Ryan Vela

Breach Defense Playbook: Assessing Your Security Controls

Do you include physical security as part of your cybersecurity risk management plan?

Physical access to your network and IT assets is as important as access through 1s and 0s. A security controls assessment is meant to test the perimeter defenses that you have implemented around your physical appliances, hardware, wiring, and support systems.

You should use real-time assessments of your security measures to protect your sensitive data. Organizations that perform security controls assessments generally rely on penetration testing and social engineering, but a physical infrastructure has many more weaknesses that can also be exploited. Testing the multiple facets and layers of perimeter security effectively can yield significant improvements in security and reduce costs by streamlining the organization's overall security plan. Likewise, once weaknesses are identified, an organization knows which areas of its IT network, physical structures, and personnel security need additional training or support to prevent external or internal threats from exploiting them.

Insider threats are as important as external ones. No organization wants to imagine that it has hired someone who would attempt to cause harm, but this is not as uncommon as organizations would hope. Therefore, reasonable precautions should be implemented to protect sensitive data.

When performing your security controls assessment, you should structure the assessment on three areas that will overlap one another:

  • Physical security
  • Social engineering
  • On-premises internal network vulnerability

For guidance, you can leverage NIST SP 800-53 Security and Privacy Controls for Federal Information Systems and Organizations; SANS Security Laboratory: IT Managers -- Safety Series; the PCI Data Security Standard; and the SANS Institute InfoSec Reading Room: Security Assessment Guidelines for Financial Institutions, Developing Security Policies For Protecting Corporate Assets, System Administrator -- Security Best Practices, and Data Center Physical Security Checklist.

Physical Security Assessment

Your assessment should be tailored to your specific environment and testing needs. Evaluate the physical security measures currently in place and the documentation implemented to protect critical data systems and information. Include in your review both external and internal controls and the policies that govern employee access, vendor access, visitor access, responsibilities, and educational awareness. Focus your physical security assessment on eight primary areas:

  • Location (community, region)
  • Perimeter penetration testing by unauthorized personnel
  • Interior computer room penetration testing by unauthorized personnel
  • Disaster recovery and geographic location risks analysis
  • Monitoring of internal and external areas for unauthorized personnel
  • Personnel access requirements
  • Support facilities, including water and HVAC
  • Wireless access points vulnerabilities

Social Engineering Assessment

To assess security awareness and attempt to bypass the physical access controls of a building, use social engineering techniques. Social engineering refers to techniques for establishing a trust relationship between an attacker and a victim, with the objective of gathering information the attacker is not authorized to have through social interaction with employees, suppliers, and contractors. This information is then used to breach your computer network defense assets and controls. Social engineering activities test a less technical but equally important security component: the ability of the organization's people to contribute to or prevent unauthorized access to corporate entities, including office spaces and information systems.

Your process should be designed to determine the level of security awareness among employees. By impersonating vendors and other trusted personnel, your assessment should test the extent to which access to sensitive areas within the data center is possible. You can begin to focus your social engineering assessment with four example scenarios:

  • Dumpster diving to test document destruction compliance
  • Impersonation or piggybacking as vendors, inspection officials, or other trusted personnel
  • Dropping USB drives in strategic communal locations, loaded with a benign program that records when it is run on an internal system (showing that an unauthorized device gained access)
  • Phishing via email, text messages, and telephone conversations

On-premises Internal Network Vulnerability Assessment

Your on-premises testing should also be scenario-based, focusing on internally accessible devices and applications with the goal of attempting to access sensitive data. Your scope should include both wired and wireless access points. After accessing the network, attach to the appropriate network segment and test its services and resources. Keep your stakeholders involved as you move from segment to segment so that, if operations are impacted, system owners can respond appropriately; any impact on ongoing operations should be kept to a minimum. You can begin to focus your on-premises testing on three example scenarios:

  • Wireless security penetration testing
  • Controlled access with unauthorized devices added to the internal network
  • Internal penetration testing and vulnerability exploitation
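The second scenario, unauthorized devices added to the internal network, is also something the defending team can check for continuously rather than only during an assessment. The following Python script is an added example (not code from the article or from Fidelis Cybersecurity): it parses DHCP server log lines in the ISC dhcpd message format, compares each confirmed lease against an asset inventory, and reports two kinds of finding: a MAC address with no inventory record (a device that was plugged in without authorization) and a known asset that obtained an address on a segment it is not authorized for. The inventory, the MAC addresses, the segment assignments, and the log lines are all constructed for the example.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed asset inventory (hypothetical values): MAC address -> (asset name,
# the network segment the asset is authorized to appear on).
INVENTORY = {
    "3c:52:82:aa:bb:01": ("printer-3", "10.20.5.0/24"),
    "00:1b:44:11:3a:b7": ("ws-finance-12", "10.20.5.0/24"),
    "b8:27:eb:01:02:03": ("badge-reader-lobby", "10.20.9.0/24"),
}

# Constructed sample syslog lines in the ISC dhcpd message format.
SAMPLE_LOG = """\
Jun 18 09:12:01 dhcp1 dhcpd: DHCPACK on 10.20.5.37 to 3c:52:82:aa:bb:01 (printer-3) via eth1
Jun 18 09:12:44 dhcp1 dhcpd: DHCPACK on 10.20.5.88 to 00:1b:44:11:3a:b7 (ws-finance-12) via eth1
Jun 18 09:15:09 dhcp1 dhcpd: DHCPACK on 10.20.5.91 to 0c:8b:fd:de:ad:01 (raspberrypi) via eth1
Jun 18 09:16:30 dhcp1 dhcpd: DHCPACK on 10.20.5.92 to b8:27:eb:01:02:03 (badge-reader-lobby) via eth1
Jun 18 09:17:02 dhcp1 dhcpd: DHCPOFFER on 10.20.5.93 to aa:bb:cc:dd:ee:ff via eth1
"""

# Only DHCPACK lines mean a lease was actually handed out; the hostname is optional.
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>[0-9a-fA-F:]{17})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)"
)

Lease = namedtuple("Lease", "ip mac host iface")
Finding = namedtuple("Finding", "kind lease detail")


def parse_acks(log_text):
    """Extract confirmed leases (DHCPACK lines) from dhcpd syslog text."""
    leases = []
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m:
            leases.append(Lease(m["ip"], m["mac"].lower(), m["host"] or "", m["iface"]))
    return leases


def check_leases(log_text, inventory=INVENTORY):
    """Compare confirmed leases against the inventory and return a list of findings.

    "unknown_device": the MAC has no inventory record at all.
    "wrong_segment":  a known asset obtained an address outside its authorized segment
                      (a moved device, or something spoofing a known MAC).
    """
    findings = []
    for lease in parse_acks(log_text):
        entry = inventory.get(lease.mac)
        if entry is None:
            findings.append(Finding(
                "unknown_device", lease,
                f"no inventory record for {lease.mac} (hostname '{lease.host}')"))
            continue
        name, allowed = entry
        if ipaddress.ip_address(lease.ip) not in ipaddress.ip_network(allowed):
            findings.append(Finding(
                "wrong_segment", lease,
                f"{name} is authorized for {allowed} but received {lease.ip}"))
    return findings


if __name__ == "__main__":
    for f in check_leases(SAMPLE_LOG):
        print(f"{f.kind:15} {f.lease.ip:15} {f.lease.mac}  {f.detail}")
```

Run against the constructed log, the script flags the "raspberrypi" lease as an unknown device and the badge reader as a known asset on the wrong segment; the DHCPOFFER line is ignored because no lease was confirmed. In practice the inventory would be exported from the asset management system, and a "wrong_segment" hit is the more interesting of the two, since a device that should be on the badge-reader VLAN appearing on the finance VLAN is exactly the kind of controlled-access failure the scenario is meant to surface.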

The local penetration testing must evaluate the security of the network infrastructure and services from the perspective of an insider, or of an unauthorized user who has gained inside access. The focus of the scenarios is to understand the potential weaknesses of, and impacts to, production systems that store, process, or transmit data on the inside. Four techniques may be used to perform your on-premises testing:

  • Passive data collection
  • Network scanning and OS fingerprinting
  • Attempted vulnerability exploitation
  • Privilege escalation

Ultimately, your security controls should be tested regularly with a report that includes the scope of testing, the approach taken, the goals, a timeline of activities, identified gaps, and recommended remediation activities. The report should include an executive summary written in non-technical terms. Lastly, the report should have a grading chart so that from period to period, improvements can be tracked. Socializing the report with all stakeholders is also a must so that everyone involved can take ownership.
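The grading chart is easy to get wrong if each period's report uses a different scale, so it helps to fix the scoring rule in code. The following Python example is added here and is not from the article: it scores each of the three assessment areas (physical, social engineering, internal network) by subtracting a weight per finding severity from 100, assigns a letter grade, and renders the period-over-period change as a text chart. The severity weights, grade thresholds, and the two quarters of findings are all constructed for the example; an organization would choose its own weights.

```python
# Constructed severity weights and grade thresholds (hypothetical; tune to your program).
SEVERITY_WEIGHT = {"critical": 25, "high": 15, "medium": 7, "low": 2}
GRADE_THRESHOLDS = ((90, "A"), (80, "B"), (70, "C"), (60, "D"))
AREAS = ("physical", "social_engineering", "internal_network")

# Constructed findings for two assessment periods: area -> [(description, severity), ...]
Q1_FINDINGS = {
    "physical": [
        ("Tailgating into the server room succeeded", "critical"),
        ("Dumpster contained unshredded printouts", "medium"),
    ],
    "social_engineering": [
        ("4 of 20 phishing targets entered credentials", "high"),
        ("Vendor impersonation granted escort-free access", "high"),
    ],
    "internal_network": [
        ("Rogue device obtained a DHCP lease on the finance VLAN", "high"),
        ("Unpatched file-sharing service on a production host", "critical"),
        ("Default SNMP community string on core switch", "medium"),
    ],
}
Q2_FINDINGS = {
    "physical": [("Dumpster contained one unshredded printout", "low")],
    "social_engineering": [("2 of 20 phishing targets entered credentials", "medium")],
    "internal_network": [
        ("Default SNMP community string on core switch", "medium"),
        ("Rogue device obtained a DHCP lease on the finance VLAN", "high"),
    ],
}


def area_score(findings):
    """100 minus the summed severity weights of the findings, floored at 0."""
    penalty = sum(SEVERITY_WEIGHT[severity] for _, severity in findings)
    return max(0, 100 - penalty)


def letter_grade(score):
    """Map a 0-100 score onto a letter grade using GRADE_THRESHOLDS."""
    for threshold, letter in GRADE_THRESHOLDS:
        if score >= threshold:
            return letter
    return "F"


def scorecard(findings_by_area):
    """Score every area; an area with no findings scores 100."""
    return {area: area_score(findings_by_area.get(area, [])) for area in AREAS}


def trend(previous, current):
    """Per-area change in score between two scorecards (positive = improvement)."""
    return {area: current[area] - previous[area] for area in AREAS}


def render_chart(previous, current):
    """Text grading chart: previous score, current score, delta, and current grade."""
    lines = [f"{'area':20} {'prev':>5} {'curr':>5} {'delta':>6}  grade"]
    for area, delta in trend(previous, current).items():
        lines.append(f"{area:20} {previous[area]:5} {current[area]:5} {delta:+6}  "
                     f"{letter_grade(current[area])}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_chart(scorecard(Q1_FINDINGS), scorecard(Q2_FINDINGS)))
```

Keeping the weights and thresholds as named constants at the top means the rule is documented alongside the chart, and a finding that repeats across periods (here, the rogue device and the SNMP community string) keeps dragging the score down until it is actually remediated, which is what the period-to-period tracking is meant to expose.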

Ryan Vela is a Regional Director for Fidelis Cybersecurity. He has 15 years' experience in conducting investigations and digital forensic analysis. Ryan served as a Strategic Planner at the Defense Computer Forensics Laboratory (DCFL), where he established plans for the ...