Penetration tests are considered to be the de facto standard of testing security with as realistic a scenario as possible that a site may be likely to encounter. At PMV Security we are always pushing the limit on what security is and how we apply it to our client’s sites. We are one of the few companies in Vietnam providing high-quality effective security tests.
What are penetration tests?
Many businesses think they have good security or think their security team is performing well without ever putting it to a real world test. The purpose is for organizations who want to gauge how effective their security measures are 0r if any unknown vulnerabilities exist currently. A scenario (or multiple scenarios) will be developed and our pen testers will make real world attempts to discover vulnerabilities and exploit them. This can include physical or digital threats.
The goal isn’t to just compromise security.
I bribe the power utility company to shut down power to your neighborhood, drive over your security gate with a military tank and hold your security guards hostage with assault rifles. I did compromise your security however that was never the scope of your security in the first place. You don’t have security at your facility to stop a coordinated para-military threats that have the ability to shut down power grid infrastructures and storm your facility with armored vehicles and assault rifles.
What’s the goal?
The real goal is to gauge the effectiveness of existing security measures & identify previously unknown vulnerabilities executed by a likely potential threat. If the threat is outside the scope of protection than it is not a likely scenario to test for.
How does it work?
Planning | Pre-Test Phase
First, a consultation will take place to determine what the purpose of your current security measures and what your goals for protection are for.
For example, a manufacturing company has finished products and sample products that need to be protected in addition to valuable equipment and the physical property itself.
The manufacturer is concerned about:
- Small coordinated thefts, potentially 1 or 2 individuals initiating a burglary after operational hours.
- Insider threats such as employees smuggling product outside during operational hours either for counterfeit manufacturers or stolen goods sales.
- Threats posing as an employee to smuggle goods / prototype goods or photograph prototype product.
A series of tests would be developed using real world scenarios as closely matched to your potential threats as possible.
Once we have established what your goals for having security are and what you want protected we will set a time period for the testing to occur. We won’t provide specific days or times we will conduct any testing the only information that will be provided is a certain time period. Depending on the site or type of client this testing time period can range from a few days all the way up to a month.
For safety and existing security purposes we will setup a procedure for the pen testers to follow in the event they are caught by your staff or security force. This is for the safety of all individuals involved and also in the unlikely event a real attacker is caught they are not mistaken as a pen tester.
Our pen testers will have various equipment. The type of security will determine what kind equipment they will bring to execute the penetration test. This can range from:
- Lock Pick Sets
- Lock Shims
- Bump Keys
- RFID Cloners
- RFID Cards / FOBs
- Fingerprint Lifts
- Hidden Cameras
- Aerosol Spray
- Fraudulent Access Badges
- Compromised USBs (deploying a digital payload)
and the list goes on and on.
They will operate off the same principal earlier mentioned in that all attempts will be made to utilize tools and techniques that a threat within the organizations scope of security would utilize.
Stage 1 – Reconnaissance: Once the testing time period has been initiated, our testers will conduct as much reconnaissance as needed to gain knowledge of your security measures implemented at your site. Again depending on the client, size of location, and what the target is will determine the length of this stage. Once pen testers have collected enough intelligence on security measures to bypass.
Stage 2 – Execution: Again, once enough intelligence has been gathered an operational plan will be developed and executed. This can vary from site to site. There may multiple targets on one site or even multiple sites with multiple targets so it can vary on the time length needed to execute the operational plan.
Stage 3 – After Action Review: Once the tests have been executed (successful or unsuccessful), we will compile a report with a presentation to provide to management. This will detail all the tests conducted on your sites, methods of exploitations, success/failure and finally control measures that need to be implemented to mitigate the risk.
Results are what really matters at the end of the day not just with penetration tests but anything in business. What did these tests do for your organization? Once these tests are conducted a performance KPI would be applied to each of the tests giving you idea on the performance of existing security assets and policies. The organizations ability to identify and respond to security threats and evaluate the overall security posture.
Recommendations on security policies, equipment, or personnel will be what provides the best results. We will provide a comprehensive list of recommendations for security measures needed to address any vulnerabilities discovered or improve the performance of an existing security measure.
Contact PMV Security Group today for a consultation on penetration tests.
Think you have what it takes to be a penetration tester or security auditor? Check out our open positions or send us your CV.