procedures, employee training, and policies in place. You can employ the latest technology and implement multiple layers of defense, but if your personnel are not properly trained to spot weaknesses and then act on them, all of these precautions are rendered almost useless. Allsopp addresses concepts to provide better policy, incident response, and access control. Much of this involves classifying assets so that employees are aware of what is most important to safeguard.

While this book is aimed at security consultants looking to add physical penetration testing to their repertoires it would also be a great read for those managing security for various organizations. It would be a useful reference tool for IT/Security Managers to implement better policy and training for their employees. If you could only walk away with one thing from this book it would be the lesson to teach your employees to challenge and verify. An apology is a much easier thing to give than having to explain how you were instrumental in allowing an intruder to bypass established protocols.

1 The Basics of Physical Penetration Testing

If you know the enemy and know yourself, you need not fear the result of a hundred battles.

Sun Tzu: The Art of War

There is an old saying that security is only as strong as the weakest link in the chain. This is an erudite and often overlooked truth. The weakest link is never the cryptographic keys protecting a VPN link or the corporate firewalls guarding the borders of a network, although these technologies certainly have their shortfalls. The weakest link in any security scenario is people. Some people are lazy and all people make mistakes and can be manipulated. This is the most important security lesson you will ever learn: security in any form always boils down to people and trust. Any decent computer hacker will tell you: if you want to be good, learn technologies and programming languages, reverse engineer operating systems, and so on. To be a great hacker requires learning skills that are generally not maintained by people of this mindset. Once you master the manipulation of people, you can break into anything – any system whether corporate, electronic or human is vulnerable.

This chapter covers the basics of penetration testing, the things you need to know before you dive into the more interesting practical chapters. This includes a guide to terminology unique to penetration testers, a little on legal and procedural issues (because an understanding of the relevant legislation is critical) and, of course, a discussion of why penetration testing is important, including a look at what organizations usually hope to achieve from engaging in a penetration test.

Conducting physical penetration tests is a unique and challenging way to earn a living; it requires a certain mindset, a broad skill set and takes experience to become accomplished. This book can’t help you with the mindset: that’s something you have to develop; or the experience: that’s something you have to accumulate; but it will go a long way to providing you with the relevant skill set and this chapter is the first step.

If you are representing an organization and want to ensure that you have the highest form of security in place, penetration testing can help you. This chapter tells you what to expect from a penetration testing team.

What Do Penetration Testers Do?

Penetration testers are hired by organizations to compromise security in order to demonstrate vulnerability. They do this every day and their ability to pay the rent depends on their success at breaking through security.

To demonstrate computer security flaws, penetration testers use reverse engineering software. They hack into networks and defeat protocols. With respect to physical security, they demonstrate vulnerability through physical intrusion into client premises. This is most often achieved through covert intelligence gathering, general deception, and social engineering although it may involve a more direct approach such as a night-time intrusion, defeating locks and crawling up fire escapes, depending on the rules of engagement. The differences between computer and physical intrusion may seem vast, but there is significant crossover between the two and they are often performed in tandem.

I have been conducting penetration tests in one form or another for over a decade and in that time I’ve seen client requirements change – both with the changing face of technology and a growing awareness of the threats faced by organizations wishing to keep their confidential data secure. The problem in a nutshell is this: you can have the best firewalls and change control procedures; you can have regular electronic penetration testing against networks and applications; you can audit your source code and lock down your servers. All of these approaches are fine and, if conducted well, are generally worthwhile. However, if an attacker can physically penetrate your premises and access information systems directly, these strategies won’t protect you. This ‘hard shell, soft center’ approach to security has led to some of the most serious information system breaches in memory. As you will learn, there is far more to security than SSL and patching against the latest buffer overflows.

Security Testing in the Real World

Military organizations, particularly the US military, have employed penetration testing teams (called ‘tiger teams’ or ‘red teams’) for decades. Their remit is to penetrate friendly bases to assess the difficulty an enemy would have gaining the same access. This could involve planting a cardboard box with the word ‘bomb’ written on it or attempting to steal code books. It might involve gaining access to a secure location and taking photographs or taking something of intelligence value. As time has gone by, the term ‘tiger team’ has become more associated with computer penetration teams; however the term is still widely used in its original context within the military. The challenges faced by testers in the private and government sectors are very different from those presented to military tiger teams, not least because they have significantly less chance of being shot at (I speak from experience). However while the attackers that one wishes to guard against are fundamentally different (terrorists in one case and industrial espionage actors in the other, for example) the approach is not dissimilar. All testers start with a specific goal, gather intelligence on their target, formulate a plan of attack based on available information and finally execute the plan. Each of these steps is covered in detail in this book but first, in the interests of consistency, let’s consider some of the terms I will be using throughout this text:

• Target – the client initiating the test and the physical location at which the target resides;

• Goal – that which must be attained in order for the penetration test to be considered successful, such as the following examples:

  • Breach border security at the target location (the simplest form of test, often as basic as penetrating beyond reception, where most physical security procedures end)

  • Gain physical access to the computer network from within the target location

  • Photograph a predetermined asset

  • Acquire a predetermined asset

  • Gain access to predetermined personnel

  • Acquire predetermined intelligence on assets or personnel

  • Plant physical evidence of presence

  • Any combination of the above

• Asset – a location within the target, something tangible the operating team must acquire (such as a server room or a document) or something intangible such as a predetermined level of access;

• Penetration test – a method of evaluating the security of a computer system, network or physical facility by simulating an attack by an intruder;

• Operating team – the team tasked with conducting a penetration test. In the context of a physical penetration and starting from the moment the test is initiated, the operating team is likely to consist of:

to be deployed in a planning or support capacity.

• Scope – the agreed rules of engagement, usually based around a black box (zero knowledge) approach or a crystal box (information about the target is provided by the client) approach;

• Anticipated resistance or security posture – the resistance an operating team faces, depending on a number of factors:

  • the nature of the target;

  • security awareness among staff;

  • quantity (and quality) of security personnel;

  • general preparedness and awareness of potential threats at the target.

Other factors include the difficulty of the assignment and the effectiveness of the security mechanisms to protect assets.

Legal and Procedural Issues

International law applicable to security testing is covered in Appendices A and B. However, this overview should at least get you thinking about the legal issues you need to take into consideration.

Most clients expect – and rightly so – a penetration team to be insured before they even consider hiring them. Although I’m not going to point you in the direction of any particular insurance providers, you must possess errors and omissions coverage, at a minimum. The coverage required varies from region to region and is governed by rules laid out in specific jurisdictions.

Indemnity insurance is highly recommended. Insurance companies may want to know a little about your team members before signing off a policy. Such information could include medical backgrounds and almost certainly will include details of criminal offences (i.e. they expect to find none) as well as professional histories. None of this should be a concern because you performed background vetting on your team prior to hiring them. (Didn’t you?)

When hiring a penetration testing team, be sure they are insured. This will help ensure that necessary background tests have been performed on the team you hire to access what could be private information.

Security Clearances

When performing penetration tests of any kind for either central government or the military, team members need to hold security clearances. The following information is specific to the United Kingdom although the gist is the same for the United States, where clearance procedures are far more stringent and make extensive use of polygraphs (‘lie detector’ tests).

Despite overwhelming evidence to the contrary, the US government insists that polygraphs can’t be beaten. They can and regularly are.

Security clearances come in different flavors depending on the nature of the work being performed and the sensitivity of the target. All clearances have to be sponsored by the department initiating the test unless they are already held by the operating team (though there are exceptions to this). In general, all testing team members are expected to hold security check (SC) clearance. Almost anyone who has no criminal record and is not known to the intelligence agencies is unlikely to be turned down for this clearance. Potential team members are required to supply basic information about themselves, including places they’ve lived and past employment. They are generally asked questions about their membership of organizations as well. SC clearance permits access to protectively marked (classified) information on a project-by-project, need-to-know basis (usually up to SECRET). Although this clearance must be periodically renewed, it is not (usually) necessary to clear team members for individual tests. In general, SC clearance is adequate and the most realistic choice given the lead time needed to arrange clearances.

One step up is developed vetting (DV) clearance. This is needed to work for intelligence organizations such as GCHQ or MI6 and is a minimum requirement for those regularly working at a TOP SECRET level. These clearances are issued on a project-by-project basis and they are not transferable. To obtain DV clearance, prospective applicants are required to attend an interview (usually conducted by the Defense Vetting Agency or MI5). The process includes in-depth analysis of the personal and financial background of the applicant. Family and partners are also likely to be interviewed and their responses cross-referenced. Processing DV clearances is a costly and time-consuming business for the government and often people being vetted for government jobs start working in their new positions (albeit at a lower level of security) long before they are cleared. Only the most sensitive tests will require DV clearance.

The bottom line is to know who you are hiring so that insurance and security clearances are a mere headache rather than a major pain. In the UK, a potential hire can provide a statement from the police that no file is held on them (the Data Protection Act gives the right to such a statement). If you are putting a penetration testing team together, I recommend that you also run a financial background check on everyone, if only to be able to show your clients that you’ve taken due diligence, rather than because it has any intrinsic value.

Appendix D covers security clearances in the United Kingdom and the United States.

Staying Within the Law

It should go without saying that a lot of the skills outlined in this book are of use to criminals as well as to legitimate penetration testers. I have no particular concerns in putting these skills down on paper. The bad guys are already well versed in them. However, I would be remiss if I didn’t point out that it is your responsibility to ensure you always remain on the right side of the law. As I discuss the various subjects in this book, I do my best to apprise you of any relevant legal issues you may run into but I’m not a lawyer. Your company should always obtain qualified legal advice. The following pieces of UK legislation are illustrative examples of aspects of the law you might not have considered.

Human Rights Act 1998

In 2000, the United Kingdom incorporated the European Convention on Human Rights into UK law. The majority of the Human Rights Act 1998 is irrelevant to penetration testing. However, there are one or two things to be aware of when conducting any form of penetration testing.

Article 8 – Right to respect for private and family life

1. Everyone has the right to respect for his private and family life, his home and his correspondence.

2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

The key to Article 8 is privacy, which can be (and has been) interpreted in some unexpected ways. For example, if a penetration testing team, in the execution of their duties, accidentally or deliberately intercepted the private communications of target staff, an offence has been committed under Article 8. For example, a target user checks her Yahoo! email on a company computer over the company network. Nobody has the right to intercept that email. The fact that what she’s doing may be a disciplinary matter under the terms of her employment is irrelevant.

I’ll give you another (true) example so that you can appreciate the scope of what I’m talking about. A hacker breaches the security of a central government department, or so he believes. Actually, he’s breached a ‘honey pot’ set up to study hacker behavior. The hacker routes his traffic via this honey pot and uses it to check his email. In doing so, he allows his communications to be intercepted by government security personnel. This email is private; by capturing, storing (and indeed reading) the email, an offence has been committed.

The bottom line – whether you think this is crazy or not – is that you need to be aware of what you’re looking at and the potential legal ramifications of what you do. If you are hiring a penetration testing team, you need to be aware of what they can legally do.

Computer Misuse Act 1990

At its core, the Computer Misuse Act 1990 makes it a crime to knowingly access an information system without permission. Read and craft your rules of engagement carefully: a penetration testing team may have permission to target a specific computer or network within the target, but not the ones adjacent to it. They may be authorized to attack a specific server, but not the applications running on it (which may be under a completely different sphere of organizational responsibility).

At any time, if the operating team is in doubt as to their legal position they should immediately confer with their support staff. See the appendices for the relevant text of US, UK and EU legislation.


Know the Enemy

I began this chapter with perhaps the most famous quotation from Sun Tzu’s Art of War: Know the enemy and know yourself. Before you can know the enemy, you have to know who the enemy is. For the military this is straightforward: they tend to be the guys shooting at you and bombing you. In the commercial world, the enemy is not quite so simple to define. The threats that organizations face in the modern world tend to be various and multilateral.

For a physical penetration test to have any intrinsic value, it is vital to determine and, to a certain degree, emulate the nature of the threat facing that organization. The threats faced may differ dramatically. Table 1.1 briefly explains the targets and their potential exposure that operating teams are most likely to encounter. This subject gets much more detailed treatment later in the book. The given threat should not necessarily alter your approach, but it should certainly guide it.

Table 1.1 Targets and threats

Targets                                                   Potential threats
Corporate targets (headquarters; larger                   Breached border security: wide-ranging access
  self-contained facilities)
Corporate offices (shared premises), usually
  managed by building services or a central
Power stations                                            Terrorism
Military bases                                            Foreign intelligence and protesters

There is a certain degree of crossover. For example, a corporate defense contractor can be considered as a military target. How these threats manifest themselves varies:


• Commercial espionage – This can involve external hacking, physical intrusion into corporate premises, use of moles or sleepers to gather confidential information, etc.

• Commercial sabotage – Such acts can and have included ‘ethical’ or ‘environmental’ terrorism, i.e. attacks on facilities owned by drug companies, oil companies, animal testing facilities or abortion clinics (the latter being largely a North American phenomenon). Acts of sabotage by one commercial entity against another are rare but not unheard of and I’ve investigated more than one.

• Acts by a foreign power – At the end of the Cold War, a downsizing of the traditional intelligence agencies was inevitable as many field operatives suffered from a ‘reduction in force’ (RIF). However, many ex-KGB officers (for example) are now engaged in commercial espionage, a great deal of it state sanctioned. Industrial intelligence gathering against the US and Western European nations is a major remit of the Russian intelligence-gathering apparatus, in particular the Foreign Intelligence Service (SVR, the successor to the KGB) and, to a lesser extent, the military intelligence organization (GRU). Favorite targets include government contractors.

• Terrorism – In the 1980s and 1990s, British government departments and their counterparts in the commercial sector were targeted by various groups with no small degree of success. As one group is neutralized, new threats emerge to take their place. MI5 currently monitors thousands of potential terrorists and hardly a week seems to go by without new suspects being arrested.

In conclusion, the complexity and range of the threat is far more involved than it initially appears to be. The climate we live in makes security everybody’s problem and it’s critical that every organization, large or small, understands the risks and is prepared for them.

Engaging a Penetration Testing Team

This chapter covers the basics of physical penetration and its goals. You may be reading this with the intention of engaging a company to carry out a physical test. Before you read any further you should consider the costs, potential benefits and limitations associated with such an exercise. Is this really something you need? Is it really something that your organization will benefit from? Other questions you should ask yourself are these:

• Do you currently have an all-encompassing security policy?

• Are you auditing against that policy?


• What do you wish to learn from the exercise?

• Are there specific areas you lack confidence in and want tested?

• Should the test be black box or crystal box?

• How do you expect your organization to fare?

• Are you engaging a test to justify additional security budget?

If you don’t have a security policy, then implementing one should be your priority. If you don’t expect to perform very well in the test, consider why this is and implement additional security controls in these areas. If you don’t feel you have sufficient budget and are looking to boost it with demonstrable security weaknesses then don’t worry, you’re not alone. In fact, this is the number one reason that companies engage in any form of penetration test for the first time.

Summary

This chapter has covered the basics of what you need to know if you want to get to grips with the somewhat involved field of physical penetration testing. There’s a lot more to cover beyond the essentials introduced here. There’s much more to security than just the technical aspects and there’s much more to technical security than just buffer overflows. You’ve looked a little at what penetration testers do when faced with physical assignments as well as the history of the industry and how it grew largely out of its military infancy into the commercial sector as the need arose. Most importantly, I have covered the basic terminology, which is critical to understanding later material. Getting used to the terminology also gets you into the right mindset.

I’ve also introduced a little of why you would want to conduct this form of testing and the threats that different organizations face. If you’re reading this book from the perspective of a security manager or CIO you should be a little clearer on what’s involved in hiring a testing team.


2 Planning Your Physical Penetration

There is an old joke that ‘in theory, theory and practice are the same thing, but in practice they’re not’. Touché. The important thing to remember during the planning phase is that nothing is, nor should be, set in stone. Your testing plan should be flexible enough to accommodate contingency arrangements should assumptions turn out to be incorrect or should circumstances you previously took for granted change. This chapter is drawn from my own experience planning physical penetration tests. My own methods have been tweaked over years of experience. You should draw from it or add to it as befits the individual requirements with your team.

When putting together an engagement scenario, you must consider the potential risks your client faces and what benefit physical testing will provide to them. If you perform generic testing or just go through the motions, you are wasting everyone’s time and money. Consider this example: A high-end optics company wants a physical test performed on their European headquarters. The facility is large and employs several hundred people (mainly sales, middle management and support personnel). The site also houses the distribution warehouse for all products shipped to Europe, the Middle East and Africa. What is their primary risk? It’s not espionage: no research and development is performed at the site although, like all the company’s sites worldwide, it’s networked. This company makes cameras, scanners and lenses, which is not a controversial line of business per se; therefore, the risk of infiltration by journalists and activists is minimal. In this instance, the biggest concern is probably simple theft. As the company produces devices that cost many thousands of dollars and fit into a backpack, the warehouse would be a tempting target for thieves. This is not to say that the offices, staff and computer network should not be considered in a penetration test but you must identify the client’s risks as they relate to their business interests.

The above notwithstanding, a lot of the time you won’t have much input into determining the target assets and will be heavily directed to the areas that the client wants tested. However, you should not be shy in saying if you think any given scenario offers little real-world value and suggesting better alternatives. In the previous example, a testing team would have little difficulty in entering the target offices and taking photographs but would completely ignore the real issues. Risks vary between organizations but consider the examples in Table 2.1.

Table 2.1 Organization types and risks

Business area                    Example risk        Example scenario
Central government or military   Terrorist attack    Smuggling a package into a secure area.
Corporate headquarters           Espionage           Access to files or computer systems.
Luxury car dealership            Theft               Removing assets.

Building the Operating Team

The operating team actually carries out the physical penetration and members can be divided into different roles with different responsibilities and areas of expertise. The team makeup will vary with each test as no two are alike; consequently, it is not enough to build one team and hope for the best. This must be done in the planning phase for every test. Financial and other practical considerations make it likely that these roles will overlap and team members will assume more than one role even within a single test.


Operator

Operator is a generic term used to refer to a core member of the operating team. This term is used to refer to all team members regardless of their specialties or roles. The basic operator role is where everybody starts before training in a specialist field. Though all team members may accurately be referred to as operators, these are usually the people who directly participate in testing rather than in a support role. As I say, the term is generic and does not imply expertise in any given role.

Team Leader

This team member has the ultimate responsibility for delivering the assignment, managing the project and team members, liaising with the client, and so on. This role shouldn’t be permanent but cycled. This gives everyone leadership experience and encourages fresh approaches. The team leader usually leads the team in the field but sometimes this needs to be done from headquarters (HQ) where he takes the role of coordinator. It is not unusual to delegate the role of team leader to an operator in the field while retaining an HQ coordinator, as this gives you the best of both worlds.

Coordinator or Planner

The coordinator directs and assists team members from HQ or from another offsite location when the team leader is deployed with the main operating team. This member of the team ensures that offsite assistance (technical, legal, reference, social engineering, etc.) is always available. When direct offsite coordination of deployed operators is unnecessary, it is still usual to have someone in this role and absolutely critical if multiple vectors or teams are deployed simultaneously against the same target. A common example would be a physical test carried out in parallel with a computer-based intrusion, particularly when information from each team needs to be fed into the other; a successful computer intrusion may depend on information gathered on site and a successful physical intrusion may need ongoing remote intelligence or some form of electronic control.

Social Engineer

Social engineering is the art of deception and human manipulation, a critical skill to the success of the sort of engagement discussed in this book. The basics of social engineering are discussed in Chapter 4 but expertise in this field cannot easily be taught; it is either natural or learned through experience.

Social engineering is mostly performed off site and is an attack commonly performed prior to physical testing. That being said, all operators can be expected to perform some degree of social engineering while on site.

Computer Intrusion Specialist

This role is also referred to as the ‘ethical hacker’, a discipline in and of itself. The computer intrusion specialist is responsible for gaining access to computers and networks. In the context of a physical penetration test, this will usually (but not exclusively) be performed on site. The key targets in physical penetration testing are usually information systems, therefore it is unlikely you will have much long-term success unless your resources include people capable of this kind of work. Luckily, the computer-penetration testing industry is booming and this skill set is not hard to find.

Physical Security Specialist

This team member should be skilled in picking locks and in profiling and defeating physical security measures in general. Usually at least one member of the team should have rudimentary skills in this area. Picking locks is not difficult but it does take practice and a little luck. I cover everything you need to get started in Chapter 5 and refer to various bits of equipment that will make your life a little bit easier.

Surveillance Specialist

This team member is expected to be able to capture photos of buildings, staff, badges, dumpsters and perimeter security. Surveillance staff should obviously be skilled with a camera although this is only the most basic prerequisite. A surveillance operator is a core member of the team and must be capable of gathering evidence by covert means on foot, in a vehicle or by public transport. Covert photography is discussed in Chapter 6 and expands a little on these themes.

Assigning Roles to Team Members

The roles in the previous sections do not describe individual team members but specialist skill sets – the roles that any given team member may be asked to assume in the execution of a test. Only the largest testing groups will be able to deploy operating team roles at this level of resolution. Even then, doing so is neither cost effective nor operationally efficient.

Efficiency demands that individual team members adopt multiple areas of responsibility. For example, information gathering is not listed as a specialist skill set. This is something that every team member will have to contribute to throughout the test and, given the numerous disciplines this encompasses, it cannot be considered ‘specialist’ per se.

Some equipment is standard on all assignments; some is not required; much is optional. The overall nature of the test and the roles a particular team member has been assigned should determine the equipment you allocate to team members. A comprehensive discussion of kit can be found in Chapter 8.

The very definition of a team means that individual team members will have different skill sets and will be naturally predisposed towards certain roles. Allocating an ethical hacker to a social-engineering role is not just a waste of resources but demonstrates a lack of understanding of the qualities that make up a good social engineer. They are not necessarily compatible with the nature of an ethical hacker. In principle at least, anyone can learn and become skilled at ethical hacking, photography, or lock picking. Social engineering requires a certain kind of personality: confident, extroverted, and generally good with people. This is not something in which one can become accredited. On the other hand, the abilities of a computer intrusion specialist may not be immediately apparent to somebody inexperienced in ethical hacking. Therefore practitioners must either have demonstrable experience in the field or possess baseline accreditation (the former being preferable). Security accreditation is discussed in the appendices.

I strongly advise that when putting together a team you include only your own staff members. Using contractors is not recommended for operational and legal reasons. Think about this from the perspective of your client who might object to you bringing in third parties who may be unknown to you and whose credentials may be harder to verify.

Project Planning and Workflow

As you plan your project, create a workflow to be sure that you cover all aspects of the assignment. The workflow in Figure 2.1 shows the stages, more or less, that any physical test will follow. Although vague, the chart in Figure 2.1 can easily be imported into your own project management methodology.

[Figure 2.1: workflow chart. Only the stage labels survive from the image: Photographic Surveillance, Reappraise Roles, Social Engineering, Execute Assignment, Write Report.]

When the planning phase is concluded, the paper output of each stage will make up part of the project document set.

There are a number of phases involved in preparing for an engagement. Some are unavoidable and some are open to interpretation. However, I take the following approach because it’s thorough and leaves as little as possible to chance:

1. Receiving the assignment – At this stage, contracts have been signed and certain legal formalities observed.

2. Negotiating the Rules of Engagement – These define what you can and can’t do during testing and their purpose is usually to limit testers to a certain scope.

3. Performing Preliminary Research – You are now ready to pursue the initial information-gathering phase. This will take many forms:

   • Determining Risk – It’s important to accurately gauge the risk a project poses both to the company and to the team members executing it.

   • Writing a Test Plan – A formal (but flexible) test plan is a good idea from both project management and legal perspectives.

   • Gathering Equipment – Equipment is discussed in Chapter 8 but it’s important for the team to take gear that’s appropriate to the test without being over encumbered.

4. Providing documentation and legal requirements – Once the planning stage is complete you will have a not insignificant amount of documentation. We discuss what you should have and who should have access to it.

Receiving the Assignment and Negotiating the Rules of Engagement

The planning phase usually begins when contracts are signed and exchanged. However, this is not exclusively the case. Some clients want to negotiate the rules of engagement (RoE) and include them as a section of the contract prior to signing. This is a matter of preference: larger organizations tend to want as much detail in the contract as possible. The RoE are tremendously important. They are the operational parameters within which penetration test team members work; they guide and constrain the team. They exist to determine not only what needs to be considered during the lifecycle of the project but also to protect testers and clients from misunderstandings and the legal consequences these can generate. RoEs are mutually agreed to by testers and the client. Here is a list of the minimum considerations:

• You must determine which areas of security the client considers to be weak and wants tested, for example the physical perimeter security.

• You must determine which areas of testing the client wishes to avoid for legal reasons, such as close surveillance of staff. Some clients may prefer to avoid testing in some areas because confidence in that area is high or it has been recently assessed.

• You must agree on which team members will carry out testing. Not all team members may hold the necessary clearances.

• You must agree on the duration of the test or the maximum time permitted.

• You must agree about the level of information given in advance (if any). A test in which the operating team gets substantial information in advance (in order to save time and focus on a particular area) is called ‘crystal box testing’. When no information is provided the test is referred to as ‘black box testing’. Something in the middle may be called a ‘grey box test’.

• You must agree on the target assets. Assets are components of the overall goal. Usually an asset is something the team must acquire, identify, gain access to, or photograph. Examples include network operation centers, passwords or target personnel.

• You need to agree on the circumstances that must occur for the test to be considered a success from the perspective of the operating team.

• You should outline the circumstances that must occur for the test to be considered a failure from the perspective of the operating team.

• You should include circumstances in which, if they occur, the test is considered to be aborted.

• You must agree on the actions to be taken directly following successful, failed and aborted tests.

• You must set a schedule for the presentation and delivery of the post-testing report.

Once you and your client agree about these details, document the complete RoE for addition to the project document set.
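Several of the RoE items above (authorised target assets, the named team members, the agreed duration, the areas the client wants left alone), together with the Computer Misuse Act point earlier in the chapter that permission for one network does not extend to the adjacent one, can be enforced mechanically rather than remembered under pressure. The following is an added example written for this page, not the book’s own material or a tool it describes: it encodes a constructed RoE record (a fictional client, RFC 1918 and RFC 5737 placeholder addresses, made-up operator names and dates) and refuses any proposed test action that is outside the authorised networks, outside the agreed window, by an operator not named in the RoE, or an excluded activity, keeping a log of refusals for the post-test report.

```python
"""Rules-of-engagement scope guard.

Added example, not code from the book: a few RoE items are turned into data
and every proposed test action is checked against them before it happens.
All client names, addresses, people and dates below are constructed placeholders.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import ipaddress


@dataclass
class RulesOfEngagement:
    client: str
    authorised_networks: list[str]      # CIDR blocks the client signed off on
    authorised_operators: set[str]      # team members named in the RoE
    window_start: datetime              # agreed testing window (UTC)
    window_end: datetime
    excluded_activities: set[str] = field(default_factory=set)
    refusals: list[str] = field(default_factory=list)   # audit trail for the report

    def check(self, operator: str, target: str, activity: str, when: datetime) -> tuple[bool, str]:
        """Return (allowed, reason). Every refusal is recorded with its reason."""
        allowed, reason = self._evaluate(operator, target, activity, when)
        if not allowed:
            self.refusals.append(f"{when.isoformat()} {operator} {activity} {target}: {reason}")
        return allowed, reason

    def _evaluate(self, operator: str, target: str, activity: str, when: datetime) -> tuple[bool, str]:
        if operator not in self.authorised_operators:
            return False, f"{operator} is not named in the RoE for {self.client}"
        if not (self.window_start <= when <= self.window_end):
            return False, "outside the agreed testing window"
        if activity in self.excluded_activities:
            return False, f"activity '{activity}' is excluded by the RoE"
        try:
            addr = ipaddress.ip_address(target)
        except ValueError:
            # Hostnames are refused on purpose: resolve first, then check the address,
            # so a stale DNS record cannot quietly point the test at someone else's host.
            return False, f"'{target}' is not an IP address"
        if not any(addr in ipaddress.ip_network(net) for net in self.authorised_networks):
            return False, f"{target} lies outside every authorised network"
        return True, "in scope"


def constructed_roe() -> RulesOfEngagement:
    """A constructed RoE for a fictional client; 10.0.2.0/24 is a neighbouring tenant."""
    return RulesOfEngagement(
        client="Example Optics EMEA (fictional)",
        authorised_networks=["10.0.1.0/24", "192.0.2.10/32"],
        authorised_operators={"alice", "bob"},
        window_start=datetime(2024, 3, 4, 22, 0, tzinfo=timezone.utc),
        window_end=datetime(2024, 3, 5, 6, 0, tzinfo=timezone.utc),
        excluded_activities={"staff-surveillance"},
    )


def _run() -> tuple[dict[str, bool], list[str]]:
    """Push a handful of proposed actions through the guard; return verdicts and the refusal log."""
    roe = constructed_roe()
    in_window = datetime(2024, 3, 5, 1, 0, tzinfo=timezone.utc)
    after_window = datetime(2024, 3, 5, 9, 0, tzinfo=timezone.utc)
    proposals = {
        "authorised host, in window":      ("alice", "10.0.1.7", "port-scan", in_window),
        "adjacent network (wrong tenant)": ("alice", "10.0.2.7", "port-scan", in_window),
        "operator not in RoE":             ("carol", "10.0.1.7", "port-scan", in_window),
        "after the testing window":        ("bob", "10.0.1.7", "port-scan", after_window),
        "excluded activity":               ("bob", "10.0.1.7", "staff-surveillance", in_window),
        "unresolved hostname":             ("bob", "fileserver.example", "port-scan", in_window),
        "single authorised host":          ("bob", "192.0.2.10", "port-scan", in_window),
    }
    decisions = {name: roe.check(*args)[0] for name, args in proposals.items()}
    return decisions, roe.refusals


def scope_decisions() -> dict[str, bool]:
    return _run()[0]


def refusal_log() -> list[str]:
    return _run()[1]


if __name__ == "__main__":
    for name, allowed in scope_decisions().items():
        print(f"{'ALLOW' if allowed else 'REFUSE':6} {name}")
    print("\nrefusals logged for the report:")
    for line in refusal_log():
        print(" ", line)
```

The guard deliberately refuses hostnames and accepts only addresses already resolved and checked, since a shared-premises DNS record is exactly the kind of detail that lands a team in the neighbouring tenant’s network. The refusal log doubles as evidence, at report time, that the team stayed inside the agreed scope.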

Performing Preliminary Research

The techniques involved in conducting preliminary research and information analysis can be found in various chapters throughout this book. Here I discuss the subject purely from the perspective of comprehension and planning.

Preliminary intelligence gathering can broadly be categorized into the areas in the following list. Given that your goals usually (though not necessarily) revolve around gaining access to corporate or government facilities, the sort of intelligence you gather must further and support these ends:

• Human Intelligence (HUMINT) – intelligence gathered directly from human sources.

  In general, HUMINT refers to privileged, although not necessarily classified or formally confidential, information obtained from insiders under false pretences. The act of gathering such information is referred to as social engineering and it’s an important enough subject to be treated on its own (see Chapter 4). The skilled use of human intelligence gathering will give the operating team a considerable edge when penetrating any organization.

• Signals Intelligence (SIGINT) – intelligence gathered through the use of interception or listening technologies.

  Breaching site-wide wireless networks from outside the target core is a form of SIGINT that you might consider using during the preliminary phase. However, in general, this is likely to be secondary to other forms of intelligence gathering in the preliminary phase (unless the target has extremely insecure or exposed communications). After physical security borders have been crossed (referred to as moving from PRIME to CORE), signals intelligence becomes more important as network links and short-range wireless technologies become available.

• Open Source Intelligence (OSINT) – intelligence that draws on information from public sources.

  These sources are most likely to be found either on or via the Internet. Employee information, for instance, is particularly useful when engaging in pretexting and other forms of social engineering.

• Imagery Intelligence (IMINT) – intelligence gathered through recorded imagery, i.e. photography.

  If possible, photographs of the target site and possibly staff should be acquired in the preliminary phase, depending on the nature of the engagement. The value of good photographic intelligence cannot be overstated and its benefit will become increasingly apparent throughout this book. Historically, IMINT also refers to satellite intelligence; however satellite imagery is a crossover between IMINT and OSINT as far as it extends to Google Earth and its equivalents.

Determining Risk

Ultimately, it is the team leader’s responsibility to determine what constitutes an acceptable level of project risk. If the team leader feels the level of risk is too high then the RoE should be reassessed or the test should not be carried out. Risk in physical penetration testing can be expressed in a number of ways but can be broadly categorized into the following areas, which are linked and overlapping – no risk exists in a vacuum – contractual, operational, legal and environmental risks. Enthusiastic project managers will notice this provides you with a convenient acronym – COLE.

• Contractual Risks – Contractual problems usually occur when the testing company has bitten off more than it can chew and the team’s ability to deliver the assignment falls short of its contractual obligations. This is a common but avoidable problem. To put it another way, because an inadequately prepared and poorly trained team has been unable to complete an assignment does not necessarily mean that the client is secure. This is a common thread throughout all spheres of vulnerability assessment, but particularly in physical penetration testing as failures tend to be more apparent. Never take an assignment that you don’t believe you can complete or that cannot be completed.

• Operational Risks – These are inadvertent or unforeseen problems during the execution of a test that, at best, lead to difficulty completing the assignment and, at worst, to an aborted mission. Operational risks are usually predictable with a little forethought and are, therefore, avoidable. Examples include:

  • Communications breakdown due to human or technical failure.

  • Inexperienced team members misinterpreting instructions or goals.

  • A failure to assess correctly the difficulty of achieving an initial milestone, leading to subsequent meltdown.

• Legal Risks – A project may incur direct or indirect legal risk. Team members may be put in a position that could directly lead to their arrest. This may happen when an overly enthusiastic security guard circumvents procedure and directly involves law enforcement; when someone believes a team member is acting suspiciously and calls the police; or when team members are directly apprehended by the police, for example, during a night-time penetration exercise.

  During a black box test, the scope may be operationally exceeded, sometimes catastrophically. An example of this is penetrating the wrong facility or business. Don’t laugh; this happens, particularly in shared premises. Imagine the embarrassment of hacking the wrong wireless network or of hearing that a team member (possibly lacking in basic math) has climbed through the wrong window into a neighboring business’s board room. At the very least, this may involve explaining to a judge that you accidentally broke into the wrong building. Such mistakes are invariably expensive.

Posted: 29/10/2019, 14:20
