Penetration testing & the reason for conducting them
Penetration testing can mean several things, depending on who you discuss it with.;
- It can be a computer test to see if your network is vulnerable to a hack attack. IT departments and consultants conduct these on a continual, supposedly, basis based on the current threat level for computer networks and the media coverage of such large scale breaches in recent years
- The 2nd, and oldest, is the physical security kind, which is what I’m going to discuss. This is where a person, or team, attempt to penetrate your facilities security perimeter. And we do that by innumerable means, depending on the skill set of the ‘perpetrator’.
A short story of a successful test from 27 years ago; the assistant operations manager, Doug Dragert, of Wells Fargo Guard Services in Kansas City, MO. was asked to conduct a test of a large corporate office building. The Director of Corporate Security, later the VP of security, told my friend that “This building is secure. You’ll never make it to the executive offices. My security staff is better than you may think” And then left to meet with the CEO on other issues.
After wandering like he belonged, he found an open door with several smokers. He walked passed them through the door which had been propped open. For the next 30 minutes he kept the security staff moving in random patterns all over the building. After that interval he showed up, pushed past the secretary and into the CEO’s office and held out his arm as if he had a pistol.
The security director was embarrassed and the CEO frightened enough to believe, practically, everything he was told about security. Their security budget nearly tripled over the next decade and they added officers to every single building they leased, more than 30.
And that’s why penetration testing is necessary. To show you the deficiencies in your security system. Many facilities can be easily breached even today despite workplace violence (WPV) & terrorism fears, many remain open to anyone and everyone. And no one confronts a stranger, generally, when they spot one.
So what are some of the direct reasons for a penetration test?;
- Theft from office equipment, drugs, machinery, & other items
- Destroying assets of all kinds from equipment to annoyance items i.e. glass
- Terrorism events against a certain patient or group
- Active shooter event including terrorism, WPV, or just plain chaos & mayhem
- Disruptive individuals with mental issues or just upset by something
Those are just a few of the reasons to utilize & conduct a penetration test. But what are some of the things to think about during a test so as not to make it so disruptive to the work day or employees?;
- Informing employees ahead of time there will be an exercise. Not the day or time, but that it will occur
- Defining the goal of the exercise. Is it for one section, the entire facility or…
- Setting operating guidelines. Is the consultant allowed to do, or not, something? Can they lie, cheat, damage (hopefully not), or whatever
- Determining where and when the team will operate. Again, this is vitally important to the success of the test. Although they should be given the leeway to go outside the pre-set boundaries to give an objective observation and accurate assessment of what may happen
- Involving the target site’s security team. If the client/facility already has security on-site, then they have to be informed along with the other employees that a test is going to occur. You may want to inform them of the day or shift as well, but that is not necessary
- Assigning a challenge phrase for the target site’s security team. This will allow the facility security team to identify that the exercise is in effect and the individual is involved with it, so no mistakes can be made and someone else accidently allowed in
- Setting a time for review and analysis of the exercise to discuss the deficiencies and successes. And it is necessary that it has to be as harsh as possible in order to be effective. Some things can never be fixed but that doesn’t mean it can slide and not be attempted.
The key in all of this is to ensure that you actually have a physical security program in place. If your program is only haphazard then this is likely to be a total Charlie foxtrot (ask a friend who was in the military, possibly 20 or more years ago). And if you have this many issues with your program it may well not be worth the trouble, without totally revamping it.
If you don’t test something, you’ll never know how effective it is. And whether the effectiveness is in the training, policies, procedures, observational or listening skills or the organizations communication doesn’t matter. What does matter is your analysis.
And that means being as objective and critical as possible. If you’re not critical or objective then you can be assured that when it is necessary to rely on your program, officers, employees, and etc. it will fail. And in today’s dangerous modern world that can lead to more than just a bad decision resulting in lost time or money. It can, and possibly will, lead to someone’s death or injury. And no one wants that.
Robert D. Sollars is a recognized expert on security issues, specifically workplace violence. He’s spent nearly 33 years in the security field. Visit his Facebook page, One is too Many, where you will read about other items related to security & WPV issues. Or be a twitter follower at @robertsollars2.
I May be Blind but my Vision is Crystal Clear