Ryan Vela
Breach Defense Playbook: Assessing Your Security Controls

Do you include physical security as part of your cybersecurity risk management plan?

Physical access to your network and IT assets is as important as access through 1s and 0s. A security controls assessment is meant to test the perimeter defenses that you have implemented around your physical appliances, hardware, wiring, and support systems.

You should leverage real-time assessments of your security measures in order to protect your sensitive data. Organizations that perform security controls assessments generally rely on penetration testing and social engineering, but a physical infrastructure has many more weaknesses that can also be exploited. Testing the multiple facets and layers of perimeter security effectively can yield significant improvements in security and reduce costs by streamlining the organization's overall security plan. Likewise, once weaknesses are identified, the organization will know which areas of the IT network, physical structures, and personnel security need additional training or support to prevent external or internal threats from exploiting those weaknesses.

Threats from insiders are as important as external threats. No organization wants to imagine that it has hired someone who would attempt to cause harm, but the reality is that this is not as uncommon as organizations would hope. Therefore, reasonable precautions should be implemented to protect sensitive data.

When performing your security controls assessment, you should structure the assessment on three areas that will overlap one another:

  • Physical security
  • Social engineering
  • On-premise internal network vulnerability

For guidance, you can leverage NIST SP 800-53 Security and Privacy Controls for Federal Information Systems and Organizations; SANS Security Laboratory: IT Managers -- Safety Series; the PCI Data Security Standard; and the SANS Institute InfoSec Reading Room: Security Assessment Guidelines for Financial Institutions, Developing Security Policies For Protecting Corporate Assets, System Administrator -- Security Best Practices, and Data Center Physical Security Checklist.

Physical Security Assessment

Your assessment should be tailored to meet your specific environment and testing needs. Evaluate the physical security measures currently in place and the documentation implemented to protect critical data systems and information. Include in your review both external and internal controls and policies that govern employee access, vendor access, visitor access, responsibilities, and educational awareness. Focus your physical security assessment in eight primary areas:

  • Location (community, region)
  • Perimeter penetration testing by unauthorized personnel
  • Interior computer room penetration testing by unauthorized personnel
  • Disaster recovery and geographic location risks analysis
  • Monitoring of internal and external areas for unauthorized personnel
  • Personnel access requirements
  • Support facilities, including water and HVAC
  • Wireless access points vulnerabilities

Social Engineering Assessment

To assess security awareness and attempt to bypass the physical access controls of a building, use social engineering techniques. Social engineering refers to techniques for establishing a trust relationship between an attacker and a victim, with the objective of gathering, through social interaction with employees, suppliers, and contractors, information the attacker is not authorized to have. This information is then used to breach your computer network defense assets and controls. Social engineering activities test a less technical but equally important security component: the ability of the organization's people to contribute to, or prevent, unauthorized access to corporate entities, including office spaces and information systems.

Your process should be designed to determine the level of security awareness among employees. By impersonating vendors and other trusted personnel, the assessment should test the extent to which access to sensitive areas within the data center may be possible. You can begin to focus your social engineering assessment with four example scenario methods:

  • Dumpster diving to test document destruction compliance
  • Impersonation or piggybacking as vendors, inspection officials, or other trusted personnel
  • Dropping USB drives loaded with a benign program that records when it is run on an internal system, placed in communal locations, to test whether employees plug in unknown media
  • Phishing via email, text messages, and telephone conversations

On-premise Internal Network Vulnerability Assessment

Your on-premise testing should also be scenario-based, focusing on internally accessible devices and applications with the goal of attempting to access sensitive data. Your scope should include both wired and wireless access points. After accessing the network, attach to the appropriate network segment and test its services and resources. Keep your stakeholders involved as you move from segment to segment so that, if operations are impacted, system owners can respond appropriately; any impact to ongoing operations should be kept to a minimum. You can begin to focus your on-premise testing with three example scenarios:

  • Wireless security penetration testing
  • Controlled access with unauthorized devices added to the internal network
  • Internal penetration testing and vulnerability exploitation
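The second scenario, unauthorized devices added to the internal network, is one the defending side can detect continuously rather than only during the assessment. The following Python is an added example, not code from the article or from Fidelis Cybersecurity: it parses DHCP-style lease observations (the line format, the asset inventory, and all MAC addresses, VLAN ids and hostnames are constructed for the example) and reports devices that are either absent from the inventory or attached to a segment they are not authorized for. A real deployment would read the inventory from a CMDB and the observations from the DHCP server or switch logs.

```python
"""Flag devices seen on the internal network that are not in the asset inventory,
or that appear on a network segment they are not authorised for."""
from dataclasses import dataclass
import re

# Constructed asset inventory (hypothetical values): MAC -> (asset name, authorised VLAN ids)
INVENTORY = {
    "00:1a:2b:3c:4d:5e": ("file-server-01", {10}),
    "00:1a:2b:3c:4d:5f": ("ws-finance-07", {20}),
    "3c:5a:b4:00:11:22": ("printer-floor2", {30}),
}

# Constructed DHCP-style observations, one per line: timestamp vlan mac ip hostname.
# The last two lines are the same unknown device seen twice, once with a
# differently formatted MAC, to exercise normalisation and de-duplication.
SAMPLE_LEASES = """\
2020-10-27T09:01:12 vlan=10 mac=00:1a:2b:3c:4d:5e ip=10.0.10.5 host=file-server-01
2020-10-27T09:03:44 vlan=20 mac=00:1a:2b:3c:4d:5f ip=10.0.20.17 host=ws-finance-07
2020-10-27T09:05:01 vlan=20 mac=aa:bb:cc:dd:ee:01 ip=10.0.20.99 host=raspberrypi
2020-10-27T09:06:30 vlan=10 mac=3c:5a:b4:00:11:22 ip=10.0.10.40 host=printer-floor2
garbage line that should be skipped
2020-10-27T09:07:15 vlan=20 mac=AA-BB-CC-DD-EE-01 ip=10.0.20.99 host=raspberrypi
"""

LEASE_RE = re.compile(
    r"^(?P<ts>\S+) vlan=(?P<vlan>\d+) mac=(?P<mac>[0-9A-Fa-f:\-]{17}) "
    r"ip=(?P<ip>\S+) host=(?P<host>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    kind: str        # "unknown-device" or "wrong-segment"
    mac: str
    vlan: int
    ip: str
    host: str
    first_seen: str


def normalise_mac(mac):
    """Canonical lower-case, colon-separated form so aa-bb-.. and AA:BB:.. compare equal."""
    return mac.lower().replace("-", ":")


def parse_leases(text):
    """Yield (timestamp, vlan, mac, ip, host) tuples; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        m = LEASE_RE.match(line.strip())
        if not m:
            continue
        yield (m.group("ts"), int(m.group("vlan")), normalise_mac(m.group("mac")),
               m.group("ip"), m.group("host"))


def find_rogue_devices(text, inventory=INVENTORY):
    """Return findings sorted by first sighting, one per (kind, mac, vlan)."""
    findings = {}
    for ts, vlan, mac, ip, host in parse_leases(text):
        entry = inventory.get(mac)
        if entry is None:
            kind = "unknown-device"
        elif vlan not in entry[1]:
            kind = "wrong-segment"
        else:
            continue  # known device on an authorised segment: nothing to report
        key = (kind, mac, vlan)
        if key not in findings:  # keep the earliest sighting of each problem
            findings[key] = Finding(kind, mac, vlan, ip, host, ts)
    return sorted(findings.values(), key=lambda f: f.first_seen)


if __name__ == "__main__":
    for f in find_rogue_devices(SAMPLE_LEASES):
        print(f"{f.first_seen} {f.kind:15} vlan={f.vlan} mac={f.mac} ip={f.ip} host={f.host}")
```

Running the block over the constructed sample reports two findings: the unknown `raspberrypi` on VLAN 20 (reported once despite two sightings) and the known printer attached to VLAN 10 instead of its authorized VLAN 30. During an assessment, the red-team device you added in this scenario should show up in exactly this output; if it does not, that gap is itself a finding for the report.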

The local penetration testing must evaluate the security of the network infrastructure and services from the perspective of an insider or unauthorized user who has gained inside access. The focus of the scenarios is to understand the potential weaknesses and impacts to production systems that store, process, or transmit data on the inside. Four techniques may be used to perform your on-premise testing:

  • Passive data collection
  • Network scanning and OS fingerprinting
  • Attempted vulnerability exploitation
  • Privilege escalation

Ultimately, your security controls should be tested regularly, with a report that includes the scope of testing, the approach taken, the goals, a timeline of activities, identified gaps, and recommended remediation activities. The report should include an executive summary written in non-technical terms. Lastly, the report should have a grading chart so that improvements can be tracked from period to period. Socializing the report with all stakeholders is also a must, so that everyone involved can take ownership.
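The grading chart is the part of the report most worth automating, because the value comes from comparing periods consistently. The following Python is an added example, not the article's or Fidelis Cybersecurity's own method: it scores the three assessment areas from the page (physical security, social engineering, internal network) from a list of findings with severities, assigns a letter grade per area, and renders a period-over-period chart with deltas. The severity weights, the penalty-to-score mapping, the grade thresholds and the two sets of sample findings are all constructed assumptions; substitute your own scheme, but keep it fixed across periods so the deltas stay meaningful.

```python
"""Build the period-over-period grading chart for a security controls assessment report."""
from dataclasses import dataclass

# Constructed scoring scheme (assumption): weight per finding severity, and each
# weight point costs POINTS_PER_WEIGHT out of a 100-point area score.
SEVERITY_WEIGHT = {"critical": 10, "high": 6, "medium": 3, "low": 1}
POINTS_PER_WEIGHT = 4
AREAS = ("physical", "social-engineering", "internal-network")
GRADE_THRESHOLDS = ((90, "A"), (80, "B"), (70, "C"), (60, "D"))  # below 60 is F


@dataclass(frozen=True)
class Finding:
    area: str
    severity: str
    title: str


# Constructed sample findings for two consecutive assessment periods (hypothetical).
PREVIOUS = [
    Finding("physical", "high", "Tailgating into the server room went unchallenged"),
    Finding("physical", "medium", "Visitor badges not collected at sign-out"),
    Finding("social-engineering", "critical", "Vendor impersonation obtained a data-center escort"),
    Finding("internal-network", "high", "Unauthorised device obtained a lease on the finance VLAN"),
    Finding("internal-network", "high", "Guest wireless bridged to the internal segment"),
    Finding("internal-network", "low", "Unused switch ports left enabled in a meeting room"),
]
CURRENT = [
    Finding("physical", "medium", "Visitor badges not collected at sign-out"),
    Finding("social-engineering", "high", "Phone pretext obtained a contractor's door-code procedure"),
    Finding("internal-network", "high", "Guest wireless bridged to the internal segment"),
    Finding("internal-network", "low", "Unused switch ports left enabled in a meeting room"),
]


def area_scores(findings):
    """Score every area 0..100: start at 100, subtract weighted penalties, floor at 0."""
    penalty = {a: 0 for a in AREAS}
    for f in findings:
        if f.area not in penalty:
            raise ValueError(f"unknown assessment area: {f.area}")
        penalty[f.area] += SEVERITY_WEIGHT[f.severity]
    return {a: max(0, 100 - POINTS_PER_WEIGHT * p) for a, p in penalty.items()}


def grade(score):
    """Map a 0..100 score to a letter grade using the fixed thresholds above."""
    for threshold, letter in GRADE_THRESHOLDS:
        if score >= threshold:
            return letter
    return "F"


def grading_chart(current, previous):
    """Return one row per area: (area, previous score, current score, delta, grade)."""
    cur, prev = area_scores(current), area_scores(previous)
    return [(a, prev[a], cur[a], cur[a] - prev[a], grade(cur[a])) for a in AREAS]


def overall_score(findings):
    """Unweighted mean of the area scores, rounded to one decimal."""
    scores = area_scores(findings)
    return round(sum(scores.values()) / len(scores), 1)


def render_chart(rows):
    """Render the chart as a plain-text table suitable for the executive summary."""
    lines = [f"{'Area':20} {'Prev':>5} {'Now':>5} {'Delta':>6} Grade"]
    for area, prev, cur, delta, letter in rows:
        lines.append(f"{area:20} {prev:5d} {cur:5d} {delta:+6d} {letter}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_chart(grading_chart(CURRENT, PREVIOUS)))
    print(f"overall: {overall_score(PREVIOUS)} -> {overall_score(CURRENT)}")
```

With the sample findings the chart shows every area improving (physical 64 to 88, social engineering 60 to 76, internal network 48 to 72), which is the kind of trend the stakeholders who own each area can be held to. Findings that recur unchanged across periods, such as the bridged guest wireless above, are worth calling out separately in the gaps section, since a rising score can hide a remediation that was never done.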

Ryan Vela is a Regional Director for Fidelis Cybersecurity. He has 15 years' experience in conducting investigations and digital forensic analysis. Ryan served as a Strategic Planner at the Defense Computer Forensics Laboratory (DCFL), where he established plans for the ...