Military organizations, particularly the US military, have employed penetration testing teams (called 'tiger teams' or 'red teams') for decades. Their remit is to penetrate friendly bases to assess the difficulty an enemy would have gaining the same access. This could involve planting a cardboard box with the word 'bomb' written on it or attempting to steal code books. It might involve gaining access to a secure location and taking photographs or removing something of intelligence value. As time has gone by, the term 'tiger team' has become more associated with computer penetration teams; however, the term is still widely used in its original context within the military.

The challenges faced by testers in the private and government sectors are very different from those presented to military tiger teams, not least because they have significantly less chance of being shot at. (I speak from experience ...) However, while the attackers that one wishes to guard against are fundamentally different (terrorists in one case and industrial espionage actors in the other, for example), the approach is not dissimilar. All testers start with a specific goal, gather intelligence on their target, formulate a plan of attack based on the available information and finally execute the plan. Each of these steps is covered in detail in this book, but first, in the interests of consistency, let's consider some of the terms I will be using throughout this text:
Target – the client initiating the test and the physical location (or locations) at which the test is to be conducted;
Goal – that which must be attained in order for the penetration test to be considered successful, such as the following examples:
Breach border security at the target location (the simplest form of test, often as basic as penetrating beyond reception, where most physical security procedures end).
Gain physical access to the computer network from within the target location.
Photograph a predetermined asset.
Acquire a predetermined asset.
Gain access to predetermined personnel.
Acquire predetermined intelligence on assets or personnel.
Plant physical evidence of presence.
Any combination of the above.
Asset – a location within the target, something tangible the operating team must acquire (such as a server room or a document) or something intangible such as a predetermined level of access;
Penetration test – a method of evaluating the security of a computer system, network or physical facility by simulating an attack by an intruder;
Operating team – the team tasked with conducting a penetration test. In the context of a physical penetration and starting from the moment the test is initiated, the operating team is likely to consist of:
planners;
operators (those actually conducting the physical test);
support staff.
The makeup of the team will depend on the nature of the test. For example, a test involving computer access following a successful physical penetration must have at least one operator skilled in computer intrusion. Those skilled in social engineering are likely to be deployed in a planning or support capacity.
Scope – the agreed rules of engagement, usually based around either a black box (zero knowledge) approach, in which the operating team is given no information about the target, or a crystal box approach, in which information about the target is provided by the client;
Anticipated resistance or security posture – the level of resistance the operating team can expect to face, which depends on a number of factors:
the nature of the target;
security awareness among staff;
quantity (and quality) of security personnel;
general preparedness and awareness of potential threats at the target.