ECSA/ LPT
EC
Council
Module XXIX
EC
-
Council
Physical Security
Penetration Testing
Penetration Testing
Penetration Testing Roadmap
Start Here
Information
Vulnerability External
Gathering
Analysis Penetration Testing
Fi ll
Router and
Internal
Fi
rewa
ll
Penetration Testing
Router

and

Switches
Penetration Testing
Internal

Network
Penetration Testing
IDS
Penetration Testing
Wireless
Network
Penetration Testing
Denial of
Service
Penetration Testing
Password
Cracking
Stolen Laptop, PDAs
and Cell Phones
Social
Engineering
Application
Cont’d
EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Penetration Testing
Penetration Testin
g
Penetration Testing
Penetration Testin
g
Penetration Testing Roadmap

(cont

’
d)
(cont d)
Cont’d
Physical
Security
Database
Pii
VoIP
PiTi
Security
Penetration Testing
P
enetrat
i
on test
i
ng
P
enetrat
i
on
T
est
i
n
g
Vi d
Vi
rus an

d

Trojan
Detection
War Dialing
VPN
Penetration Testing
Log
Management
Penetration Testing
File Integrity
Checking
Blue Tooth and
Hand held
Device
Penetration Testing
Telecommunication
And Broadband
Communication
Email Security
Penetration Testin
g
Security
Patches
Data Leakage
Penetration Testing
End Here
EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited

Communication

Penetration Testing
g
Penetration Testing
Penetration

Testing
Physical Attacks
Firewalls cannot be a deterrent against physical intrusions
Firewalls cannot be a deterrent against physical intrusions
.
Information assets cannot be safeguarded if proper physical
security measures are not in place.
Attackers/intruders can copy all important password files to a
floppy disk.
Boot the computer using USB drives and mirror the hard disk
in Apple
’
s iPod
EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
in Apple s iPod
.
Steps in Conducting Physical
Security Penetration Testing
1
• Map the possible entrances
Security Penetration Testing

2
• Map the physical perimeter
3
• Penetrate locks used by the gates, door and closets
4
• Overviewing from outside
5
• Penetrate server rooms, cabling, and wires
6
• Attempt lock picking techniques
7
• Fire detection systems
8
• Air conditioning systems
9
• Electromagnetic interception
EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
10
• Test if the company has a physical security policy
Steps in Conducting Physical Security
Penetration Testing (cont
’
d)
11
• Physical assets
Penetration Testing (cont d)
12
•Risk test

13
• Test if any valuable paper document is kept at the facility
14
• Check how these documents are protected
15
• Employee access
16
• Test for radio frequency ID (RFID)
17
• Physical access to facilities
18
• Documented process
19
• Test people in the facility
EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
20
• Who is authorized?
Steps in Conducting Physical Security
Penetration Testing (cont
’
d)
21
• Test fire doors
Penetration Testing (cont d)
22
• Check for active network jacks in meeting rooms
23
• Check for active network jacks in the company lobby

23
24
• Check for sensitive information lying around meeting rooms
•
Check for receptionist/guard leaving lobby
25
Check for receptionist/guard leaving lobby
26
• Check for accessible printers at the lobby – print test page
Ob i h / l li i f h l bb i i
27
•
Ob
ta
i
n

p
h
one
/
personne
l li
st
i
ng
f
rom

t

h
e
l
o
bb
y

recept
i
on
i
st
28
• Listen to employee conversation in communal areas/cafeteria
EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
29
• Can you enter the ceiling space and enter secure rooms?
Steps in Conducting Physical Security
Penetration Testing (cont
’
d)
30
• Check windows/doors for visible alarm senses
Penetration Testing (cont d)
31
• Check visible areas for sensitive information
32
• Try to shoulder surf users logging on

32
33
• Try to videotape users logging on
•
Check if exterior doors are guarded and monitored
34
Check if exterior doors are guarded and monitored
35
• Check guard patrol routines for holes in the coverage
I d l d i i
36
•
I
ntercept

an
d
ana
l
yze

guar
d
commun
i
cat
i
on
37
• Attempt piggybacking on guarded doors

EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
38
• Attempt to use fake ID to gain access
Steps in Conducting Physical Security
Penetration Testing (cont
’
d)
39
• Test “after office hours” entry methods
Penetration Testing (cont d)
40
• Identify all unguarded entry points
4
1
• Check for unsecure doors
4
42
• Check for unsecure windows
•
Attempt to bypass sensors configured on doors and windows
43
Attempt to bypass sensors configured on doors and windows
44
• Attempt dumpster diving outside the company trash area
bi l f id h b ildi d if i h i i i id
45
•Use
bi

nocu
l
ars
f
rom outs
id
e t
h
e
b
u
ildi
ng an
d
see
if
you can v
i
ew w
h
at
i
s go
i
ng on
i
ns
id
e
46

