Today’s businesses typically devote many resources towards ensuring the logical security of their information systems. However, the devastating effect of even a single security breach also requires these organizations to consider their physical security, which they often overlook. Physical social engineering assessments evaluate a company’s ability to prevent unauthorized physical access to assets on its premises, or to prevent staff from taking an unauthorized action because someone requested it in person. Experienced consultants can provide their clients with a great deal of information regarding their physical security. This aspect of social engineering is becoming increasingly popular in the U.S., but only a few consultants have the expertise needed to conduct this increasingly important assessment.
A physical social engineering test assesses how difficult it would be for an attacker to exploit the people component of an organization in order to access the organization’s physical premises, generally for the purpose of obtaining sensitive information or control over internal systems, or to get staff to perform an action (sending a message, canceling a service, providing a refund, providing confidential information) that may not be in their best interest. It also includes advice on ways to mitigate these threats, which organizations often overlook when developing their information security strategy.
A physical social engineer’s job is to get a target to take an action that may not be in the company’s best interest, such as allowing physical access to an organization’s premises. The engineer does this by convincing someone to admit them or by bypassing people controls (e.g., tailgating into a building), and then performs a series of predetermined tasks that assess the organization’s physical security posture. The goal of these tasks is typically to obtain network access, often by planting devices that the attacker can operate remotely, to obtain access to a sensitive area of the building, or to get a person to take an action. A physical social engineer also attempts to gather evidence of an organization’s security vulnerabilities in real time. This evidence could include sensitive information left in the open, workstations left logged on, and failures to follow clean desk policies.
The most challenging aspect of physical social engineering is convincing clients that physical social engineering is just as important to security as penetration testing. Mature organizations often conduct penetration testing of both their application and network security on a regular basis without ever assessing their physical security. The primary reason for this disparity is that the consultants who test security typically have expertise in logical security rather than physical security, so they simply aren’t capable of performing these tests. Furthermore, cyber security organizations usually don’t offer physical social engineering services, giving their clients the impression that their current measures are adequate for protecting their network and data.