Physical Penetration Testing – A London Law Firm
The Client
Our client was a CSO who had just commenced a new role at a global law firm with offices in London and four other UK cities. His requirement was to quickly establish the security posture of the buildings and the staff security culture, and to identify any vulnerabilities which required attention.
The Client Consultation
Our first step was to conduct a thorough client consultation. We established the locations that we would be testing, the known and potential unknown adversaries faced by the business, and the client’s appetite for our range of tests. This was a chance for us to explain our capabilities to the client and to gain an understanding of who the threat actors were, enabling us to create a range of tests to realistically replicate the measures that they would use.
The Threat Actors
The law firm was primarily concerned about well-planned attacks from criminal entities aiming to obtain their clients’ personal information and information relating to ongoing cases. They were also aware that opportunistic attackers could seek entry to steal hardware or other office items.
The Planning Stage
Once we had agreed on the scope of our tests, we conducted reconnaissance of each building to be tested. This lasted for five days in each location, during which time we identified who the contractors, suppliers, staff and visitors were, what time various people arrived, how the security measures operated and the obvious physical weaknesses of the buildings.
We then spent two weeks researching the business as a whole, the individual offices, the key executives and the employees. The information that we gained assisted us in deploying social engineering methods to identify additional information regarding the workings of the business, and we started to draw up a plan of how we would gain access to the buildings.
We chose our team based on the pretexts that we thought would enable us to gain entry. They ranged from facilities and contractor guises to visiting executives from other offices.
The Deployment
We deployed our tests simultaneously to minimise the chance of suspicion being passed between sites. We gained entry to every building, some multiple times.
Our aim is rarely to just gain entry. When replicating an attack, we need to reach the targets that the adversaries would aim for. Once inside, we wanted to prove that confidential information could be accessed, items could be removed, and we could exit without detection. We are also continuously assessing as we move through the building. We need to present our clients with highly comprehensive reports which make genuine recommendations to enhance their security and safety.
A big part of our testing is around the security of the organisation’s people. Very often, people can be coerced or tricked into providing information and access. Our aim is to present these findings neutrally, without blame, in a way from which people will learn and adopt different security techniques.
In this instance, our physical infiltrations resulted in accessing unlocked computers, gaining information relating to the network and Wi-Fi used, inserting keylogging devices onto computers, installing replica audio eavesdropping and video bugging devices, and the removal of hard drives. We found passwords, personal information and an access badge that allowed our entry into the most secure parts of the buildings.
We were not compromised at any of the buildings, and the hardware that we removed was not reported as missing until we were a considerable distance from the target buildings.
The Result
Our report was presented to the client, who was able to request a budget to improve some access control measures and, most importantly, to develop a staff training package to ensure that vital policy and procedure information was communicated correctly to staff and the correct measures were adopted.
The financial cost of our project was minimal compared to the damage that could have been caused by a genuine hostile attacker.
For a free Penetration Testing Quotation contact us:
Email: enquiries@sloaneriskgroup.com
Phone: 0203 633 0672
Website: www.sloaneriskgroup.com