Physical Security Assessments
Presentation I did for the 2007 Information Security Summit in Cleveland, Ohio on Physical Security Assessments.

Published in: Technology, Business
  1. Physical Security Assessments – Tom Eston, Spylogic.net

  2. Topics
     - Convergence of Physical and Logical Assessment Methodologies
     - Planning the Assessment
     - Team Structure
     - Reconnaissance
     - Penetration Phase
     - Walk Through Phase
     - Lessons Learned

  3. Penetration Test Definition
     - Simulate the activities of a potential intruder
     - Attempt to gain access without being detected
     - Gain a realistic understanding of a site's security posture

  4. Why conduct a physical security assessment?
     - Assess the physical security of a location
     - Test physical security procedures and user awareness
     - Information assets can now be more valuable than physical ones (USB drives, customer info)
     - Risks are changing (active shooters, disgruntled employees)
     - Don't forget! Objectives of Physical Security:
       - Human Safety
       - Confidentiality
       - Integrity
       - Availability
     - Not limited by the size of an organization!

  5. Convergence of Methodologies
     - Network assessment methodology is identical (NIST 800-42):
       - Planning
         - Objective and Scope
       - Discovery
         - Remote and On-site reconnaissance
       - Attack
         - Penetration test and walk through
       - Reporting
         - Final report and lessons learned
     - OSSTMM (Open Source Security Testing Methodology Manual)

  6. The Security Map
     - Visual display of the security presence
     - Six sections of the OSSTMM
     - Sections overlap and contain elements of all other sections
     - Proper testing of any one section must include the elements of all other sections, direct or indirect
     * Security Map © Pete Herzog, ISECOM

  7. Planning the Assessment – Critical Tasks
     - What are we trying to protect at the location(s)?
       - List the critical assets (these can be your objectives if applicable)
       - Rank them (high, medium, low)
     - What are the threats to the location(s)?
       - Weather, fire, high crime rate, employee turnover

  8. Planning the Assessment
     - Who will conduct the assessment?
       - Third party involvement
       - Team members
     - What is the scope?
       - Process and controls
       - Security awareness: is the team challenged for ID?
       - Removal of confidential customer information
       - Steal laptop, proprietary information
       - Social engineering included?
     - Target selection
       - Regional location, size of facility, dates (schedule well in advance)

  9. Planning the Assessment Continued…
     - Escalation contact list
       - Include in the authorization to test letter
     - Walk through contact (very important)
       - Facility person, security guard, department head
       - They should not know when you are on-site!
       - Do not forget! The Authorization to Test Letter
       - (aka: Get out of jail free card, literally!)

  10. Authorization to Test Letter Example

  11. Assessment Team Structure – Team Leader
     - Identify a team leader!
       - Handles all coordination
       - Sets up meetings
       - Central point of contact for feedback and problems
       - Compiles and documents results
       - Puts together the final report
       - Should be your most senior member to start out
     - To avoid burnout… rotate the team leader position!

  12. Assessment Team Structure – Team Members
     - Maximum of three internal team members
       - Dependent on scope
       - Assist with all phases if required
       - Document results and observations (photos are good for keeping a log)
       - Communicate issues or problems to the team lead (cell phone required!)
     - Decide on third-party involvement
       - Comfort factor
       - Anonymity of the testing team
       - $$$

  13. Remote Reconnaissance
     - Gather as much information as possible off-site!
       - Floor plans from company documents
       - Google Maps satellite views
       - Google searches for news and information about the target location(s)
         - Better yet… use Maltego! http://www.paterva.com/web/Maltego/
       - Number of employees at the location(s) and listings
       - Job functions, departments at the site (phone numbers)
       - Security guards? Armed?
       - Access control: card readers? Photo IDs?
       - Call or email the city building department for blueprints… seriously!

  14. Maltego for Reconnaissance
     - Can be used to determine the relationships and real-world links between:
       - People
       - Groups of people (social networks)
       - Companies
       - Organizations
       - Web sites
       - Internet infrastructure such as:
         - Domains
         - DNS names
         - Netblocks
         - IP addresses
       - Phrases
       - Affiliations
       - Documents and files

  15. On-site Reconnaissance
     - 1/2 or 1 day is recommended for on-site recon
     - At a remote location or region?
       - Coordinate with the pen test team the night before to discuss the recon plan
     - Two team members maximum
     - Ensure you have authorization to test letters in hand!
       - Things to observe:
         - Building location, parking, traffic patterns
         - Employee entrance procedures (smokers' area?)
         - Look for cameras and access control systems
         - After hours procedures? Are things different at night?

  16. Penetration Test Phase
     - After on-site recon, determine the plan!
       - Create multiple scenarios based on your objectives
       - Some examples:
         - Tailgate (easiest)
         - Look like you belong (goes great with tailgating)
         - Printer repair man
         - "I'm late for a meeting!"
         - Chat with the smokers
         - "I forgot my badge"
         - I'm here to see <INSERT NAME OF EXECUTIVE>
         - Use a business card (faked) as ID
         - Create a fake ID

  17. Penetration Test Phase Continued…
     - Take photos if you can
     - Use conference rooms to your advantage
     - Be prepared to be compromised
       - If you feel someone wants to challenge you… quickly turn around and walk the other way!
       - If you are asked for ID, fake it for a minute. If you think it's over, pull out the authorization letter.
       - Be ready to make a phone call if needed
       - Do not endanger yourself or others! (Beware of big dogs!)

  18. Walk Through Phase
     - Conducted after the penetration test
       - Time frame depends on objectives and location
     - One team member should be coordinating the walk through with the designated contact during the pen test
       - Ensure you will have someone available
       - No chance of pen test compromise
       - Be prepared to escalate to management

  19. Walk Through Phase Continued…
     - Conducted by at least two team members with the facility contact
     - What are we looking for?
       - Perimeter controls
       - Confidentiality control of hard-copy data
       - Internal access controls
       - Cameras/alarms
       - Personnel practices (security awareness)
       - Emergency procedures (evacuation)
       - Fire extinguishers (expired?)
     - OSSTMM is a good place to start for creating a physical security checklist
       - No one standard; dependent on your organization

  20. Walk Through Phase Continued…
     - Ask questions!
       - "Do you have any security concerns?"
     - Take notes and pictures
       - Ask for permission prior to taking pictures
     - Tell them about the penetration test
       - Prepare for "hostility"!
       - Put an awareness spin on it: "You're not getting in trouble"
     "Full Metal Jacket" © 1987 Warner Bros. Pictures

  21. Reporting and Lessons Learned
     - Team Leader compiles notes and results from team members
       - Prepare the final report ASAP
     - Set up meetings shortly after the assessment with management of the facilities
       - Don't wait too long! You will lose the effectiveness of the assessment.
       - Keep them in the loop
     - Lessons learned with the assessment team!
       - Set up a meeting; include third party if used
       - What went well? What didn't?
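The planning slide ranks critical assets high/medium/low, the walk-through slides list what to look for, and the reporting slide has the team leader compile the members' notes into the final report. The Python script below, added here as an example and not part of Tom Eston's deck, ties those three steps together: it validates each team member's findings against the walk-through checklist categories and the planning asset list, merges the logs (keeping an observation logged by two members once), and orders the result by the rank of the asset at risk so the report opens with what the planning phase said matters most. The checklist category names, the asset ranking and the two member logs are constructed for illustration.

```python
"""Compile walk-through findings from several team members into one
prioritized list for the final report.  Added example, not from the deck;
all asset, category and finding data below is constructed."""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable

# Planning phase output: critical assets ranked high/medium/low (constructed).
ASSET_RANKING = {
    "customer files": "high",
    "server room": "high",
    "laptops": "medium",
    "office supplies": "low",
}
RANK_SCORE = {"high": 3, "medium": 2, "low": 1}

# Walk-through checklist categories, paraphrased from the deck's
# "What are we looking for?" slide (short labels are our own).
CATEGORIES = {
    "perimeter", "hard-copy data", "internal access", "cameras/alarms",
    "personnel practices", "emergency procedures", "fire extinguishers",
}


@dataclass(frozen=True)
class Finding:
    recorder: str      # team member who logged the observation
    location: str      # where in the facility it was seen
    category: str      # one of CATEGORIES
    asset: str         # asset at risk, keyed into ASSET_RANKING
    observation: str
    photo: str = ""    # photo file name if one was taken (with permission)


def validate(finding: Finding) -> Finding:
    """Reject records that map to neither the checklist nor the planning
    asset list, so the team leader never compiles findings that can't be ranked."""
    if finding.category not in CATEGORIES:
        raise ValueError(f"unknown checklist category: {finding.category!r}")
    if finding.asset not in ASSET_RANKING:
        raise ValueError(f"asset not in planning list: {finding.asset!r}")
    return finding


def merge_logs(*logs: Iterable[Finding]) -> list[Finding]:
    """Merge each member's log; the same observation at the same location
    logged by two members is kept once (first recorder wins)."""
    seen, merged = set(), []
    for log in logs:
        for f in log:
            validate(f)
            key = (f.location.lower(), f.category, f.observation.lower())
            if key not in seen:
                seen.add(key)
                merged.append(f)
    return merged


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Order by the rank of the asset at risk (high first), then by location."""
    return sorted(findings,
                  key=lambda f: (-RANK_SCORE[ASSET_RANKING[f.asset]], f.location))


def category_counts(findings: list[Finding]) -> dict[str, int]:
    """Per-category tally for the report's summary section."""
    return dict(Counter(f.category for f in findings))


# Constructed sample logs from two team members.
ALICE_LOG = [
    Finding("alice", "Loading dock", "perimeter", "server room",
            "door propped open, no camera coverage", "IMG_0012.jpg"),
    Finding("alice", "Records room", "hard-copy data", "customer files",
            "unlocked cabinet with account statements"),
    Finding("alice", "Break room", "fire extinguishers", "office supplies",
            "extinguisher inspection tag expired"),
]
BOB_LOG = [
    Finding("bob", "Loading dock", "perimeter", "server room",
            "Door propped open, no camera coverage"),   # same as Alice's entry
    Finding("bob", "Lobby", "personnel practices", "laptops",
            "visitor walked past reception without being challenged"),
]


def build_report() -> list[tuple[str, str, str, str]]:
    """Return (asset rank, location, category, observation) rows, prioritized."""
    merged = merge_logs(ALICE_LOG, BOB_LOG)
    return [(ASSET_RANKING[f.asset], f.location, f.category, f.observation)
            for f in prioritize(merged)]


if __name__ == "__main__":
    for row in build_report():
        print(" | ".join(row))
    print(category_counts(merge_logs(ALICE_LOG, BOB_LOG)))
```

The dedupe key deliberately ignores who recorded the finding and the photo name, so two members walking the same route don't double-count one open door; anything that fails validation raises immediately rather than silently dropping out of the report.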
  22. Standards and Books
     - OSSTMM
       - Open Source Security Testing Methodology Manual
       - Version 2.2, http://www.isecom.org/osstmm/
     - NIST 800-12 (Chapter 15 – Physical Security)
       - http://csrc.nist.gov/publications/nistpubs/800-12/
     - NIST 800-42 (Guideline on Network Security Testing)
       - http://csrc.nist.gov/publications/nistpubs/800-42/NIST-SP800-42.pdf
     - Physical Security for IT
       - Michael Erbschloe
     - The Design and Evaluation of Physical Protection Systems; Vulnerability Assessment of Physical Protection Systems
       - Mary Lynn Garcia

  23. Questions? Email: tom@spylogic.net
