
Chapter 2. Planning Your Physical Penetration Tests

The first casualty of war is the plan.


The goal of this chapter is to give you the knowledge to build the right team to carry out a physical penetration test. This is no small task; it involves assembling a team, designating appropriate roles, organizing preliminary research and being able to confidently plan the assignment from start to finish. There are also administrative and legal aspects to take into consideration. After the planning phase of the project is complete, your team members should know what is expected of them and, just as importantly, what to expect from the assignment. Work you put into the planning phase will be rewarded during execution.

There is an old joke that 'in theory, theory and practice are the same thing, but in practice they're not'. Touché. The important thing to remember during the planning phase is that nothing is, nor should be, set in stone. Your testing plan should be flexible enough to accommodate contingency arrangements should assumptions turn out to be incorrect, or should circumstances you previously took for granted change. This chapter is drawn from my own experience planning physical penetration tests, and the methods in it have been refined over years of engagements. Draw from it or add to it as befits the individual requirements of your team.

When putting together an engagement scenario, you must consider the potential risks your client faces and what benefit physical testing will provide to them. If you perform generic testing or just go through the motions, you are wasting everyone's time and money. Consider this example: A high-end optics company wants a physical test performed on their European headquarters. The facility is large and employs several hundred people (mainly sales, middle management and support personnel). The site also houses the distribution warehouse for all products shipped to Europe, the Middle East and Africa. What is their primary risk? It's not espionage: no research and development is performed at the site although, like all the company's sites worldwide, it's networked. This company makes cameras, scanners and lenses, which is not a controversial line of business per se; therefore, the risk of infiltration by journalists and activists is minimal. In this instance, the biggest concern is probably simple theft. As the company produces devices that cost many thousands of dollars and fit into a backpack, the warehouse would be a tempting target for thieves. This is not to say that the offices, staff and computer network should not be considered in a penetration test but you must identify the client's risks as they relate to their business interests.

The above notwithstanding, a lot of the time you won't have much input into determining the target assets and will be heavily directed to the areas that the client wants tested. However, you should not be shy in saying so if you think a given scenario offers little real-world value, and in suggesting better alternatives. In the previous example, a testing team would have little difficulty in entering the target offices and taking photographs, but a test scoped that way would completely ignore the real issue: theft from the warehouse. Risks vary between organizations, but consider the examples in Table 2.1.

Table 2.1. Organization types and risks

Business area                    Example risk       Example scenario
Central government or military   Terrorist attack   Smuggling a package into a secure area.
Corporate headquarters           Espionage          Access to files or computer systems.
Luxury car dealership            Theft              Removing assets.