• Use active high frequency voice sensors to hear private conversation among company staff
EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
47
• Dress as a FedEx/UPS employee and try to gain access to the building
Step 1: Map the Possible
Entrances
Entrances
Locate different ways people can enter the
premises:
• Through doors
•Throu
g
h windows
premises:
g
• Fire exits
EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Step 2: Map the Physical
Perimeter
Perimeter
Draw the map of a physical perimeter of the target
Draw the map of a physical perimeter of the target
•
Doors used
Identify the following:
•

Doors used
• Types of windows used
• Ceiling strength
• Basement
• Access policies
• Types of locks used
EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Step 3: Penetrate Locks Used on
the Gates, Doors, and Closets
the Gates, Doors, and Closets
Try to penetrate locks
Try to penetrate locks
You will need lock picking tools to accomplish this task
You will need lock picking tools to accomplish this task
EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Step4: Observing From a
Distance
Distance
U tl ht h f ht hi d t
U
se
t
e
l
ep
h

o
t
ograp
h
y
f
or

p
h
o
t
ograp
hi
ng
d
ocumen
t
s
Capture the documents from any position at an angle >15
degree above horizontal
EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Step 5: Penetrate Server Rooms,
Cabling and Wires
Cabling
,
and Wires
Penetrate server rooms

EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Step 6: Attempt Lock Picking
Techniques
Techniques
A lk iki
A
ttempt
l
oc
k
p
i
c
ki
ng
EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Step 7: Fire Detection Systems
What ha
pp
ens if the fire alarm is
pp
triggered?
A
skilled hacker can easil
y
steal

y
computers and laptops in a panic
situation.
Check the fire alarm system policies and
procedures within the company.
EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Step 8: Air Conditioning Systems
Check the air conditioning systems for possible penetration attempts.
Check the air conditioning systems for possible penetration attempts.
Investi
g
ate the air condition ducts and check for wa
y
s of hidin
g

gyg
information devices.
EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Step 9: Electromagnetic
Interception
Interception
An attacker using an antenna an a receiver can monitor and retrieve
lifid
iti
if ti

it
i
bi
d
ith t
th
c
l
ass
ifi
e
d
or sens
iti
ve
i
n
f
orma
ti
on as
it
i
s
b
e
i
ng processe
d
w

ith
ou
t
th
e
user being aware that a loss is occurring.
Bug a telephone line inside the building and see if you can pick up the
signals from outside the building using frequency receivers.
EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Check for the Following
Physical access to facilities
Physical access to secure areas within facilities
Ph i l t ti (
Ph
ys
i
ca
l
access
t
o

compu
ti
ng

resources
(

e.g.,

workstations, laptop computers)
Ph
y
sical access to
p
a
p
er records
ypp
EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Step 10: Test if the Company has
a Ph
y
sical Securit
y
Polic
y
yyy
Without a physical security policy, there are no formal requirements
Without a physical security policy, there are no formal requirements
for what is to be done to physically secure the company.
An employee will not necessarily know what to do from a physical
security perspective.
EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited

Step 11: Physical Assets
Assess the value of physical assets (e.g., computers, equipment,
i
if i )
f
h
propr
i
etary
i
n
f
ormat
i
on
)
o
f
t
h
ecompany.
EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Step 12: Risk Test
The risk associated with physical security at a given facility is
largely dependent on the value of the items inside the facility.
EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited

Step 13: Test if any Valuable Paper
Document is Ke
p
t at the Facilit
y
py
Im
p
ortant documents should not be left unattended.
p
Sensitive documents should be kept in safes, lockers, and so on.
EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Step 14: Check how these
Documents are Protected
Documents are Protected
How are they protected?
How are they protected?
What physical access measures have been taken to prevent
unauthorized access to paper documents?
Are sensitive paper documents shredded before they are thrown away?
What would the impact be to the company if unauthorized individuals
accessed these documents?
EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
accessed these documents?
Step 15: Employee Access
Employee access to sensitive facilities in the organization should be

restricted.
The
physical
security
measure
related
to
personnel
security
should
be
The
physical
security
measure
related
to
personnel
security
should
be
in place.
EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited