Red Team testing, also known as physical security penetration testing (pen testing), happens more often than it is discussed amongst the perhaps sexier topics in the security industry such as Executive Protection, Workplace Violence Prevention, or Event Security. However, if the red teaming is done well, the lessons learned can help solidify the very essential elements of a good security program.
Having administered in the proximity of 200+ pen tests over approximately the last half dozen years, I can say that no two tests are the same. Varying the days of the week and the times of day at which tests are conducted will help ascertain the most robust, holistic information about a security program. And just because you tested one day at one time does not make the result of that particular test the definitive answer and solution; it could have been a case of the personnel working that particular day and time having a good or a bad day. You will want to test that day and/or time more than once to confirm the same pattern is in place before jumping to a conclusion, not too dissimilar to surveillance in workers' comp cases to refute the "Good Day" defense by the injured party.
The personnel conducting/administering the pen test should also be generally creative in their approach and mindset when undertaking the assignment. Creative freedom (within reason) can yield surprising results from the pen test. For example, in one instance our agent assigned to a pen test for a client in the San Francisco Bay Area used his advance research on the location and company to create a cover story in which he was a journalist from the local newspaper who wanted to print a story about the client company, one that would provide very positive press for their philanthropic endeavors. This client location had security officer personnel in place and restricted elevators to each floor. The agent approached the security officer personnel at the lobby desk, explained his cover story, and requested to meet with an individual (whom he had located in his advance open source research) who was a C-suite person for the company at that location. Within 10 minutes the agent was sitting across a conference room table from this C-suite executive. His credentials were not checked. No screening mechanism was enacted. All because the company strongly desired very positive press to be published about them and the opportunity for just that was presented. This is a very good learning experience for the company. No one has to lose their job, nor should anyone be disciplined. It should be used as a learning experience for all parties involved to grow from. Having a creative agent in place who understands security programs while pushing boundaries in an authorized manner can achieve such objectives.
To summarize the steps taken in the example above in order to reach the end result:
1. Agree upon a specific statement/scope of work (SOW) between the service provider and the client.
2. Resource/assign an agent who is creative in their approach.
3. The SOW should include an allowance for advance research time prior to the pen test being conducted. I would generally recommend up to 5 hours for this in most circumstances, but it can change based on scope, the square footage needing to be tested, and other factors.
4. Expect about the same amount of time on-site for conducting the pen test, plus a couple of additional hours for report writing.
5. Expect to have near real-time communications between the agent/service provider and the client while the operation is being conducted, to ensure clarity about the exact timing of the pen test. Doing so will help avoid the operation being confused with a real "bad actor" incident.
6. Depending on the company's goals and objectives for the pen test operation, consider having a tracking tool in place that is shared between the service provider and the client representative and is available on a moment's notice. It could be an Excel sheet or other software that records dates, times, and locations as well as the names and contact numbers of each party, should a timely call or note have to be placed. An effective tool will allow the uploaded content to be filtered and sorted, so that different parties can view the data in the forms they need.
7. While testing people and their practices is the most common denominator in physical security pen tests, there is a component of testing the company's security technology as well. How well the agent can be seen on camera while conducting the test, any bypassing of the access control systems in place, and any alarm systems that were (or should have been) activated when the agent accessed a more vulnerable area of the company's space are all aspects of security technology that should be reviewed for the period of the pen test. This can be done after the fact; it doesn't have to be real-time, but doing so confirms that the company's equipment is also functioning properly.
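The after-the-fact review in step 7 depends on the tracking tool from step 6: once the agent's timeline (date, time, location, action) is recorded, it can be lined up against the client's access-control and alarm logs to see which of the agent's actions left a trace and which did not. The script below is an added example, not part of the original post or any product; the tracker columns, the door identifiers, and the log line format are all assumptions, and both the tracker rows and the log lines are constructed sample data.

```python
"""Correlate a red-team tracking sheet against access-control/alarm logs.

Added example. The CSV columns, door IDs and log format are assumptions;
all data below is constructed for illustration.
"""
import csv
import io
import re
from datetime import datetime, timedelta

# Constructed sample of the shared tracking tool (step 6). The "expect" column
# records which log event the client's systems should have produced for the
# agent's action (assumed convention; NONE means no technical trace expected).
TRACKER_CSV = """date,time,location,action,expect,agent,contact
2024-03-12,09:05,LOBBY,Approached desk with journalist cover story,NONE,Agent A,555-0100
2024-03-12,09:14,ELEV-7F,Escorted into restricted elevator,BADGE_GRANT,Agent A,555-0100
2024-03-12,09:31,7F-SRV,Tailgated employee through server room door,BADGE_GRANT,Agent A,555-0100
2024-03-12,09:40,DOCK-2,Pushed open alarmed emergency exit,ALARM,Agent A,555-0100
"""

# Constructed access-control / alarm export in a hypothetical line format.
ACS_LOG = """2024-03-12T09:14:02 door=ELEV-7F event=BADGE_GRANT badge=00417
2024-03-12T09:31:40 door=7F-SRV event=BADGE_GRANT badge=00902
2024-03-12T09:55:44 door=DOCK-2 event=DOOR_HELD
2024-03-12T10:02:09 door=LOBBY event=BADGE_GRANT badge=00117
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) door=(?P<door>\S+) event=(?P<event>\S+)")


def parse_tracker(text):
    """Read the tracker CSV and attach a datetime to each row."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["when"] = datetime.fromisoformat(f"{row['date']}T{row['time']}")
        rows.append(row)
    return rows


def parse_log(text):
    """Parse the hypothetical ACS/alarm lines; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append({"when": datetime.fromisoformat(m["ts"]),
                           "door": m["door"], "event": m["event"]})
    return events


def filter_tracker(rows, location=None, date=None):
    """The filter/sort capability step 6 asks of the tracking tool."""
    picked = [r for r in rows
              if (location is None or r["location"] == location)
              and (date is None or r["date"] == date)]
    return sorted(picked, key=lambda r: r["when"])


def correlate(rows, events, window=timedelta(minutes=3)):
    """For each tracker row with an expected trace, look for matching log
    events at the same door within +/- window and record whether the
    expected event type was actually logged."""
    findings = []
    for r in rows:
        if r["expect"] == "NONE":
            continue
        nearby = [e for e in events
                  if e["door"] == r["location"] and abs(e["when"] - r["when"]) <= window]
        findings.append({
            "time": r["time"],
            "location": r["location"],
            "action": r["action"],
            "expected": r["expect"],
            "logged": any(e["event"] == r["expect"] for e in nearby),
            "seen": sorted({e["event"] for e in nearby}),
        })
    return findings


def gaps(findings):
    """Findings where the expected technical trace is missing: the equipment
    or its monitoring did not register what the agent did."""
    return [f for f in findings if not f["logged"]]


if __name__ == "__main__":
    tracker = parse_tracker(TRACKER_CSV)
    log = parse_log(ACS_LOG)
    for f in correlate(tracker, log):
        status = "logged" if f["logged"] else "GAP"
        print(f"{f['time']} {f['location']:8} {status:6} expected={f['expected']} seen={f['seen']}")
```

On the constructed data the elevator and server-room rows are "logged" because the door recorded a badge grant at the right moment, but note that in the tailgating case the grant belongs to the employee's badge, so the agent's own passage is invisible to the access control system and only camera review can confirm it. The alarmed dock door is the real gap: the agent opened it at 09:40 and the only event on that door is a DOOR_HELD fifteen minutes later, so either the alarm did not fire or it was not exported, which is exactly the equipment question step 7 wants answered.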