ISACA releases guidance on physical penetration testing

ISACA
Wednesday, 06 December, 2023

ISACA has released a new white paper on strategies for physical penetration testing.

Physical penetration testing is often overlooked when it comes to security, despite a 28% increase in physical security incidents in both 2021 and 2022. The new ISACA resource aims to offer security professionals a deeper understanding of the subject, sharing an overview of physical penetration testing, the significance of physical security, and an exploration of the methodologies and tools employed by physical penetration testers.

Physical penetration testing is designed to identify weaknesses in the physical security controls of an organisation and simulate how a real attacker would try to gain access to restricted areas or information. The paper outlines different testing methods, including:

  • social engineering;
  • physical/technical bypass;
  • destructive versus non-destructive testing;
  • advanced persistent threats.

Professionals can also learn about how organisations and testing firms decide on which test they use based on factors such as budget, scope of the engagement, and inside information provided by the organisation. The publication explores these various testing types, including:

  • Red team
  • Black box
  • White box
  • Grey box
  • Due diligence assessment (walkthrough).

“Technological advancements and variability in where organisational work is performed increase the difficulty of securing sensitive data and assets. Enterprises cannot overlook the risks associated with physical access,” said Jon Brandt, Director, Professional Practices and Innovation at ISACA. “Physical security predates information security and while it may remain overshadowed by cyberthreats, the benefits of physical penetration testing are numerous and will strengthen any organisation’s overall security posture.”

While there are advantages to physical penetration testing such as regulatory compliance, personnel safety and data protection, there are also several challenges: cost, time, legal and ethical considerations, armed guard misunderstandings, off-limits areas/assets, and personnel who may not have the right skills for penetration testing. The paper shares strategies for overcoming challenges that an organisation may encounter.

To download a complimentary copy of ‘Physical Penetration Testing: The Most Overlooked Aspect of Security’, visit www.isaca.org/resources/white-papers/2023/physical-penetration-testing. ISACA members have access to an accompanying CPE quiz.
