December 30, 2014

Last Updated on January 19, 2024

It’s interesting to me that we can start to pick up shifts in our industry through the “Contact Us” form on our website. One unexpected (and at this point still unexplained) recent trend is an emphasis on physical penetration testing. Part of why it’s unexplained is that it has been “hot” across diverse verticals including retail, manufacturing, banking, healthcare and critical infrastructure.
The surge in retail makes a lot of sense to me, however. The evolution from standalone cash registers to increasingly connected and sophisticated point-of-sale (POS) systems has increased the value proposition to the customer, the retailer, and unfortunately the malicious hacker as well. Wireless networks, mobile devices, tablet-based POS, and persistent/meaningful connectivity to the corporate data center has notably increased the threat surface and the potential impact of a physical attack. But while a heightened focus on the physical security in stores is appropriate, the reliance on penetration testing as a means of assessing security might not be.
A penetration test is intended to gauge the probability that vulnerabilities in your security can be exploited. And, if so, what the impact to your company would be (did we get access to the kiosk hard drive or admin access to your POS, for example?).
The problem is that a penetration test is only as good as your understanding of the vulnerabilities. And unfortunately, the budget for most physical penetration testing engagements does not allow the reconnaissance necessary to identify vulnerabilities before testing. In this scenario, a “clean” penetration test can actually reduce your security posture by giving you a false sense of security.
The amount of effort that you should extend during penetration testing should approach the amount of time that you think the attacker the test is intended to mimic would be willing to invest. If you think a cybercriminal would spend a week doing research and three days attempting to exploit five of your locations, the intensity of your testing should be similar. Our offerings are labeled Opportunistic, Intentioned, Tenacious, and Persistent to mimic these different threat scopes.
A recent test explains this concept well. We were asked to test two different stores that fortunately were relatively close to each other. This gave us the time to observe a wide range of operating conditions: store opening, day and night hours, store closing, operations during peak hours, customer requests to use bathrooms, customer requests that reduced security, interaction with building/mall personnel, behavior of particular clerks, etc.
We supplemented those observations with digitally recorded in-store reconnaissance and purchases. For one of the stores, this gave us three relatively simple test scenarios:

  • Social engineer access to the WLAN by asking for it.
  • From 1PM – 2PM the store was only staffed by one clerk, as each of the two clerks took a 30-minute lunch break. Have one member access the store and engage the single clerk while the second actor attempted to garner unobserved access to the stock area (door was noted as unlocked during in-store reconnaissance), where we expected the IT infrastructure was housed. If access was gained, plant a hub with a wireless access point on it and leave.
  • Create a badge similar to that of the mall maintenance crew, don similar dickies and a work shirt, and attempt to gain access to the stock area.

As we only had two actors, we attempted the first and used that as cover to attempt the second. The first failed, but the second was successful. The access point allowed us to access local devices on the network and escalate privilege to an admim level.
It’s important to point out that while penetration testing is exciting and “real-world,” it is not definitive. For example, the scenario outlined above may work 70% of the time, but might not have worked during our test.
A more definitive and accurate but less sexy method is a gap assessment. It takes a more security design centric approach, by looking at critical physical and information security controls, including:

  • Physical security perimeters (design, reception, fire doors, intruder detection, data center segregation)
  • Entry controls (logging, key card access, employee and visitor identification, monitoring)
  • Secure area operations (obfuscation, controlling video/photographic observation)
  • Delivery and loading areas (access control, asset management)
  • Supporting utilities (physical security of telecommunications, power, cabling)
  • Asset security (physical security of assets on-site, on-site unattended, off-site, clear desk)
  • Logical segregation of network segments (e.g., kiosk, retail wireless, guest wireless, VoIP, POS, front-office, retail internet access)
  • Strong authentication of users and systems
  • Appropriate use of encryption for WLAN, store to back-office communications, VoIP, local storage of sensitive data, etc.)
  • Minimized local storage of potentially sensitive data, especially on mobile devices
  • Centralized device, vulnerability, user and configuration managemen
  • Policy and procedure communication to and Security Awareness Training for in-store personnel

An ideal approach is to conduct a gap assessment, close the gaps, and then perform a   penetration test to see if everything works as expected.
To talk over penetration testing options for your business with an expert, contact Pivot Point Security.