Advanced | Physical Security

Conduct an annual physical penetration test of your offices and data centre

Organisations that conduct regular network penetration tests often have no equivalent programme for physical security. Physical penetration testing — engaging a firm to attempt tailgating, impersonation, dumpster diving, and device planting at your facilities — reveals gaps that policy and awareness training cannot surface. Professional physical pentesters routinely succeed in entering secure areas, planting rogue network devices, and photographing sensitive materials. The results directly inform where physical controls need investment. At minimum, conduct an annual physical security assessment of your primary office, data centre, and any facility that houses network equipment.

Tags: physical pentest, red team, security assessment, physical controls, tailgating

More in Physical Security

Intermediate, featured

Install mantraps or badge-enforced turnstiles to eliminate tailgating

Training employees to challenge tailgaters helps, but research consistently shows 70–80% of people will hold a secure door open for a stranger who looks like they belong. The only reliable control is a physical barrier that permits exactly one person per badge swipe: a mantrap (an airlock with two doors where the first must close before the second opens) or a badge-enforced turnstile. These are standard in data centres and high-security facilities for exactly this reason. For areas that do not justify the cost of mantraps, tailgate detection sensors that alert security when multiple people pass a single badge read provide monitoring capability.

See: Tailgating Social Study | Physical Security

Beginner

Disable USB mass storage on all corporate workstations via Group Policy or MDM

The FIN7 criminal group mailed BadUSB drives disguised as Amazon packages and Best Buy gift cards to hotel and restaurant employees. 45% of people plug in USB drives they find — even when they know they should not. BadUSB devices emulate keyboards and automatically type commands; they bypass all file-based antivirus scanning because they deliver no files. Disable USB mass storage on all corporate workstations via Group Policy (Windows) or MDM profiles (macOS/Linux). If USB access is required for legitimate use cases, use endpoint security tools that allow USB device whitelisting by hardware ID rather than disabling USB entirely.

See: FIN7 BadUSB Mail Drop | Physical Security

Beginner
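The Windows side of this control, as an added example that is not part of the guide: an elevated PowerShell script that applies the two registry-backed settings Group Policy uses to block the USB mass-storage class (the USBSTOR driver start type, and the "All Removable Storage classes: Deny all access" policy value) and an audit function that reports whether both are still in place. The function names and the report object are this example's own; the registry paths and values are the documented Windows ones.

```powershell
# Added example (not from the guide): disable the USB mass-storage class on a
# Windows workstation and audit the result. Run in an elevated session. In a
# managed estate the same values arrive via Group Policy:
#   Computer Configuration > Administrative Templates > System >
#   Removable Storage Access > "All Removable Storage classes: Deny all access"
#
# Two independent controls are set so that one still holds if the other is
# reverted by a local administrator or a rogue script:
#   1. Stop the USBSTOR driver from loading (Start = 4 means "disabled").
#   2. Apply the Removable Storage Access policy (Deny_All = 1), which the OS
#      enforces even when the driver is loaded.

$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

function Disable-UsbMassStorage {
    # Control 1: driver disabled (4). The workstation default is 3 (manual start).
    Set-ItemProperty -Path $UsbStorKey -Name 'Start' -Value 4 -Type DWord

    # Control 2: removable-storage policy. The Policies key does not exist
    # until a policy has been applied, so create it if needed.
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    Set-ItemProperty -Path $PolicyKey -Name 'Deny_All' -Value 1 -Type DWord
}

function Test-UsbMassStorageDisabled {
    # Returns one object per host; Compliant is $true only when BOTH controls
    # are in the expected state, so an audit can flag partial reversions.
    $start = (Get-ItemProperty -Path $UsbStorKey -Name 'Start'    -ErrorAction SilentlyContinue).Start
    $deny  = (Get-ItemProperty -Path $PolicyKey  -Name 'Deny_All' -ErrorAction SilentlyContinue).Deny_All

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        UsbStorDriverStart = $start
        RemovableDenyAll   = $deny
        Compliant          = ($start -eq 4 -and $deny -eq 1)
    }
}

Disable-UsbMassStorage
Test-UsbMassStorageDisabled | Format-List
```

Deny_All covers every removable-storage class (CD/DVD and portable devices included), not only USB disks; if that is too broad, the same policy key has per-class subkeys that narrow it. Neither setting touches a device that enumerates as a keyboard, which is exactly how the BadUSB drives described above work, so this block closes the file-drop path only; the hardware-ID whitelisting the guide mentions is what addresses keyboard-emulating devices.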

Implement a clean desk policy and lock unattended screens automatically

A physical intruder who reaches an unlocked workstation has the same access as the authenticated user who left it. During Kevin Mitnick's penetration operations, unlocked terminals, discarded printouts, and papers left on desks were as valuable as any technical exploit. Implement: automatic screen lock after 5 minutes of inactivity (enforced via Group Policy/MDM), a requirement to lock workstations and desks when stepping away (badge-out), a prohibition on leaving sensitive documents visible on desks, and locked cabinets for paper records. Clean desk audits (periodic unannounced checks of workstation and desk areas) measure compliance without being punitive.

See: Kevin Mitnick Physical Intrusion | Physical Security
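The 5-minute automatic lock and its audit, as an added example that is not part of the guide: an elevated PowerShell script that sets the machine-wide inactivity limit Windows exposes as the security option "Interactive logon: Machine inactivity limit" (registry value InactivityTimeoutSecs), then checks a list of workstations over PowerShell remoting and reports which ones do not lock within the required time. The function names, the report object and the sample host list are this example's own assumptions; the registry path and value are the documented Windows ones.

```powershell
# Added example (not from the guide): enforce a 5-minute inactivity lock and
# audit it across workstations. Run elevated. In a domain the same setting is
# deployed as the security option
#   Computer Configuration > Windows Settings > Security Settings >
#   Local Policies > Security Options > "Interactive logon: Machine inactivity limit"
#
# InactivityTimeoutSecs is machine-wide: once it elapses Windows locks the
# session regardless of the user's own screen-saver settings, so a user cannot
# lengthen or disable it from their profile the way they can a screen saver.

function Set-InactivityLock {
    param([int]$Seconds = 300)   # 5 minutes, as the guide recommends
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    Set-ItemProperty -Path $key -Name 'InactivityTimeoutSecs' -Value $Seconds -Type DWord
}

function Test-InactivityLock {
    # Self-contained (no script-level variables) so it can be shipped to remote
    # hosts as a script block. 0 or an absent value means "never lock", which is
    # as non-compliant as a timeout longer than the limit.
    param([int]$MaxSeconds = 300)
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $value = (Get-ItemProperty -Path $key -Name 'InactivityTimeoutSecs' -ErrorAction SilentlyContinue).InactivityTimeoutSecs

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        InactivityTimeoutSecs = $value
        Compliant             = ($null -ne $value -and $value -gt 0 -and $value -le $MaxSeconds)
    }
}

function Get-InactivityLockReport {
    # Clean-desk style audit of many hosts at once. Requires WinRM / PowerShell
    # remoting to be enabled on the targets; returns the non-compliant ones.
    param([string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock ${function:Test-InactivityLock} |
        Where-Object { -not $_.Compliant }
}

# Apply locally, then audit this host and a constructed sample list of hosts.
Set-InactivityLock
Test-InactivityLock | Format-List

$sampleHosts = @('WS-FINANCE-01', 'WS-FINANCE-02', 'WS-RECEPTION-01')   # constructed names
Get-InactivityLockReport -ComputerName $sampleHosts |
    Select-Object PSComputerName, InactivityTimeoutSecs, Compliant | Format-Table
```

Because Test-InactivityLock takes its limit as a parameter, the same report can be run with a stricter value for the data centre or server rooms than for general office desks. The list of non-compliant hosts is the objective input to the unannounced clean desk audit the guide describes: it tells the auditor which desks to visit rather than relying on spot checks alone.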