Penetration testing of physical security systems is used to evaluate if a company’s security measures operate as intended. From a technology angle, penetration testing (pen testing) assesses whether the totality of the systems operate as designed, rather than testing each individual component. Does the system work with the officers, the policy and procedures that are in place?
A session at ISC East, Nov. 20 in New York, will address the need for and benefits of penetration testing (also known as red teaming). The session, titled “We Sneak into High Security Buildings and Get Paid for It”, will be presented by Michael Glasser, President, Glasser Security Group. He has two decades of experience providing security design strategic planning, implementation oversight, auditing and penetration testing.
“Penetration testing determines whether people and systems are providing the protection you think they are,” says Glasser. Various system components should come together into a solution that works for the client. People, technology and architecture are all components of successful security systems. His motto: “Stop guessing and starting testing".
Test-driving security systems
“You can compare it to driving a car,” says Glasser. “You want to be sure the brakes work and the engine works, but then somebody has to test-drive the car.”
Stop guessing and starting testing"
The concept of penetration testing goes back to the Cold War, when the military had “Red Teams” and "Blue Teams”, competing squads that used their skills to imitate attack techniques enemies might use. More recently, the term “pen testing” has become common in the cybersecurity industry, often referring to “white hat” hackers that test the effectiveness of cybersecurity measures. Applying the concept to physical security in corporate America brings the concept full circle.
“People think their controls work, but they realize they really need to see if it all works together,” says Glasser.
Pen testing in corporate America
“You can go to any military base or nuclear power site and you see pen testing,” says Glasser. “But often it doesn’t happen in corporate America.” Sometimes physical pen testing is approached as an extension of cybersecurity testing because addressing physical threats is an element in cybersecurity, too. “It’s the same service, except to make sure the physical house is in order,” says Glasser.
Glasser’s session will be among the SIA Education@ISC East presentations scheduled at the education theaters on the show floor at ISC East, Nov. 20-21 at the Javits Center in New York.
The process
If you believe the movies, Glasser’s job is all fun and excitement, like a “bunch of kids having fun”. The reality is more mundane, he says. “People think it’s fun, but it’s work, not fun.” The process is front-loaded with weeks of research and surveillance to determine possible vulnerabilities before attempting a break-in. Research is based on threat modelling: What is a company worried about? Who is the bad guy? What do they want to do? What are the threats?
The process is front-loaded with weeks of research and surveillance to determine possible vulnerabilities
Among other tools, Glasser uses Open Source Intelligence (OINT), which is collection and analysis of information gathered from public, open sources, such as media, the Internet, public government data, etc.
Glasser comes from a physical security industry family – both his mother and father were employed in the security industry – and he attended his first ISC East show in the 1990s when he was 11 years old. As a security consultant and security expert witness for more than 20 years, he has previously spoken at GSX and various ASIS International events.
