Our Approach and Methodology
The SecureState Profiling Team is well known and highly regarded for its expertise in Penetration Testing. Our approach follows industry-accepted testing methodologies such as PTES, NIST SP 800-115 and OSSTMM. Because the work follows these published methodologies, our clients can reproduce the testing SecureState has performed in their own environment and verify that identified vulnerabilities have been mitigated. The SecureState Profiling Team also helps identify strategic "root cause" issues through our Penetration Tests. Our Risk Management Team is uniquely positioned to work closely with the Profiling Team in order to assist clients with mitigating these strategic "root cause" issues.
Phase I – Pre-engagement Interactions:
In this phase, SecureState works with the client to establish the rules of engagement and the scope, and to exchange contact information for both parties. SecureState provides a detailed Project Charter which contains the scope and everything that will be required to conduct the testing. The Project Charter is discussed during the kickoff call prior to the beginning of the engagement.
Phase II – Remote Intelligence Gathering:
SecureState begins every Physical Security Assessment remotely by conducting an extensive open source intelligence search on the target company. This research gathers information about the target company from public databases, tax records, job openings, social networks, Internet search engines and much more. Our staff then reviews extensive information about the target locations themselves using online mapping tools, including satellite imagery and street-level views.
Information gathered in this phase is used to determine potential threats to the company and to the locations in scope. This data is also used in the report to provide a focused threat assessment specific to the facilities or locations.
Phase III – Guided Walkthrough:
SecureState meets with the client on-site to perform a guided walkthrough of the facility or location. Together with the client, SecureState evaluates all Physical Security controls that are in place. The following controls are evaluated for security best practices and implementation:
- Visitor Entry and Verification Procedures
- Access Control Systems (including badges)
- Security Guards and Guard Rotation
- Data Center Specific Controls
- Document Destruction
- CCTV or other Surveillance Cameras
- Alarms
- Locks
- Physical Key Management
- Security Lighting
- Fences and Barricades
- Safety Systems (fire suppression, backup power)
Phase IV – Vulnerability Analysis:
During the vulnerability analysis phase, SecureState determines which physical vulnerabilities are present in the evaluated controls. This phase also includes questions to the client about recent physical security incidents and about the client's own security concerns. SecureState uses this information to determine whether certain controls need to be improved, or whether a new technology can help mitigate the threat agents identified in Phase II.
Phase V – Reporting:
As part of the deliverable, SecureState provides a report containing a short graphical summary aimed at senior management, a narrative body detailing the major findings, and a detailed findings section aimed at technical staff. SecureState also provides a closing call and a high-level executive presentation to summarize the assessment and to give the client an opportunity to ask questions about the engagement.