This type of engagement calls for particularly careful preparation. Before anything starts, we sign a contract with your company that fixes all the parameters of the simulation (scope, timing and the methods we are permitted to use); this authorisation protects both sides.
Without these documents, our actions would be indistinguishable from a crime, because the methods we use are, for the most part, the same ones used by burglars, fraudsters and anyone else who tries to steal your company's data, information, hardware or other valuable assets.
In doing our work, however, we follow a simple rule: do no harm.
In the process, we pay particular attention to the following:
- Technical security measures. Is the alarm actually armed, and do the doors and locks hold?
- What procedures do you have in place for non-employees entering your premises?
- How do your staff react to strangers?
- How do your staff react to workers in uniform (such as employees of telecom operators, security services, and so on)?
What will you learn from this type of simulation?
A physical intrusion simulation is usually one component of a wider penetration test that also covers other areas of information security. This specific test, however, gives you at least two valuable pieces of information:
- how good your technical security is, and
- how resilient your employees are to social engineering attacks.
How do we go about simulating a physical intrusion?
Naturally, we can’t disclose all our methods because then we wouldn’t have much left to use, but here are a few examples to illustrate what we might do:
- we might disguise ourselves as security guards or firefighters, and try to enter your premises this way;
- we might put on our most professional clothes and claim to have a meeting with one of your managers;
- we find walking around your premises and trying random doorhandles especially fun – we never know what we’ll find;
- we often make use of a set of specialist lock-picking tools, available on Amazon for less than 30 EUR;
- at least once a year we watch the 1992 film Sneakers, starring Robert Redford, for inspiration and reminders of the classic ways of getting access to supposedly secure systems – because some things never change.
It’s important for us, and ultimately for you, that as few employees as possible know that such a simulation is in progress. Only then will the results reflect the real situation in your company, and only then can we identify, and help you address, the weaknesses we find.