The SecureState Profiling Team is well known and highly regarded for its expertise in Penetration Testing. Our approach follows industry-accepted testing methodologies such as PTES, NIST 800-115 and OSSTMM. Because we follow these methodologies, our clients can accurately replicate the testing SecureState has performed in their own environment and mitigate the identified vulnerabilities. The Profiling Team also helps identify strategic “root cause” issues through our Penetration Tests. SecureState's Risk Management Team is uniquely positioned to work closely with the Profiling Team to assist clients with mitigating these strategic “root cause” issues.
Phase I – Pre-engagement Interactions:
In this phase, SecureState works with the client to establish the rules of engagement and the scope, and to exchange contact information for both parties. SecureState provides a detailed Project Charter which contains information on scope and everything that will be required to conduct the testing. The Project Charter is discussed during the kickoff call prior to the beginning of the engagement.
Phase II – Remote Intelligence Gathering:
SecureState begins any Physical Security Assessment remotely by conducting an extensive search of open source intelligence on the target company. This research gathers information about the target company from public databases, tax records, job openings, social networks, Internet search engines and much more. Our staff then reviews extensive information about the target locations themselves using online mapping tools, which include satellite imagery and street-level views.
Information gathered from this phase is used to determine potential threats to the company and the locations in scope. In addition, this data is used in the report to provide a focused threat assessment specific to the facilities or locations.
Phase III – Guided Walkthrough:
SecureState meets with the client on site to perform a guided walkthrough of the facility or location. Along with the client, SecureState evaluates all Physical Security controls that are in place. The following controls are evaluated for security best practices and implementation:
- Visitor Entry and Verification Procedures
- Access Control Systems (including badges)
- Security Guards and Guard Rotation
- Data Center Specific Controls
- Document Destruction
- CCTV or other Surveillance Cameras
- Physical Key Management
- Security Lighting
- Fences and Barricades
- Safety Systems (fire suppression, backup power)
Phase IV – Vulnerability Analysis:
During the vulnerability analysis phase, SecureState attempts to determine which physical vulnerabilities are present in the evaluated controls. Included in this phase are questions for the client regarding recent physical security incidents as well as the client's security concerns. SecureState uses this information to determine whether certain controls need to be improved, or whether a new technology can assist with mitigating threat agents identified from Phase I.
Phase V – Reporting:
As part of the deliverable, SecureState provides a report which contains a short, graphical summary aimed at senior management, a narrative body which details major findings, and a detailed findings section aimed at technical staff. SecureState also provides a closing call and a high-level executive presentation to summarize the penetration test and to provide an opportunity to ask questions about the engagement.