When performing physical security tests on facilities:

  • Identify the physical security controls in place at the target premises as best you can.
  • Look for low fences around entrances and other restricted areas that you might be able to climb over.
  • Consider using a ladder to scale a taller fence.
  • Consider that scaling a fence with barbed or razor wire may lead to serious injury.
  • Look for dumpsters outside of buildings that may contain sensitive material the organization has disposed of.
  • At the beginning of a new year, look for calendars containing passwords.
  • Look for poorly disposed-of sensitive business documents.
  • Look for poorly sanitized storage drives and computer equipment.
  • Practice with a lock picking tool to gain enough skill and experience to pick a key-based lock.
  • Find other ways around keyless locks, like coming back at a time when the lock isn't activated.
  • Use a handheld RFID writer to easily clone badges that use insecure 125 kHz EM4100 technology.
  • Conceal a cloning tool that can read badge data from several feet away in a bag or other container.
  • Use an Android device with NFC and a cloning app to clone encryption-based badges that use the default keys.
  • Identify the area that motion sensors cover.
  • Leverage motion sensor blind spots to move through a building.
  • Consider using a piece of material, like cardboard, to block a motion sensor.
  • Focus an infrared light on a sensor to fool it into believing the area is at an acceptable level.