866.254.0000
Talk with a Specialist
Services
SOC & Attestations
Payment Card Assessments
ISO Certifications
Privacy Assessments
Federal Assessments
Healthcare Assessments
Penetration Testing
Cybersecurity Assessments
Crypto and Digital Trust
Schellman Training
ESG & Sustainability
AI Services
View All Services
Industry Solutions
Cloud Computing & Data Centers Meet a broad range of regulatory and industry compliance mandates for your customers
Financial Services & Fintech Cybersecurity assessments for both the banking industry and the financial service providers
Healthcare Reporting to manage risk and adhere to applicable laws and regulations
Payment Card Processing Validate compliance with the various forms of the PCI DSS
US Government Achieve authorization to work for federal agencies, DoD, and the associated contractor base
Higher Education & Research Laboratories Reinforce your commitment to securing your student's and institution's data.
View All Industry Solutions
Learning Center
Our Technology
About Us
Leadership Team
Careers
Corporate Social Responsibility
Strategic Partnerships
Visit About Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
Payment Card Assessments
Payment Card Assessments
ISO Certifications
ISO Certifications
Privacy Assessments
Privacy Assessments
Federal Assessments
Federal Assessments
Healthcare Assessments
Healthcare Assessments
Penetration Testing
Penetration Testing
Cybersecurity Assessments
Cybersecurity Assessments
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
ESG & Sustainability
ESG & Sustainability
AI Services
AI Services
Industry Solutions
Industry Solutions
View All Industry Solutions
Cloud Computing & Data Centers
Cloud Computing & Data Centers
Financial Services & Fintech
Financial Services & Fintech
Healthcare
Healthcare
Payment Card Processing
Payment Card Processing
US Government
US Government
Higher Education & Research Laboratories
Higher Education & Research Laboratories
Learning Center
Our Technology
About Us
About Us
About Schellman
Leadership Team
Leadership Team
Careers
Careers
Corporate Social Responsibility
Corporate Social Responsibility
Strategic Partnerships
Strategic Partnerships
Talk with a Specialist

«  View All Posts

Physical Penetration Tests: An Overview Blog Feature
Tyler Petersen

By: Tyler Petersen

Print/Save as PDF

Physical Penetration Tests: An Overview

Penetration Testing

When many think of a “penetration test,” the first thing that may spring to mind is cybersecurity. But in fact, you do have the option to conduct a physical penetration test—or, a simulation of a physical attack on your premises.

Understanding your landscape of physical security is crucial—though some may not realize it, we grapple with the intricacies of physical security controls every day, from the locks securing our front doors to the card readers we encounter at work. But how robust are these controls and tools that you’ve invested in? Are those being granted physical access being truly scrutinized?

Though the common belief is that our physical security controls effectively repel malicious actors, the reality is often different, and that’s where a physical penetration test can help. In this blog post, we’ll use our extensive experience to unravel the intricacies of a physical penetration test, including its importance, its purpose, the targeted goals, considerations to make when setting the parameters, and answers to other frequently asked questions.

 

Why is a Physical Penetration Test Important?

Among your many security assessment options, why do you also need a physical penetration test?

Because just as malicious actors can hack your network from off-site, they can blend in with your staff or socially engineer them to gain access to sensitive information or areas of your building—from there, they can then perform other network-based attacks. (Consider that the person you courteously held the door for might not be as innocent as they seem; they could be a potential threat actor aiming to pilfer company secrets or infiltrate the internal network.)

These attacks on your physical security can be as simple as planting a small computer with an out-of-band internet connection in a network closet, or as large as physically infiltrating your data center and interacting with the systems housed there, which could cause loss of data availability, confidentiality, and integrity.

 

What is a Physical Penetration Test?

A physical penetration test can help you better understand how vulnerable you are to those threats. Though it can encompass a broad scope, the focus of this assessment remains on scrutinizing your physical security controls and network access controls—rather than where you’re vulnerable on the Internet.

A physical penetration test delves deep to physically validate the functionality of those controls beyond the basic assessment of whether a padlock secures and releases—it examines your entire landscape, including the installation integrity of doors and whether or not each door is susceptible to complete bypass. (After all, what’s the point of a high-end security system if it’s improperly installed?)

Another integral part of physical penetration testing is the element of social engineering—a strategic process of deceiving individuals to achieve specific goals, which be performed by your testers making requests as innocuous as, "Hello, can you let me in? I left my badge in my hotel room."

Though often overlooked in general, the human element of security is particularly essential in maintaining your physical defenses, and a penetration test that appraises your personnel’s level of awareness is key to comprehensively understanding and addressing your security.

 

What are the Goals of a Physical Penetration Test?

All that being said, you retain a lot of flexibility in what you want your physical penetration test to achieve.

Objectives you set for your assessors may include the following examples:

  • Gaining access to a conference room and capturing a photo
  • Infiltrating the CEO's office after hours and identifying sensitive information
  • Gaining access to the internal corporate network by plugging into a network jack
  • Chaining physical access by dropping a remote access device to obtain a foothold on the domain

It all depends on what holds significance for you and your business—or, what keeps you up at night. If safeguarding your data center is a business priority, then the goal of your physical penetration test should revolve around securing that data center.

Once you know what you want to test, you’ll also decide what the penetration testers are permitted to do during the engagement, like whether they can target door access control systems or conduct testing during off hours. Remember, these engagements thrive on keeping an open mind; the more flexibility granted to physical penetration testers, the greater the potential for valuable insights and comprehensive security evaluations.

 

Other Considerations Regarding Your Physical Penetration Test

When shaping your physical penetration test, your most critical decisions will include:

  • Defining your scope
  • The goals of your test
  • Specific tasks you want the penetration testers to perform
  • The physical locations where the engagement will take place

That being said, you also must consider the following aspects when having a physical penetration test performed:

  • Off-Hours Liaisons: Identify individuals who will be available as points of contact during off hours to ensure smooth communication and coordination throughout the engagement.
  • Landlord Approval: Assess whether approval from a landlord is necessary to conduct the testing, especially if it involves physical spaces owned or managed by a third party.

Addressing these considerations ahead of testing will help the engagement proceed more seamlessly.

 

Physical Penetration Test FAQs

How Long Does a Physical Penetration Test Take?

Testing is typically accomplished within one to two weeks, but timelines can vary depending on the number of locations you include, as well as any restrictions on timing. For instance, if your penetration testers require several days for after-hours reconnaissance of a building, the overall engagement duration would naturally be longer when compared to a more concise social engineering assessment.

Setting the timeline during the planning phase and being mindful of scheduling is crucial, as it will help set realistic expectations.

Are There Any Issues with Legality When Having a Physical Penetration Test Performed?

Given that the nature of a physical penetration test is effectively what could be considered a form of breaking and entering, that’s a valid question—the answer to which is a nuanced "yes" and "no."

Because just as it is with any digital penetration test, this is an ethical and cosigned breach—meaning, nothing happens without an established contract between testers and the organization who grants written authorization for the defined activities to take place. This letter of permission essentially serves as a "Get-Out-of-Jail Free” card that testers carry at all times. While the primary goal is to avoid involving law enforcement altogether, in the event testers do encounter them during our activities, these letters are presented, and the police contact the previously designated individuals listed within for confirmation that everything has been previously sanctioned.

What are the Deliverables of a Physical Penetration Test?

When you work with Schellman, near the end of our engagement, our penetration testers will compile a comprehensive report detailing:

  • The defined scope
  • An attack narrative that elucidates the pretexts and methods we employed to gain access
  • Videos and photos to provide visual insights into specific aspects of the testing process
  • A breakdown of our findings, including individual vulnerabilities, their severity ratings, and fundamental remediation steps

Overall, the document is intended to provide a clear understanding of your security landscape and highlight areas for improvement within your security measures.

 

Moving Forward with a Physical Penetration Test

While you may be more familiar with the concept of a web application or internal penetration test, a physical penetration test is no less important, as this assessment can help you answer the question “What happens when your hardened external physical perimeter is sidestepped?”

Securing your physical perimeter can be made easier using the insight of a physical penetration test, and now that you understand a bit more about these evaluations, you may agree that it’s the right option for your organization. If that’s the case, contact our team today to see if Schellman is the right fit for you.

But it may be the case that a different type of pen test better suits your more immediate needs, and to help confirm, be sure to check out our content detailing the various kinds of tests:

About Tyler Petersen

Tyler Petersen is a Penetration Tester with Schellman Compliance, LLC based in Madison, Wisconsin. Prior to joining Schellman in 2022, Tyler worked as a Penetration Tester for a financial institution, specializing in external and internal network penetration testing. Tyler also supported various other areas of information security. Including vulnerability scanning, incident response, and security operations. Tyler has a wide variety of certifications and currently holds his Certified Ethical Hacker (CEH), Offensive Security Certified Professional (OSCP), GIAC Exploit Researcher and Advanced Penetration Tester (GXPN), the Certified Red Team Operator (CRTO) and the Certified Information Systems Security Professional (CISSP). In his free time, Tyler is always learning more by doing CTFs and other events.

4010 W Boy Scout Boulevard
Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S.
1.813.288.8833

Resources
Company
Stay Up-to-Date

Sign up to receive Schellman's Weekly Ready delivered every Friday morning.

© SchellmanPrivacy PolicyTerms of Use

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.